First, there was Dev, the development of platforms, solutions, and services that allowed organisations to refine their offerings and competitiveness. Then there was DevOps, a shift in IT delivery and development that focused on speed, agility, and lean methodologies to drive innovation and collaboration across teams. Now, there is a new sheriff in town, toting its heavyweight security considerations amidst the maelstrom of design and development – DevSecOps. It is, according to Mandla Mbonambi, CEO of Africonology, the integration of development and security operations that allows for the embedding of security protocols and considerations throughout the DevOps process.
“DevSecOps pulls a new team into the conversation – security,” he says. “It’s an imperative driven by the need to ensure that security remains at the forefront of collaboration and development, not something that’s brought in at the end when the loopholes are set and the gaps widen. With this level of integration, it allows for the organisation to pivot and innovate at speed but within the highly relevant constraints of security.”
According to a Deloitte Insights paper – DevSecOps and the cyber imperative – DevSecOps allows organisations to ‘enhance their approaches to cyber and other risks’. It ensures that security, privacy, policy, and controls are embedded into the DevOps culture from the outset, allowing deeper integration of security throughout the lifecycle of innovation. In light of how vast the cybercrime landscape has become, and how sophisticated the threat vectors, it’s almost a surprise that DevSecOps has taken so long to emerge.
“Ultimately, organisations have to consider the governance, risk, and compliance (GRC) mandates that impact on their security stance across all areas of the business,” says Mbonambi. “This is further complicated by the tenets of GDPR, which are far-reaching, the incoming Protection of Personal Information Act (POPIA), and the regulations around security that govern the US, Asia, and Australia. Ensuring that security is embedded within any solution has become mandatory to ensure global competitiveness and alignment.”
DevSecOps is neatly defined by Deloitte as being ‘an evolution of DevOps culture and thinking’ – it doesn’t disrupt the cyber agenda, it enhances it, allowing DevOps to innovate and iterate without worrying that they may compromise security. Unfortunately, inasmuch as DevSecOps feels like an intuitive step forward, it is one that few organisations understand or know how to implement. Logz.io’s 2018 DevOps Pulse Report found that most DevOps professionals aren’t prepared for security – 76% were either still in the process of implementing DevSecOps or hadn’t even begun to consider it. This is partly due to a lack of understanding, but also to the limited skill pool. There just aren’t enough skilled security professionals available to support DevSecOps development.
“It’s worth looking at partnering with an organisation that understands the tenets of DevSecOps and that can work with DevOps teams to provide relevant security insight and support,” says Mbonambi. “This will not only allow the organisation to embed security into the DevOps teams more efficiently, but it will ensure that they have access to the latest processes and tools from security specialists at the top of their game.”
In addition to putting tighter locks around DevOps innovations, DevSecOps offers a variety of benefits to the organisation. It isn’t all box ticking and compliance: the business also gets to enjoy significant cost savings thanks to the speed at which issues are identified and resolved. Vulnerabilities aren’t found after release; they are uncovered in rigorous, ongoing testing throughout the DevOps process. This, in turn, assures faster recovery, reducing downtime and the number of incidents, and improves threat hunting so that flaws are caught before they affect the company’s reputation. The obvious benefit is improved overall security – DevSecOps can be used to test and assess legacy systems alongside the new – together with a more transparent process that has all members of the DevSecOps team collaborating and sharing information openly.
“DevSecOps testing allows for constant improvement and iteration within tight security parameters but without slowing innovation to a crawl,” concludes Mbonambi. “It can allow for the team to build in robust systems that can be used to test across multiple projects and that can potentially improve software delivery and product differentiation. It may be a relatively new concept, but it is one that can be seamlessly integrated into the DevOps environment and that can add enormous value.”
DevSecOps can remove the need for expensive redevelopment and redesign, align the organisation more tightly with GRC, address risk at the outset, improve quality, and minimise the need for patching down the line. With the right DevSecOps partner, the skills challenge can be deftly overcome while the competitive advantage is retained.