For a long while, development and security teams worked in separate worlds. Each team has its head or chief officer, a department, a PnL, goals, concepts, and even best practices.
They also eyed each other suspiciously. Many developers saw security as restraining their agility and creative ethos. Security teams, meanwhile, felt they must put in restrictions while seeing their responsibilities broaden with data privacy.
The rise of DevOps blurred the lines between security and software development. By its very nature, agile development offers agility and speed in app development and deployment, with cloud-based development and dynamic provisioning making it economically viable and more accessible.
“As developers take more ownership of the infrastructure and cloud services required for their applications to run, they are also inherently taking on more responsibility regarding securing that infrastructure,” says Lawrence Crowther, head of solutions engineering at APJ at Snyk.
“There are many practical benefits of this approach, including codifying configuration as code to help with automation, finding vulnerabilities early in the dev cycle, and securing the software supply chain itself.”
Meanwhile, security and testing teams were watching this development with apprehension. So, they decided to shift left, i.e., move the testing earlier in the SDLC.
“Security teams need to engage very early in a new project to set the guidelines and guardrails for developers to follow during the development phases,” comments Crowther.
“It is much easier and cheaper to establish a good security posture at the beginning rather than it being an afterthought when the application has been deployed to production. It also allows for continuous updates and changes to be made without re-tooling or re-architecture.”
The two teams were heading for a crash. But that’s when the concept of DevSecOps started to take root, offering a platform for both teams to collaborate — at the very least, communicate.
Rethinking security in an agile world
The key to DevSecOps deployment and adoption relies on collaboration.
“DevSecOps requires collaboration from engineers, operations, and security teams to be aligned on a single goal. In order for a security program to scale, each of the team's needs to provide input into how the process will scale through CI/CD. This is much about the process as it is about the tools,” explains Crowther.
It is part of the four vital components that make up a proper DevSecOps strategy.
The first is creating awareness and improving understanding. Developers do not like intrusive security oversight to restrict their development creativity, but supply chain attacks and vulnerabilities in open source are shifting attitudes.
Crowther believes the best way to teach software engineers is by using other engineers.
“Developing a security champions program with engineers teaching other engineers about security best practices can go a long way in adopting security practices and reducing resistance,” says Crowther.
Another significant component is tools, especially when not all tools are made the same; companies need tools that integrate tightly into the SDLC, so they do not disrupt how developers work in their day-to-day job.
“These tools should also focus on automation. It is the only way to scale DevSecOps. Having a good and flexible CI/CD pipeline strategy allowing you to scan all parts of your application and infrastructure (code, open-source libraries, containers, and cloud services) will minimize the risk of having issues in production,” says Crowther.
“If changes to production need to be made, they are done in code and deployed through the pipeline rather than manual changes,” he adds.
It’s the reason why Snyk puts a lot of effort into making their tools developer-friendly and uses automation to fix vulnerabilities in code, open source dependencies (remember Log4j?), containers, and infrastructure as code (IaC) — an effort that saw the company seen as a visionary in Gartner’s magic quadrant for application security testing.
The company is also continually acquiring and working closely with major companies, including acquisitions of CloudSkiff and Fugue.
Metrics are equally important. “Effective measurements of improvement over time to increase security posture overall or reduce risk exposure,” says Crowther
Culture is king
The last component of a successful DataSecOps strategy is creating the right culture. Developers, operations, and security teams need to see themselves as part of a single team, not separate ones.
As Crowther notes above, the best way to create such a culture is through a security champions program.
“This is when software engineers who have a security interest start enabling other engineers and running educational programs,” he explains.
It also drives empathy, allowing developers to see how security can enable better development.
“When you have an engineer who has empathy for other engineers and who has their best interest in mind other developers get excited about security,” says Crowther.
Another reason why such a program will help DevSecOps is talent. Companies have far more developers than security specialists, in some cases, the ratio is 10:1.
“The only way to scale secure development is through the engineering organization by having the security team empower and support developers,” says Crowther.
This ability to scale secure development will only get more urgent as the market demands faster deployment cycles and has no patience to wait for other releases. Whether DevOps and security teams talk to each other will no longer matter, as users will vote with their wallets and swipes.
Winston Thomas is the editor-in-chief of CDOTrends and DigitalWorkforceTrends. He’s a singularity believer, a blockchain enthusiast, and believes we already live in a metaverse. You can reach him at [email protected].
Image credit: iStockphoto/Jordi Mora Igual