Andy Hague

20200103

Once the latest buzzword on everyone’s lips, DevOps is now ubiquitous. By 2018, 76% of businesses worldwide had begun implementing DevOps. In 30% of organisations, all or most teams were already operating in a DevOps environment.

But while DevOps adoption is now in full swing across most organisations, this doesn’t mean that the conversation around rapid, minimal-error development is done and dusted.

The next step is DevSecOps.

What’s DevSecOps?

As the name suggests, DevSecOps is about integrating security (Sec) into the DevOps methodology. But what does this mean in practice, and how does it differ from DevOps?

Traditionally, DevOps involves bringing the development and operations teams closer together to collaborate through quick, iterative cycles to develop and deploy code before updating it based on operational feedback. New applications and updates are gradually built with small packages of code. By taking this piece-by-piece approach, the two teams can rapidly create new releases.

But the marriage of dev and ops leaves out a third partner: security. In a standard DevOps environment, the security team is only involved in the final stage, to check for flaws and vulnerabilities in the release before it is pushed out.

In DevSecOps rather than leaving it until the last moment, security is included throughout the entire process. The security team retains its usual responsibilities, but works more closely with DevOps, carrying out frequent security checks at every stage of the development cycle, overseeing risk evaluation, creating and enforcing security policies, and directing incident response. Meanwhile the dev and ops teams receive comprehensive security training and use additional automated security tools to find and eliminate bugs as they work.

Why do I need it?

What’s wrong with the current situation as it exists? Why would any business undergo the upheaval of integrating security teams into the development process, when the dust has barely settled after the move to DevOps?

Because DevOps, while incredibly effective in terms of speed, can open up critical security flaws. It’s natural in a way – haste and care rarely go hand-in-hand.

DevOps is designed to rapidly create models that get the job done, not to spend time pondering over what could go wrong. This is a strategy that many agile businesses have favoured as it has supported the quick, flexible services of digital businesses like Uber and Netflix. But it can also carry huge risks.

To name just one example, in 2016 hackers stole the private data of 57 million users from Uber’s cloud platform, after accessing security credentials which had been stored in a private GitLab account (a tool popularly used by DevOps teams). The business was subsequently forced to pay $148 million in fines. Integrating security more fully into the DevOps process sooner might have helped to catch this flaw.

It’s incredibly common for new code to include vulnerabilities before it reaches the final security checks. Leaving security until so late in the development process means that when a flaw appears in a new app or update, and it reaches the security-check stage, one of two things will happen:

a.       The security team catch the flaw before release, and delay deployment while they fix it;

b.       They miss the flaw, and the insecure code goes live, opening the business to unnecessary dangers.

Any sudden delay to the development process can have a significant financial and reputational impact on the business, and the consequences of a data breach or successful cyberattack are even worse. As cybersecurity threats grow more advanced, this is no time for businesses to leave the backdoor open to potential attackers.

Before DevOps, development cycles were longer, giving more time to find bugs and security flaws – so leaving security until the final stage worked fine. But because dev cycles are so short now, security needs to get involved earlier.

Leaving security as an afterthought risks either holding up the development cycle, or missing security risks altogether. Fortunately, DevSecOps offers a way to mitigate these risks without compromising on the agility that DevOps has created for modern businesses.

You can learn more about why organisations need DevSecOps, and what it requires, in our whitepaper.

Other resources

Case studies

Our cyber consulting team works with clients from public sector bodies and global businesses to SMEs and start-ups. Read our success stories here. Learn more >

Video

See what our team have been discussing around current issues in regulation and data security, and recommended processes and policies that will benefit your business. Learn more >

Whitepapers

In our collection of whitepapers, Cyberfort’s cyber consulting experts explore issues from cyber threat intelligence to incident planning and data security. Read our whitepapers to help make informed decisions for the benefit of your business.Learn more >