Managing the software development lifecycle, aka SDLC, can be expensive in most organizations. It also presents a range of complex challenges that teams must manage throughout that cycle. These include timely delivery of quality code (no small challenge in and of itself), along with needs to accommodate customer input and requests, deliver a positive user experience, protect against risks and exposures, and ensure compliance with applicable data privacy and protection rules and regulations. Some of the biggest challenges come from managing communications, ensuring effective development flow, and avoiding unplanned and unwanted disruptions and do-overs. Anything that slows down development ultimately boosts costs and reduces its ROI. In large part this explains the impetus to integrate security into DevOps approaches and methods.
At a high level, DevOps is best understood as a set of methods, tools, and processes to integrate development, test and code deployment following continuous integration and continuous deployment (CI/CD) practices. Frequent builds are frequently tested and, when ready, frequently transition from the development arena into production. What application security — the Sec part of DevSecOps — brings to this mix is continuous integration of security understanding and intelligence into design, build, test and maintenance cycles. Thus, security becomes a part of the process for the entire SDLC, and security factors play an especially important role in testing (thanks to integration and prioritization of current security intelligence) and maintenance (to make sure that code in production use is subject to continuous security monitoring and remediation, when it’s needed).
The real strength of DevOps is its powerful integration of design, test, deployment and maintenance efforts. DevSecOps is even more powerful, because it uses the same ongoing, consistent and tightly integrated approach to making sure that security issues are addressed throughout the SDLC as well as code quality, ongoing improvements in performance and reliability, enhancements to functions and capabilities, and rapid, agile development processes.
Security exposures and vulnerabilities expose organizations’ code to a variety of risks. These include (but are not limited to):
Simply put, by integrating security directly into their development processes, companies can avoid or mitigate the risks that too often result should they deploy vulnerable or unsecured application code into production. In fact, DevSecOps makes sure that security pervades the entire development lifecycle, ensuring that secure coding practices create more secure code to start with, and that threat and security intelligence catch and handle possible vulnerabilities and exposures before they can affect production code in the field. This means a substantial reduction in exposure to all of the risks described in the preceding list, all of which can incur substantial costs, both tangible and intangible, especially those that lead into legal or regulatory difficulties, or damage to brand(s) and reputation.
In fact, DevSecOps offers additional benefits above and beyond improved security posture and reduced exposure to risk. By integrating current security intelligence into development, test and delivery processes, DevSecOps prevents schedule disruptions that can arise when urgent vulnerabilities surface and need immediate attention. DevSecOps assures they’ll be addressed in the next update cycle, and ensures that this will happen sooner, not later. DevSecOps also helps shorten the development cycle, and lets companies handle and integrate changes (including those driven by security, as well as other concerns) without slowing workflow.
Hardly any worthwhile software development occurs nowadays without involving third parties. This includes the companies that provide tools, platforms and services (e.g. GitHub, Slack, and so forth) as well as companies or open source organizations that provide building blocks for outright implementation (code frameworks and libraries, application programming interfaces (APIs), middleware and so on). Companies need to manage risks that come through this supply chain (as recent major incidents involving SolarWinds and Microsoft Exchange clearly illustrate) as well as monitor and manage risks that third-party components in their code can raise, whether proprietary or open source.
A recent Accenture study reports that “some of the most important risk management capabilities in which companies can invest are those that can provide greater visibility into operations” — a key component of DevSecOps. This means that companies should attend carefully to the development tools, services and platforms they consume, as well as the third-party software components they integrate into their code bases. In Accenture’s words, this will allow them to “collect and analyze rich data across the supply chain so they can identify developments that could affect their operations and mobilize to respond when necessary.” Furthermore, Accenture also observes that “Companies should consider investing in capabilities that enable them to effectively monitor their supply chain in real time so they can identify potential threats and proactively respond before they become real problems…”
This kind of language not only shows the importance of keeping up with the overall supply chain, especially as it touches upon in-house development and code delivery. It also reinforces that the real value and contribution of the Sec part of DevSecOps comes from cultivating a security-first mindset.