How does DevSecOps fit in the DevOps world, where security can impede speed?
If one were to posit the question “What is the one thing that is revolutionizing the technology ecosystem now?”, the answer might be: Internet of Things (IoT), artificial intelligence (AI), robotics, or some new-fangled system on the horizon.
But for those who have seen technology come and go, the next new thing is not something abstract and years in the offing, but a methodology that drives the app-driven global economy we live in today: DevSecOps.
In fact, according to Infoholic Research, the global development, security, and operations (DevSecOps) market is expected to grow over the next few years, with Asia Pacific markets (in particular Singapore, Japan, China and India) showing increased interest in DevSecOps platforms.
Where DevOps converges software development and operations as a cultural approach to tearing down silos, thereby enabling improvements and features to be added more rapidly, DevSecOps advocates integrating security into the development workflow from day one.
DevSecOps, in essence, makes real the oft-derided moniker “security by design” (derided for being a marketing buzzword frequently trotted out by technology providers).
Where does DevSecOps fit in a DevOps world?
Just as DevOps requires a new mindset to embrace new approaches to software development, DevSecOps is a methodological approach that requires practitioners to prioritize security in the continuous integration and continuous delivery (CI/CD) pipeline. Remember: many developers are not security experts, and vice versa.
How well security is integrated into the software development life cycle (SDLC), which in a DevOps environment is often fast-paced and dynamic, is a question that also requires examining the security testing tools and best practices organizations use to keep pace.
The app landscape that organizations face today has become increasingly complex: apps are no longer updated on an annual basis, but potentially daily. Because the DevSecOps process is not always straightforward, IT organizations need to study their pipelines in depth, to understand what information flows through them and what vulnerabilities that can introduce, in order to achieve a measure of success.
From the security testing tools used to the inclusion of security teams in customer meetings as early as possible, DevSecOps ensures that IT security and app security are everyone’s business.
Think about it this way: when was the last time you actually properly cleaned your vacuum? Cleaning equipment is just as important, as it provides an additional sense of security: a cleaner environment, a slimmer chance of harmful illness, and so on.
Security over speed
Another issue DevOps practitioners experience when moving into DevSecOps is speed. When application security testing (AST) tools are deployed, for instance, IT teams generally expect the pipeline to take longer to run to completion.
While this drawback may threaten to place security in a tough spot among organizations that prioritize speed and agility, rolling back security is not an option. What organizations can do, however, is work towards minimizing the cost of that added time.
Practical measures include ensuring that the tools and technologies chosen work well in containers, and making sure the AST tool used does not negatively impact the ability to scale the container easily.
Scaling problems can arise if an AST tool has a large image footprint or relies on storing its data inside the container. It is also a fact that AST tools take time to run, and they can slow down the overall CI/CD pipeline.
Interestingly, the CI/CD pipeline was in fact never conceptualized with security top of mind, but rather with speed and convenience. With the introduction of DevSecOps, the responsibility now lies with everyone involved to ensure that security is an intrinsic part of the development process. This approach may be viewed as an innovation blocker because it slows the pace of development, but by keeping security top of mind, IT organizations can avoid loss and damage when a threat materializes.
DevOps, by virtue of its rapid iteration, should focus on the speed of improvements and have security as an integral feature; today, security is simply not a key “feature”. Until DevOps and DevSecOps become the same thing, the latter will serve as a temporary offshoot of sorts, highlighting the role of security in application development.