Support rapid delivery of secure software with DevSecOps
As digital transformation and enterprise cybersecurity technologies continue to advance – along with the cyberthreats that challenge them – so too does the need to adopt robust tools and techniques for secure, rapid software development. Organizations face challenges not only in preventing the introduction of vulnerabilities during development but also in ensuring that deployments are secure and compliant.
That’s where DevSecOps can help. A mix of development, security, and operations, DevSecOps is a process that integrates security into every phase of software development, from initial design to delivery. Traditionally, security has often been “bolted on” to software, almost as an afterthought, at the end of the development cycle. But as developers began using Agile and DevOps development methods, this after-the-fact implementation of security created bottlenecks in software delivery and introduced issues with functionality. DevSecOps, by contrast, addresses security issues as they occur.
Today, more than one in four (27%) businesses have adopted DevSecOps/DevOps, according to a GitLab survey of over 3,650 respondents from 21 countries. Only Agile/Scrum has been more frequently adopted (see Figure 1).
A transition to DevSecOps will entail more than just implementing automated security tools, however. This development model aims to help businesses proactively anticipate, rather than simply respond to, data security incidents. To that end, security is built into all phases of the development lifecycle to help reduce the costs associated with addressing security flaws.
Other benefits can include:
- Continuous delivery of software in an abbreviated development lifecycle
- Automated software builds and testing
- Rapid response to change requests and needs
- Improved communication and collaboration across teams
- Early identification and resolution of code security vulnerabilities
- Lower costs of repairing security flaws
- Fewer deployment issues
- More rapid recovery from failure
If you’re considering adoption of DevSecOps, you’ll need to first understand the evolution of software development. As the saying goes, “You can’t know where you’re going until you know where you’ve been.”
The evolution of software development
Over the past two decades, software development processes have evolved from traditional linear approaches like the Waterfall method to more iterative approaches that allow developers to continually test for flaws. Following is a brief overview of software development approaches:
Waterfall: This model consists of sequential phases (such as requirement gathering, design, development, testing, and maintenance) in which the next stage cannot begin until the previous stage is completed. Because the Waterfall methodology follows a strict sequence of software development, any unplanned adjustments at the end of the development process can lead to challenges and delays.
Agile: The Agile model replaces the Waterfall’s strict sequences with continuous, iterative development and testing throughout the software development lifecycle (SDLC), executed by cross-functional teams. The most popular Agile framework, Scrum, focuses on delivery cadences called sprints and a meetings structure that includes planning, review of backlog items, and daily stand-up sessions.
DevOps: Through a combination of people, processes, and technologies, DevOps enables continuous integration and software delivery. DevOps represents a cultural shift over its predecessors. While Waterfall is linear and Agile organizes project activities into distinct phases, DevOps automates and integrates processes among software development and IT teams, which enables them to release software faster.
DevSecOps: Taking DevOps one step further, DevSecOps integrates security into DevOps processes, bringing them together in a collaborative culture. The objective is to strengthen application security by introducing a variety of security techniques early in the development process, rather than after product release, which can help reduce the number of flaws that make it that far and thus the costs of fixing them. Development teams are enabled to execute security tasks independently.
As the paradigm shifts, strong security becomes a key deliverable.
7 steps for making the move to DevSecOps
Adoption of DevSecOps will require that you carefully consider a number of operational, technology, and employee knowledge factors. Steps in this transition include:
1. Define and implement security requirements during the design and development phases.
2. Implement a mechanism to monitor high-risk application deliveries while fast-tracking delivery of low-risk applications.
3. Select and implement automation and security scanning tools that meet the needs of your current environment, and use them for every development.
4. Integrate automated approval workflow throughout the change-management process.
5. Perform secure code reviews for every software deployment.
6. Provide security training for developers and code training for security professionals.
7. Develop security awareness and a collaborative culture in which staff feel comfortable reporting continuous feedback or potential anomalies.
At its core, DevSecOps is less about implementation of security tools and more about the combination of culture, development, policy enforcement, automation, and integrations of security requirements and considerations across the development lifecycle. You cannot realize productivity gains at the expense of strong security practices. The costs, resources, and reputational impacts associated with a security breach can easily outweigh any perceived efficiencies associated with omitting security from your development methodology.
Striking the right balance between innovation and management of related risks will require that businesses regularly reassess their existing development processes, technologies, and controls. Designing a tailored approach for transitioning to DevSecOps and regular risk assessments should be front and center in an organization’s path forward.
InsightSEC proposes new rules on public company cybersecurity incident reporting, risk management disclosuresBhavesh VadhaniPublic companies could face a tight new timeline for disclosing material incidents, plus mandates to detail how they manage cyber risk. Read more.
InsightNew law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware paymentsBhavesh Vadhani, Daryouche Behboudi, Deborah NitkaThe Cyber Incident Reporting for Critical Infrastructure Act requires certain entities to report attacks within 72 hours, ransomware payments within 24.
InsightFuture of cannabis – Cannabis Quarterly insights, Q1 2022Read our team’s perspectives on taxation, data strategy, and data privacy (including California’s CPRA) in CohnReznick’s CannaQuarterly newsletter.
InsightSEC proposes cybersecurity rules, incident disclosure for investment funds and advisorsIn addition to strengthening threat management, information protection, and other key areas, the SEC aims to boost board oversight. Read more.
InsightProtect your organization against nation-state cyberattacksAmid federal warnings to boost cybersecurity vigilance, take these steps to understand your capabilities and implement further safeguards.