Why DevSecOps Is Good Business
Bjoern Zinssmeister is the founder and CEO of Templarbit, a security intelligence company that helps businesses establish a data-driven approach to AppSec. He shares his experience and thoughts about the future of DevSecOps in this blog.
Back in 2002, when I was a (very) junior programmer at a German enterprise software company, I was lucky enough to be part of a small team that was building what you would now call a SaaS app. Up until then, the company had made all its profits by selling desktop software written in a language most people have likely never heard of: FoxPro. But instead of spending my days debugging FoxPro code, I was now greenfielding Java web services.
Today, I realize that the company was ahead of its time because it had the foresight to realize that the future was web applications. But back then, this new way of building and shipping software was both exciting and scary. Many things weren’t figured out and one of the immediate concerns was security. The web wasn’t considered a terribly safe place and just a few years earlier, in 1998, we had the first public discussions of an SQL injection on the web, demonstrating how vulnerable a web-based system can be.
Because of this, we made an effort to ship secure code by establishing a security review process at the end of a release—a very isolated process that sometimes would uncover structural flaws that would set back development by weeks or months, leading to massive amounts of frustration.
I am glad things have changed since. Today, one of the most exciting trends that I have seen come and stay is DevOps, and its new iteration, “DevSecOps,” involves bringing security earlier into the application development lifecycle. Security teams are now encouraged to engage with developers earlier than before, allowing for a much tighter feedback loop. The primary goal of DevSecOps is to ensure that security is part of the development cycle and not just bolted on at the end as an afterthought.
Benefits of DevSecOps
With DevSecOps, dev and security teams are able to establish a shared view and language for evaluating risk. This approach also allows an organization to expand the radius of who is having a conversation about security rather than confining important decisions into the bubble of the security team.
Here are the three key benefits I think have the strongest impact for organizations when adopting a DevSecOps process:
- Speed and agility will increase, leading to happier customers.
Software has end users and those users want a great experience, new features, and integrations. They also want bugs to be fixed quickly. All this is now possible while also building a more secure product. With security as part of the Agile team, organizations can now spot possible vulnerabilities early and save developers from marching down a fragile path.
- Security becomes a team sport.
When security is integrated into the software development process, it fosters a culture where everyone starts to consider risk vs. value; in other words, it will make security a shared responsibility. Engineers will begin to get into the habit of analyzing a new feature from a security perspective during the planning phase. Product managers will encourage and will often even bake in a conversation around the possible security impact a change to the application will bring. When more people start to think about security early on, organizations will become better at shipping more secure software by default.
- You will actively look for automation.
A big part of DevSecOps is to leverage security automation to help achieve speed and continuous coverage. The DevOps toolchain provides the perfect gateway into a more automated security setup. When security is viewed as a natural byproduct of the development workflow, you will naturally want to figure out how to set it up so that every commit is scanned for possible vulnerabilities, along with automated audits of third-party libraries. Beautiful.
DevSecOps has many other benefits, but enhancing a positive customer experience, fostering a security-minded culture internally, and actively pushing automation for security tasks are some of the most impactful concepts DevSecOps can unlock for a company.
Security Tech for DevOps
The journey of bringing security closer to the DevOps flow can start in many ways, but often it begins with the introduction of new technologies. These technologies are the glue between people and processes, and they also assist manual security review efforts while bringing visibility and performance indicators back to the team. I often recommend that companies start by looking at the following technologies as their DevSecOps foundation:
- Automated static application security testing (SAST)
- Open source dependency monitoring
- Runtime application security
- Real-time alerts for high-severity security events
With these four pillars in place, you can establish a basic foundation for DevSecOps that takes into account an app’s entire lifecycle. Firing off a static application security scan when new code is committed is a great step toward catching common issues early. Expanding this to also check for known vulnerabilities in open source dependencies is the natural next step.
Once the release gets promoted to production, make sure you have active monitoring and blocking capabilities with sufficient reporting. Ideally, this runtime monitoring will tie in to your real-time alerts to notify people who can act on the alerts. After all, having the right person instantly know about a high-severity security issue is a very desirable setup, one that emphasizes focus on your customers.
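As an added illustration of the commit-time gate and alerting described above (example code, not Templarbit's product or any real scanner's format), this script merges findings from a SAST run and a dependency audit, fails the pipeline when anything at or above a severity threshold is not on a documented-risk allowlist, and builds the event that would go to a real-time alert channel. The report JSON shapes, the severity scale, and the sample findings are all constructed for the example.

```python
import json
from dataclasses import dataclass

# Severity scale assumed for this example; map real scanner levels onto it.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "deps"
    rule: str      # scanner rule id or advisory id
    severity: str  # lower-cased key into SEVERITY_RANK
    location: str  # file:line for SAST, package@version for dependencies

def load_findings(sast_json, deps_json):
    """Normalise a SAST report and a dependency-audit report into one list.
    Both JSON shapes are hypothetical; adapt the keys to the tools you run."""
    findings = []
    for r in json.loads(sast_json)["results"]:
        findings.append(Finding("sast", r["check_id"], r["severity"].lower(),
                                f"{r['path']}:{r['line']}"))
    for v in json.loads(deps_json)["vulnerabilities"]:
        findings.append(Finding("deps", v["id"], v["severity"].lower(),
                                f"{v['package']}@{v['version']}"))
    return findings

def gate(findings, threshold="high", accepted=frozenset()):
    """Return (passed, blocking). A finding blocks the commit when its severity
    meets the threshold and its rule id is not on the documented-risk allowlist."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.severity, 0) >= min_rank and f.rule not in accepted]
    return not blocking, blocking

def alert_payload(blocking, commit):
    """Event for the real-time alert channel; None when nothing blocks, so the
    channel fires only on actionable, high-severity events."""
    if not blocking:
        return None
    worst = max(blocking, key=lambda f: SEVERITY_RANK[f.severity])
    return {"commit": commit, "severity": worst.severity, "count": len(blocking),
            "findings": [f"{f.source}:{f.rule} at {f.location}" for f in blocking]}

# Constructed sample reports for the demo (not output of any real tool).
SAST_REPORT = json.dumps({"results": [
    {"check_id": "sql-string-concat", "severity": "HIGH", "path": "app/db.py", "line": 42},
    {"check_id": "debug-flag-on", "severity": "LOW", "path": "app/settings.py", "line": 7}]})
DEPS_REPORT = json.dumps({"vulnerabilities": [
    {"id": "EXAMPLE-ADVISORY-0001", "package": "somelib", "version": "1.2.3", "severity": "critical"},
    {"id": "EXAMPLE-ADVISORY-0002", "package": "otherlib", "version": "0.9.0", "severity": "medium"}]})
```

In a CI step, exiting non-zero when `gate` reports `passed == False` blocks the merge, while the payload is what gets routed to the on-call person; the low-severity debug flag is recorded but never pages anyone.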
The future for DevSecOps is bright, and establishing proactive security that focuses on the customer experience and anticipates data breaches rather than reacting to them is a shift many enterprises are investing in.
The benefits that DevSecOps delivers to these companies are numerous, including cost reduction, speed of delivery, executing compliance at scale, and the ability to foster a security mindset. Removing barriers between development, security, and operations continues to be an ongoing evolution, and new tools to help achieve this more effectively continue to emerge.
Over time, we will likely see tighter integration and orchestration between different security tools that are native to the DevOps toolchain. Runtime security vendors are embracing integrations with Slack, PagerDuty, and other real-time notification tools, and I believe that these integrations will get deeper and are going to allow better insights to be delivered to the right person faster.
Check out the PagerDuty – Templarbit integration here.