Secure Cloud Innovation?

As more agencies create and migrate systems to the public cloud, information security (InfoSec) is having to keep up the pace with the rapid innovation and new application delivery. InfoSec integration throughout the application delivery process needs to improve based on the security news of breaches and data leaks.

One way to improve security integration is through the use of Development Security Operations (DevSecOps). Over the last few years, there has been a significant increase in teams of different sizes using DevSecOps as the way they secure their System Development Lifestyle Cycle (SDLC), Continuous integration / Continuous Delivery (CI/CD) pipelines, and products (systems).

However, many clients and teams are still learning about DevSecOps and how it can help improve their security posture and mindset, particularly for cloud-native and public cloud systems. In this article we’ll discuss what DevSecOps is, how it helps secure systems, and the DevSecOps adoption curve.

What is DevSecOps?

DevSecOpsv2 01

DevSecOps is an extension of the DevOps model that includes security in all phases of the System Development Lifecycle. DevOps is a team approach with no silos between development and operations; team members with skills across the system development and operations functions work together on the same teams, creating products that are quickly and frequently deployed to production to achieve business value for the customer.

In a DevOps model, the changes to the product happens quickly and the focus is on functionality, so important security reviews, identification of defects, and remediation can be missed or pushed to the latter part of the delivery cycle. Additionally, product changes are happening so fast (multiple deployments per week, or even daily), so it can be difficult for InfoSec team members to assess and provide feedback on vulnerabilities and needed changes.

DevSecOps integrates the security team with development and operations team members, so the entire team can produce and own one design that meets the functional needs and incorporates the security configuration and design elements. By including the security team in the early creation of the product and the updates, user stories can include security needs as part of the design rather than adding security after the product design has been completed and construction is underway or even completed.

The inclusion of the security team in the entire development cycle is referred to as shifting the security work “left” into earlier phases of the SDLC where changes are easier and cheaper and security, development, and test team members can work closely together to build one product that is functional and secure.

Improving Security with DevSecOps

Improving product and application security by integrating the InfoSec team into the design, production, and maintenance of applications is an important goal that is on the minds of CISOs of many organizations, and, more generally, technology teams. Even users in the wake of cybersecurity attacks against industries, services, and infrastructure in 2021 have become more aware of how necessary security is.

Integrating security into the application lifecycle brings a “security focus” to the entire organization and encourages building security skills and behaviors for all team members involved with creating the company’s product. The DevSecOps approach was described clearly by the State of DevOps Report :

“Integrating security at every stage of the software delivery lifecycle is more than just shifting security checks to the left. Security integration requires a completely different approach, one that emphasizes cross-team collaboration and empowers delivery teams to autonomously prevent, discover and remediate security issues. Breaking down knowledge silos between teams, and collaborating to improve security both raise overall awareness of security concerns, making it more likely that everyone — even those outside the security team — will adopt known patterns for security protection”

Barriers to DevSecOps Adoption

DevSecOps does improve security, but one of the biggest challenges in embracing a DevSecOps approach is the shortage of InfoSec personnel and security knowledge and skills on the DevOps team. The DevOps team usually lacks deep expertise in vulnerabilities, attack vectors, and security remediation patterns. However, bringing security personnel into all phases of the SDLC breaks down the barriers between the development and security team and encourages collaboration and knowledge sharing.

As this process unfolds and matures, the security team learns more about the applications being built and the DevOps team learns from the security team common security factors to look for and how to address them. Over time, the DevOps team integrates those skills and methods to the design and build of applications, building security awareness and skills.

Collaboration between Security and DevOps personnel:

  • Builds awareness
    • Fosters a cohesive environment
    • Creates software that delights users
    • Provides secure software

As the DevSecOps culture develops, the security focus of the delivery team is instilled into product owners, managers, sponsors, and the entire organization.

DevSecOps Adoption Curve

The DevSecOps approach brings a security focus across the organization and helps the team build software that is secure intentionally by design and avoids the problems and costs due to adding security late in the SDLC. The adoption of DevSecOps moves the organization towards what is sometimes called a secure software development lifecycle, where security is an essential component of the phases and there is a focus on finding security defects in addition to traditional defects throughout the development cycle.

Moving to DevSecOps is a multi-year endeavor for most organizations, partially because it is a balance between speed of release for innovation and business outcomes and building in cybersecurity best practices. There is constant pressure to innovate and deliver new features faster. Security personnel have an uphill battle convincing stakeholders to give equal weight to security features and vulnerabilities. Additionally, integrating security into all phases of the software lifecycle involves tooling, automation, and cultural elements. Integrating all of these factors is hard. The good news is that teams and organizations understand the value of DevSecOps and are introducing DevSecOps to their teams.

  1. Gartner reported in 2017 that DevSecOps was used by 15% of respondents, but those same respondents expected to make a significant investment in DevSecOps in the next two years.
  2. In 2020, the Synopsys Cybersecurity Research Center (CyRC) and Censuswide, an international market research consultancy, conducted a survey of DevSecOps practitioners, which found that 63% of respondents were using DevSecOps across their business or working toward maturity in their DevSecOps processes.
  3. GitLab’s 2021 Survey, “A maturing DevSecOps landscape,” found almost 36% of teams were using DevOps/DevSecOps.

These surveys all have their own viewpoints and different survey methodologies and respondents, but collectively they paint a picture of accelerating adoption of DevSecOps. Teams are using DevSecOps to deliver higher quality code that is more frequently scanned, analyzed, and tested for security vulnerabilities. Teams are continuing to ship code frequently, oftentimes multiple times per day.

Mindful Change

Security and innovation are not easy to integrate. Application design, development, testing, and operations aren’t easy either, but we know that we need new features quickly, even with the increase in cyber bad actors. Our applications must be delivered quickly and as secure as possible. DevSecOps is the nexus of application development culture, tools, and skills and is a promising approach to bring security teams and DevOps teams together to build security mindfulness for the entire organization.