Despite the technological advances of recent years (or perhaps because of them), the number of threats on the internet continues to rise. In fact, a 2022 survey from ThoughtLab found that the number of breaches suffered by organizations rose by 20% between 2020 and 2021.
This increase in attacks has caused widespread concern in the security industry. GitHub found that 43% of security professionals feel “somewhat” or “very” unprepared for the future – and that’s a serious issue.
As a security consultant and founder of Dynaminet, I have more than 20 years of experience in the fields of DevOps and, more recently, DevSecOps. I’ve watched the rise in cyberattacks with concern, and I believe we must reverse this disturbing trend. From my vantage point, the best solution is the wholesale adoption of DevSecOps practices and policies that embed security ever earlier in the development pipeline.
I’ve spent a lot of time contemplating how to help organizations embrace DevSecOps principles, which is how I eventually came to write the book, DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement. To understand why and how to implement DevSecOps, we first need to understand what DevSecOps is and how it differs from DevOps.
DevOps or DevSecOps?
Traditionally, developers write the code for applications and software, as well as patches, fixes, and updates. Once created, they pass their code off to the operations team for testing and eventual deployment. If the code contains errors or other problems, the operations team sends it back to the Dev team to be fixed. The resulting back-and-forth can slow down even simple projects, causing some internal tension in the process.
To resolve this ongoing tug-of-war, the process known as DevOps was born. DevOps integrates the development and operations teams from design through deployment, allowing problems to be caught and resolved earlier in the software pipeline and automating much of the testing needed for deployment. DevOps is a game-changer because it removes the headache associated with siloed teams and reduces the time it takes to bring software to market.
Sounds great, right? It is, but with one caveat: security. The DevOps system often overlooks (or bypasses) crucial security checks that would prevent breaches down the road. In fact, research from Delinea (formerly ThycoticCentrify) found that 57% of organizations surveyed were the victim of at least one security incident due to exposed secrets in DevOps.
DevSecOps seeks to solve the security issues created by DevOps. As the name implies, it integrates security into the DevOps environment, ensuring security is a core tenet of the software development process instead of an afterthought or a siloed check.
The 3 Layers of DevSecOps
Properly implementing DevSecOps isn’t as simple as dropping a security expert into the development or operations team. DevSecOps requires buy-in from stakeholders throughout an organization, as it contains multiple layers that need to be understood to function properly.
Layer 1: DevSecOps Education
Proper security education is foundational to implementing DevSecOps. Organizations need to ensure that those involved with software development and the CI/CD pipeline are consistently learning how to practice security, whether through structured courses, self-paced learning, or even experimenting to find ways to keep software and applications secure. Continuous education is even more important when we consider that the world of application security is constantly evolving. It’s vital to stay up to date to keep code (and organizations) safe from attack.
Layer 2: Secure by Design
Having secure infrastructure and secure code at every stage of the development process is crucial to the success of DevSecOps. After all, what’s the point of working to make sure engineers and developers know how to keep things secure if they aren’t implementing security throughout the development lifecycle? It can be difficult to ensure that everything under development is designed and coded securely from the ground up, but with the average total cost of a data breach at $4.24M, it's best not to rush to deployment.
Layer 3: Security Automation
Once a solid education foundation is complemented with securely designed code, organizations need a way to make sure their DevSecOps efforts are maintained. Security automation tests software, application, and infrastructure security to verify that DevSecOps practices are effective. Automated tests like software composition analysis (SCA) scanning and infrastructure-as-code (IaC) scanning can efficiently identify critical vulnerabilities before deployment – a necessity in the fast-paced world of modern software development.
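As an added example, not code from this article or from Dynaminet, here is a minimal Python pipeline gate of the kind Layer 3 describes: it scans a constructed Terraform snippet for a world-open ingress rule, a public bucket, and hardcoded credentials (including the exposed-secrets problem mentioned above), blocks deployment on HIGH or CRITICAL findings, and lets the corrected form of the same resources through. The rule names, severities, and sample values are assumptions made for the example.

```python
import re

# (rule id, severity, line regex); real IaC scanners parse HCL rather than grepping lines.
RULES = [
    ("open-ingress", "HIGH", re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"')),
    ("public-bucket", "HIGH", re.compile(r'\bacl\s*=\s*"public-read(-write)?"')),
    ("aws-access-key", "CRITICAL", re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
    ("literal-secret", "HIGH", re.compile(r'\b(password|secret)\s*=\s*"[^"]+"')),
]

def scan(text):
    """Return (line_number, rule_id, severity) for every rule hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, sev, rx in RULES:
            if rx.search(line):
                findings.append((n, rule, sev))
    return findings

def gate_passes(findings):
    """Pipeline policy: any HIGH or CRITICAL finding blocks deployment."""
    return not any(sev in ("HIGH", "CRITICAL") for _, _, sev in findings)

# Constructed weak sample (placeholder key and password, not real credentials).
WEAK_TF = """\
provider "aws" {
  access_key = "AKIAEXAMPLE000000000"
}
resource "aws_security_group" "ssh" {
  ingress { cidr_blocks = ["0.0.0.0/0"] }
}
resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}
resource "aws_db_instance" "db" {
  password = "example-not-a-real-secret"
}
"""

# The same resources in the corrected form the gate should let through.
FIXED_TF = """\
resource "aws_security_group" "ssh" {
  ingress { cidr_blocks = ["10.0.0.0/8"] }
}
resource "aws_s3_bucket" "logs" {
  acl = "private"
}
resource "aws_db_instance" "db" {
  password = var.db_password
}
"""
```

Running `gate_passes(scan(WEAK_TF))` returns False with four findings, while `gate_passes(scan(FIXED_TF))` returns True with none.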
Securing the Future
DevSecOps practices are rapidly being adopted, but the number of serious breaches continues to rise as well. If we want to ensure a secure internet future, we must make security a priority from the start.
The current mindset around software development favors speed: faster design, faster coding, and faster to market. But we need sustainable long-term solutions to keep the internet safe. We need to take a step back and focus on implementing effective DevSecOps practices.
To learn more about DevSecOps, be sure to watch my full conversation with Steve Giguere on Season 2 of DevSecTalks, where I discuss the foundational elements of DevSecOps and how to implement effective practices at an organizational level. For a closer look at my recommendations for establishing a security-first culture within your DevOps teams, you can also check out my book, DevSecOps: A leader’s guide to producing secure software without compromising flow, feedback and continuous improvement.
Did you enjoy this episode of DevSecTalks? Tune in to our other sessions to hear from more industry experts who are building the future of cloud security.