The Evolving Narrative of Moving from DevOps to DevSecOps - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
DevOps
Commentary
10/9/2020
07:00 AM
Ayhan Tek, VP of Information Security, Cyber Electra
Ayhan Tek, VP of Information Security, Cyber Electra
Commentary
50%
50%

The Evolving Narrative of Moving from DevOps to DevSecOps

We need an integrated development approach that is automated to create the right balance between speed and risk to avoid costly rework and business slowdown.

Today, we hear a lot about DevOps, automation, and speed. This is expressed in everything from the tools used to automate, the metrics gathered to deliver increasingly faster, and the emphasis on lightweight governance to deliver in a lean way. Taking a step back, however, we still see security issues prevalent in our software.

There is a shift in the industry narrative to align the discussion on “speed only” to a broader discussion on why this is not enough to satisfy the needs of the business.

Image: AndSus - stock.adobe.com
Image: AndSus - stock.adobe.com

To be clear at the outset, it makes sense to automate repeatable tasks for speed. Otherwise, you have to do tasks manually, which takes time and is error prone. We have learned from experience that automation can go a long way toward improving consistency and quality. For example, it used to take weeks or months to manually provision and deploy a server. Today, we can do it significantly faster and with greater consistency. So naturally, most organizations try to emphasize development automation in an effort to reduce the cost of rework and focus their people on more value-added activities.

Now a similar evolution needs to happen in the security domain. Without detracting from the value that security brings to the table around business risk management, we need to balance security activities against a well-oiled development pipeline that emphasizes automation. Speed can be a great asset but is even greater when it's balanced with safety and security. This avoids the pitfall of having to fix security issues once deployed into a production environment. Taking the time to fix those production security issues takes time away from deploying new features for the business. The net result is an inadequate delivery pipeline from the business point of view.

Security, therefore, must be inserted at each and every stage of the software development life cycle (SDLC). We need to test early and often. For example, in a change cycle, we need to assess the risk of the changes against security, privacy, and regulatory impact.

In the past, many organizations made the mistake when adopting DevOps to focus the benefits exclusively from a development speed perspective without due consideration of a balance against business needs like risk and security. Today, when we see data and security breaches, it’s clear that our processes focused on development speed are at fault if we accept that quality artifacts are an output based on the strength and quality of our processes.

Therefore, we need an integrated balanced development approach that is automated to create the right balance between speed and risk to avoid costly rework and business slowdown.

Achieving a balanced development approach

Looking back, during the early days of DevOps, there were many challenges in bringing development and operations together because developers wanted to move fast and change the code while operations wanted stability and infrequent changes. Today, we are witnessing a similar change pattern as we transform from DevOps to DevSecOps. Many security teams favor stability and infrequent change. Security checks take longer with this mindset and lead to repetitive security activities such as security testing, risk assessment, and environment certification. These processes are not integrated into the DevOps processes. Rather, they are conducted out of band, and it can be difficult to inject security activities in a fast-moving pipeline. Instead, these security activities need to be baked into the automated SDLC process and radiate metrics that are relevant to security stakeholders.

Injecting security to achieve balanced development automation does not imply reinventing the wheel. There are good tools already in place to help you execute DevOps efficiently. There are also existing governance and metrics in place to help key people make informed decisions. You need to embed security into each and every phase of SDLC activities, and the more you shift to the left, the more benefits that you will see.

We also need to teach and educate people that security is a joint effort and it's everyone's responsibility to achieve balanced development automation. It's not only the responsibility of security teams. Security cannot be isolated from developers and other stakeholders, where they run a security tool stack in an isolated manner. We need to inject security automation at every stage of the SDLC from threat modeling to code scanning, testing, and operations.

Measuring success

The industry narrative around DevOps development automation is shifting to a balanced development automation perspective as we start to inject security, risk, and compliance requirements into software development. This means that, just as we did with DevOps, we need to have a cross-functional matrix of tradeoffs that articulate the right balance required to be both fast and safe. This needs to be measured so that every set of processes across these teams is contributing tangible value toward balanced development. And therein lies the ultimate business value.

Ayhan Tek is the VP of information security at Cyber Electra. He is a seasoned information security professional specialized in risk management, security architecture, and application security domains with over 20 years of experience. Ayhan is active with ISACA, ISC2, IEEE and other professional organizations and provides cyber security events and trainings in North America. Ayhan holds CISSP, CISM, TOGAF, SOA, ITIL, Oracle, IBM and many other professional certifications.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
News
Northwestern Mutual CIO: Riding Out the Pandemic
Jessica Davis, Senior Editor, Enterprise Apps,  10/7/2020
White Papers
Register for InformationWeek Newsletters
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Slideshows
Flash Poll