Opinion

The need for DevSecOps culture, and the way forward

The advancement of a DevSecOps culture can help break down longstanding silos that have confined abilities and overlooked security, and relieve overwhelmed

practitioners.

Jaykishan Nirmal Sep 27th 2018 A-A+
Jaykishan.jpg

We live in an era where cutting edge Software-as-a-Service (SaaS) is an offering for large organisations, as well as for your average Joe with a Smartphone. However, the competition in this field is unparalleled. SaaS and its allied fields, irrespective of your starting position, is an arena where only the vanguard wins.

To stay in the game, organisations are revving up their output, bringing out new software releases as quickly as their coders can type them. Emerging technologies like the cloud further reiterate the need for speed, with developers responding within seconds to consumer needs. Constant deployment is now an industry norm, with security often falling by the wayside.

Often we see software engineers working separate from security professionals, due to the incorrect bias that integrating security into code slows down the process. According to a research report, 49% of respondents indicated that code changes or releases needed to be deployed in a matter of days, and 67% responded that these changes were significant and occurred on a regular basis.

So there is no doubt as to the miniscule turnaround time allowed.  However, this leads to a market flooded with software untested for vulnerabilities and risks, leaving the system susceptible to innumerable threats. This is where a culture of DevSecOps has to be grown.

In a bid to speed up development processes and eliminate risks, an increasing number of organisations are deploying development security operations (DevSecOps) teams. DevSecOps teams essentially bake security solutions into software releases, significantly bringing down security risk.

This integrated nature leads to a wholesome product, far more efficient and devoid of the vulnerabilities faced by software that is instead sheathed in security, and in fact speeds up the entire process. It is essential for an enterprise to have a designated DevSecOps practice, in order to create a culture that takes its software security seriously. This creates a sense of accountability among the developers, where security ownership is shared between the developers and security personnel, explicitly breaking the siloes.

By collaborating with development teams, security professionals can figure out how to take security intelligence and integrate it into the code at the earliest stage possible. This philosophy of an upgrade on the older security model, takes continuous delivery as a constant and ensures the scalability of the product. It behaves as a single pane of glass for software solutions, providing delivery and risk assessment, and integrating it with performance as well as compliance features.

DevSecOps tools deliver actionable metrics. These platforms learn about various technologies, components and third party libraries to address zero-day attacks, understand real risk to the environment and prioritize security issues for remediation efforts.
Training is the simplest route to integrate a DevSecOps culture. With the appropriate security training, developers can learn to write software securely at the onset, preventing unplanned attacks downstream, significantly saving on time, cost and reputation.

A few methods to implement a DevSecOps culture are as follows:

  • Security code analysis: This implies building the code in smaller parts, and doing multiple smaller releases. This granular method enables the team to rapidly identify vulnerabilities before they are mistakenly released.
  • Compliance monitoring: This approach monitors compliance while the code is being developed, saving time during the auditing process.
  • Security feedback: Conducting vulnerability tests such as Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and regular penetration testing on underlying infrastructure. Needless to say, it is important to gather feedback on how secure the software is.
  • Security training: Training developers goes beyond the Open Web Application Security Project (OWASP) or on-site training as such, and include attending real life Hackathons, to be reminded of the very real nature of external attacks, and hence the absolute need for DevSecOps teams.

DevSecOps is still in the early days of adoption, but holds vast promise. It gives enterprises a significant advantage, and a way to leverage their pre-existing skill sets.

Securing emerging architectures, adapting to the cloud, improving application security, and automation of common security tasks are among top strategic security objectives of security professional across the globe. The advancement of a DevSecOps culture can help break down longstanding silos that have confined abilities and overlooked security, and relieve overwhelmed practitioners.

Jaykishan Nirmal is Senior Vice President at Aujas

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).