The DevSecOps evolution — incorporating security into DevOps practices
According to IDC estimates, the worldwide DevOps software market achieved a level of $8.5 billion in 2019, up from $2.9 billion in 2017. Driven by the need for faster innovation, a shift towards microservices architectures and the evolution of automation and collaboration tooling, the DevOps juggernaut has dramatically changed how enterprise software is built. However, despite more than 90% of companies in a recent survey stating that DevOps had a direct impact on business metrics, 85% of respondents have faced barriers in their DevOps implementation.
DevOps is not easy. It’s more than a set of automation tools and agile processes; it’s a mindset and culture. And, for many traditional industries and organisations, change is a journey with plenty of roadblocks in shifting mentality and processes in order to inject DevOps earlier in the development process. In making the transition, one major roadblock is around shifting traditional security processes so that they become embedded in your DevOps activities. In an emerging movement towards DevSecOps, DevOps teams aim to incorporate security into their CI/CD (Continuous Integration / Continuous Delivery) pipelines, in a “shift left” paradigm, moving from a final blocking security review to a layered approach across the whole software development lifecycle (SDLC).
Seven Reasons to Justify a DevSecOps Journey
In this post, we explore seven reasons why security needs to be embedded in DevOps practices.
Lack of expertise is the number one security problem. It is a lot to ask software engineers to deliver the functional requirements but also the underlying non-functional requirements like performance, scalability or security. By leveraging DevSecOps practices throughout the software development lifecycle, your team is security-aware from the first line of code and the first component of infrastructure. This really changes the mindset and helps to deliver better products and services. By integrating security into your engineering processes, and establishing KPIs around this, you can set a path towards success.
Companies are often unaware of potential security threats until they are exploited. Vulnerability scanners, monitoring tools and penetration testing among others offer invaluable information about threats that may have previously been undetected. As a result, the global security testing market is forecast to grow at a compound rate of 20.7% between 2019 and 2027. Being able to identify vulnerabilities across your software and infrastructure components is a key part of a solid governance strategy.
Contrary to popular belief, DevSecOps can help you speed up your release cycles. Traditionally, security has been a blocker as it entailed a series of non-functional requirements that were reviewed at the latter stages of the software development lifecycle (SDLC). With DevSecOps, this changes dramatically: security is pushed to the early stages of the process — this is called ‘shift left’ in the industry. The main advantage is the ability to identify and fix problems earlier in the delivery pipeline, avoiding flawed builds being deployed into production and thereby saving time and resources.
DevOps activities need to empower developers to release to production multiple times a day with a single click. This can create a gaping security hole because the number of people with access to mission-critical systems can grow significantly. However, embedding security into DevOps automation increases confidence in the system’s integrity. With the right combination of technology and processes, the required level of security can be achieved, including enforcing PCI or HIPAA compliance.
Delaying security to the later stages of the development process is difficult to plan for. How can you know how many defects will be spotted? How long will it take to fix them? DevSecOps promotes the idea of adding security checkpoints to every phase of the pipeline. This reveals defects from the very moment the software is conceived, allowing the engineers to fix them early in the pipeline. It also allows everyone to plan because the final security review simply ensures that all the steps have been properly assessed and vulnerabilities managed accordingly.
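As an added illustration of what “a security checkpoint in every phase of the pipeline” can look like in practice (this workflow is not from the original post or NearForm’s own tooling), here is a GitHub Actions pipeline that gates a build on secrets scanning, a dependency audit, static analysis and a container image scan before deployment is reachable. It assumes a Node.js project with a Dockerfile at the repository root; the image name and the Trivy action version are assumptions.

```yaml
name: devsecops-checkpoints
on: [push, pull_request]
jobs:
  # Phase 1: commit hygiene - stop leaked credentials before they reach the build
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }        # full history so the scanner sees every commit
      - uses: gitleaks/gitleaks-action@v2
  # Phase 2: build - fail on known-vulnerable dependencies (assumes a Node.js project)
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm ci
      - run: npm audit --audit-level=high   # non-zero exit on high/critical advisories
  # Phase 3: static analysis - CodeQL SAST over the source
  sast:
    runs-on: ubuntu-latest
    permissions: { security-events: write }
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: javascript }
      - uses: github/codeql-action/analyze@v3
  # Phase 4: artifact - scan the built image before it can be promoted
  container-scan:
    runs-on: ubuntu-latest
    needs: [secrets-scan, dependency-audit, sast]
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .   # image name is an assumption
      - uses: aquasecurity/trivy-action@0.28.0         # action version is an assumption
        with:
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          exit-code: '1'               # block the pipeline on findings
  # Phase 5: deploy - only reachable when every earlier checkpoint has passed
  deploy:
    runs-on: ubuntu-latest
    needs: container-scan
    if: github.ref == 'refs/heads/main'
    steps:
      - run: echo "all checkpoints passed for ${{ github.sha }}; deploying"
```

Because each job exits non-zero on findings and `deploy` depends on the whole chain, the final review described above becomes a check that every gate ran, rather than the first moment anyone looks at security.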
Audit trailing is already a legal requirement in financial systems, but we argue that it should now be required in most software components because it allows the engineers to trace and audit entire transactions (user actions, automated operations, etc.) in order to reproduce issues or attacks. DevSecOps encourages teams to build systems in ways that are easily auditable. Log collection, event sourcing and event monitoring are just some of the techniques used by DevSecOps engineers to ensure your systems are transparent and facilitate the required governance.
Containers filled with microservices get deployed and rescheduled unpredictably on your platforms. Only automated systems can keep up with that fluid behaviour; human intervention alone no longer can. Runtime monitoring coupled with rule-based or AI-driven automated containment is the only way to keep these highly dynamic application landscapes safe.
7. Unique Selling Point
It doesn’t matter if you are selling a service or a product, your customers need to be confident that their data is safe. Building your SDLC on a strong security foundation is a very strong selling point. Security is now table stakes for many enterprises — and it’s even a requirement in cases where the customer is audited for ISO-27001.
Ready for the Journey to Secure DevOps?
Architecting DevOps processes and systems with a focus on security accelerates software delivery even further. Shifting security to “the left” and automating every security measure possible reduces surprises and frustration along every step of the process. Whether you are starting a new project or thinking of transitioning to DevOps, security has to be centre-stage to prevent outages in your systems.
At NearForm, we are firm advocates and practitioners of DevSecOps activities supporting companies in the transition to what we call DevOps AID: Assess, Implement, Direct. If you want to hear more about it, contact us and we will provide a plan with the steps you need to take to optimise your DevOps in a secure way.