Back in 2008, Patrick Debois and Andrew Clay Shafer drew the beginnings of DevOps while discussing the concept of agile infrastructure.
DevOps is a methodology that unites software developers and IT operations, with extensive automation, around the shared goal of delivering high-quality products rapidly and securely. DevSecOps is about embedding security into these processes and that automation.
PwC says the adoption of DevOps is often associated with the integration of agile, which helps to accelerate IT deliveries, improve product quality, speed up the time to market, and eventually create business values.
The linkage between fast and unsecure
This call for accelerated rollout of applications, coupled with the rise in cyberthreats, creates opportunities for mistakes and security holes that cybercriminals would be happy to exploit.
Kevin Reed, chief information security officer (CISO) at Acronis, says the situation is common. He says market pressure leads research and development (R&D) teams to want to cut corners on security testing.
Gina Smith, PhD, research manager for DevOps at IDC Asia/Pacific, concurs and adds: “Faster software development lifecycles increase the potential for mistakes, which is especially dangerous in terms of security. This is one of the prime drivers of secure DevOps (DevSecOps) initiatives.”
Reed laments that some developers are not qualified to make judgements about the security implications of the software design choices they make. “As a result, business applications are not only ridden with vulnerabilities resulting from poor coding practices but also more fundamental flaws resulting from poor design decisions,” he added.
What’s wrong with fail fast?
In the digital transformation era, executives espoused the “fail fast” mantra and, with it, “fail often”. Dan Pontefract, author and leadership strategist, argues that “fail fast, fail often” is creating a culture of people aiming for the short term, living in a world of frenetic bedlam.
“Instead of calmly and intelligently iterating, employees race to complete something (failing) while racing to the next objective as quickly as possible. (failing, but quicker.),” Pontefract wrote.
Does the work ethos – fail fast – encourage this behaviour?
Dr Smith raised two points:
“You risk losing whatever gains DevOps got you in going back to fix the problems security finds. This shortfall is best addressed by integrating security early in the software development process – that is to say, shifting left,” she opined.
She added that the sooner enterprises can incorporate security, the better. Increasingly, leading enterprises are blending DevOps and security teams and bringing security into the earliest planning phases, automating everything possible and moving to a continuous security focus.
Acronis' Reed opined that “fail fast” is the opposite of a lack of testing and poor practices. Fail fast implies that if a software component observes an unexpected situation or input, it fails instead of trying to mitigate it.
“It also implies that such components are very ‘demanding’ about the quality of input data. Many vulnerabilities are introduced because software tries to handle an unexpected form of data (e.g. too much of it) instead of failing immediately,” he explained.
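As an added illustration of the point Reed makes (this is example code, not from the article or from Acronis), the following Python contrasts a request parser that fails fast on anything unexpected with a lenient one that tries to make do with whatever arrives. The size limit, the field schema, the allowed actions and the sample messages are all constructed for the example; a real service would have its own.

```python
"""Fail-fast input handling versus lenient handling (constructed example)."""
import json

MAX_BODY_BYTES = 1024                      # hypothetical hard cap on request size
REQUIRED_FIELDS = {"user_id": int, "action": str}   # hypothetical schema
ALLOWED_ACTIONS = {"read", "write"}


class RejectedInput(ValueError):
    """Raised the moment input deviates from what the component expects."""


def parse_request_fail_fast(raw: bytes) -> dict:
    """Reject oversized, malformed or out-of-schema input immediately."""
    # 1. Refuse oversized input before doing any work on it.
    if len(raw) > MAX_BODY_BYTES:
        raise RejectedInput(f"body too large: {len(raw)} > {MAX_BODY_BYTES}")
    # 2. Decode strictly; malformed bytes are an error, not something to patch up.
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedInput(f"malformed body: {exc}") from exc
    if not isinstance(obj, dict):
        raise RejectedInput("body must be a JSON object")
    # 3. Exactly the expected keys, each with the expected type.
    unexpected = set(obj) - set(REQUIRED_FIELDS)
    if unexpected:
        raise RejectedInput(f"unexpected fields: {sorted(unexpected)}")
    for name, typ in REQUIRED_FIELDS.items():
        if name not in obj:
            raise RejectedInput(f"missing field: {name}")
        if type(obj[name]) is not typ:      # exact type, so bool is not accepted as int
            raise RejectedInput(f"field {name} must be {typ.__name__}")
    if obj["action"] not in ALLOWED_ACTIONS:
        raise RejectedInput(f"unknown action: {obj['action']!r}")
    return obj


def parse_request_lenient(raw: bytes) -> dict:
    """Counter-example: truncates, coerces and defaults instead of rejecting."""
    text = raw[:MAX_BODY_BYTES].decode("utf-8", errors="replace")  # silently truncates
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        obj = {}                              # garbage quietly becomes an empty request
    if not isinstance(obj, dict):
        obj = {}
    try:
        user_id = int(obj.get("user_id", 0))  # a missing or odd user becomes user 0
    except (TypeError, ValueError):
        user_id = 0
    action = str(obj.get("action", "read"))   # any action string passes through
    return {"user_id": user_id, "action": action}


# Constructed sample inputs: one valid request and five kinds of "unexpected".
SAMPLES = {
    "good": b'{"user_id": 42, "action": "read"}',
    "oversized": b'{"user_id": 42, "action": "read", "note": "' + b"A" * 2000 + b'"}',
    "extra_field": b'{"user_id": 42, "action": "read", "admin": true}',
    "wrong_type": b'{"user_id": "42", "action": "read"}',
    "bad_action": b'{"user_id": 42, "action": "delete-all"}',
    "garbage": b"\xff\xfe not json",
}


def compare(samples=SAMPLES) -> dict:
    """For each sample, record what each parser does: ('rejected', reason) or ('accepted', parsed)."""
    results = {}
    for name, raw in samples.items():
        try:
            strict = ("accepted", parse_request_fail_fast(raw))
        except RejectedInput as exc:
            strict = ("rejected", str(exc))
        lenient = ("accepted", parse_request_lenient(raw))
        results[name] = {"fail_fast": strict, "lenient": lenient}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} fail-fast={r['fail_fast'][0]:9s} lenient={r['lenient'][0]}")
```

Running it shows the asymmetry: the fail-fast parser accepts only the valid request and gives a specific reason for rejecting each of the others, while the lenient parser accepts all six. The oversized body is the telling case: after truncation it no longer parses, so the lenient parser silently turns it into a request from user 0 rather than reporting that something was wrong.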
What leads to insecurity in DevOps?
Asked whether poor or a lack of integration between DevOps teams and third-party security vendors is one of the causes for releasing less than secure applications into production, IDC's Dr Smith concurred.
In her view, keeping security siloed the old-fashioned way is a big reason unsecure software hits production.
“The goal should be the elimination of such siloes and the creation of multidisciplinary digital innovation teams where developer, IT, business and, of course, security stakeholders share equal responsibility for the delivery of great software – and celebrate successes and bounce back and learn from failures in the process,” she suggested.
While Reed agrees, he believes it is not the most important cause.
“I believe the largest source of problems is poor interaction between development, quality assurance, operations and security multiplied by market pressure. Security vendors play a role but it’s rather limited,” he added.
Welcome to DevSecOps.
Impact of COVID-19 on DevSecOps
With COVID-19 directly impacting revenues for many enterprises, including technology companies, Gartner cited the story of a CIO of a large tech firm asking the CISO to reduce spend by 10%.
Smith acknowledged a similar observation in Asia. “We’re seeing an inclination to slow down security spending for calendar year 2020 but increase it in 2021. Moreover, security expenditures are no longer driven just by compliance and risk analysis. Business agility now is shaping up to be the No. 1 driver of security initiatives in the region,” she elaborated.
For his part, Reed does not see growth in spending in this area. It all depends on the perceived relative value of the various elements of the business.
“Given budget cuts, a company has to make a decision if they want to cut more on marketing, office costs, or producing quality software. Organisations make choices based on their strategy and cost constraints. Some of them make mistakes and later realized they have to carry an extra cost due to the risks they’ve accepted,” he added.
Taylor Armerding, a software security expert at Synopsys Software Integrity Group, says in DevSecOps, to do good while getting things done, you have to set application security priorities. Fix the biggest problems. Eliminate the worst threats.
“A major reason for conflict between development and security teams is developers’ perception that the security people “won’t let us do our job.” It’s impossible to eliminate every risk. But without a system to prioritise application security risks, your developers will waste their time on issues that don’t matter, such as false positives and known vulnerabilities that aren’t exploitable,” he concluded.
The Gartner Hype Cycle for Agile and DevOps, 2020 indicates that DevSecOps is in the early stages of mainstream adoption. Gartner estimates a 20-50% market penetration among DevSecOps' target audience, and places it within the "Slope of Enlightenment" on the Hype Cycle.
DevSecOps will reach mainstream adoption within 2-5 years, predicts Gartner.
Time to hone DevSecOps expertise and experience.