Mission impossible? The benefits of standardizing on DevSecOps
- By Altaz Valani
- Jul 25, 2019
Two trends are converging on government application development. One is users’ demand for frequently updated applications. In the private sector, users have become accustomed to new software versions being released on a near-daily basis, and that expectation is spilling over into the government sector. Gone are the days of yearly or even monthly releases. Instead, developers must become adept at agile, iterative code creation in order to keep up with users’ needs and keep pace with mission goals.
The other trend is the unprecedented need for security. With the growing barrage of cyberthreats, it’s never been more important that application developers put security at the top of their lists. They must stay up-to-date on the latest exploits and learn how to defend against them.
Herein lies the conflict: How do government IT organizations take a rapid, iterative approach to application development and also ensure that applications are -- and continue to be -- adequately secured? Making time for security best practices, such as threat modeling and penetration testing, in the application development process is difficult and requires specific skills and ample time. How can agencies speed up that process without sacrificing security?
One approach to solving this issue is DevSecOps (development+security+operations), the practice of integrating security into application development. It brings together development and operations teams to accelerate secure code creation and encompasses the integrated tools, services and standards that enable the development, deployment and operation of secure applications.
Because of the meaningful benefits that DevSecOps promises -- applications that are developed both rapidly and securely -- adoption expectations are high. A Gartner study predicts that by 2021, DevSecOps processes will be used by 80% of development teams, growing from just 15% in 2017.
While DevSecOps sounds like a straightforward solution, it can be difficult to implement and challenging for key stakeholders to accept. For developers accustomed to traditional waterfall methodology, moving to a continuous development process often requires new tools and services, training, and an understanding that the software development cycle is no longer a linear process. It also means application security is not just the responsibility of the security team. Instead of building code and then handing it over to the security team late in the life cycle to inspect for vulnerabilities, development teams must now consider the security of the code from the start.
Many of these challenges can be addressed by proper planning and governance. To be successful with a DevSecOps initiative, agencies should define the roles, processes and controls needed at every level to facilitate security requirements throughout the application development life cycle. As with any strategic program, DevSecOps must be aligned to mission goals and include business objectives like risk management, cybersecurity, resilience and compliance.
Perhaps most importantly, successful DevSecOps adoption requires a cultural shift. Agency developers accustomed to taking a methodical, linear approach to building security-first applications must learn to embrace iterative practices that continuously improve code to thwart the latest threats. And those whose priority is to build applications quickly at any cost will need to treat security as an equally important goal. It also requires departments that typically don’t work together -- IT staff, operations, planning, security experts, subject-matter experts -- to combine their skills and experience to be successful.
DevSecOps in the real world
In government, IT teams must be able to deploy fixes that address emerging threats as fast as possible. This is where DevSecOps comes in.
Take the example of the Defense Department, where an initiative is underway to implement DevSecOps. The DOD Enterprise DevSecOps Initiative is harnessing tools and services that support this approach to software development and focusing on developing standards and metrics for training and education. With DevSecOps, warfighters could more quickly get new system features that can help them in the field, and IT departments could rapidly deploy fixes to emerging threats, making the U.S. more competitive in cyberwarfare.
It takes considerable time and resources for the necessary research, testing and procurement to successfully standardize on DevSecOps technology stacks so that everything integrates properly and installs quickly. It helps to have a centralized group that standardizes a technology stack and facilitates deployment (e.g., via container orchestration) so that all developers can use the same toolkit, without wasting time, money and other resources on duplicate efforts.
DevSecOps is one way to enable applications that are both secure and feature-rich. As this approach begins to take hold and once-separate teams start to collaborate, developers will start thinking of security as a normal part of software construction. Users will benefit from secure applications that can defend against the latest cyberthreats and help deliver on mission goals.
Altaz Valani is the research director at Security Compass.