How a DevSecOps process gives security a voice
Security teams have worked quietly in the background of software quality projects for years. The DevSecOps process puts the long-lost co-worker, security, front and center.
As data breaches make headlines, it's hard to quibble with the notion that security -- not just speed -- is essential to software development and delivery. To get there, software professionals can extend DevOps into DevSecOps.
The DevSecOps process is the natural evolution of DevOps, as it sandwiches security practices between development and operations. The term is relatively new, but the push to address security at each stage of the software lifecycle has been around since the source code scanner first emerged. Security isn't about building a wall around applications after the fact; it is about developers writing code that is inherently difficult to attack and testers finding potential flaws before a software release.
For security teams, these measures are exactly what DevSecOps prescribes. So, what exactly is new about the DevSecOps process?
DevSecOps: Agile aftermath
The principles of DevSecOps are largely the same as those underpinning earlier application security efforts, said Brian Bertacini, president and CEO of AppSec Consulting.
"The idea of integrating security in all phases of the lifecycle has been around for a long time," Bertacini explained. "What has changed is the way we manufacture software." Bertacini noted how teams moved from waterfall to Agile, which emphasizes speed. "And, somewhere in the process, security was left out."
Teams are starting to work together as a whole to ensure that security stays on par with development and operations. The DevSecOps process enables this unification of culture.
DevSecOps improves the culture
When Bertacini hears customers use the term DevSecOps, it signals a shift in accountability. "Someone at a high level is taking ownership of security." In Bertacini's view, top executives got serious about security in the wake of the December 2013 Target breach, in which a reported 40 million credit cards were compromised. Before that, a culture of security had not taken hold in most organizations, he said.
"When CSOs told developers how to [write secure code], they were overstepping their bounds," Bertacini noted. Without an established security culture, their message fell on deaf ears.
A DevSecOps practice is essential to creating a culture that takes software security seriously. "The coolest thing about DevSecOps is that it recognizes security is a shared responsibility," said Dan Cornell, a principal at Denim Group. The security measures are built on DevOps, which is a more open culture than earlier development approaches.
"Sticking security in the middle is important," Cornell said. DevSecOps also conveys the idea that "developers are accountable for the results of what they do. If [the code] breaks, they have to fix it," added Pete Chestna, director of developer engagement at CA Veracode. That thinking represents a marked departure from the prevailing mindset around developers and their code.
Secure a voice in the DevSecOps process
DevSecOps offers a significant practical advantage for security teams. "It allows security teams to get more leverage," Cornell said. "Security teams are small, and they are outnumbered. They have to push security activities out to the edges." According to Cornell, DevSecOps culture helps them do that. "How do I take advantage of the people I can influence and leverage? That's what CSOs are asking."
DevSecOps helps CSOs work with their development peers side by side. "You measure and report everything from a security aspect," Chestna explained. Running security scans on a regular basis lets CSOs see where the problems are and apply developer training accordingly.
"It's like monitoring your blood pressure," Chestna said. "When you do it once a year in the doctor's office, you know nothing." But if you do it every day, you can see what's happening and take the necessary steps to fix it.
DevSecOps is relatively new, and many organizations haven't adopted it yet. "But I am optimistic," Bertacini said. "When I started as an application programmer, developers sat on one side of the building -- operations, on the other. Now, we are integrating security as well," he said, optimistic that additional collaborative cultures will emerge.