At this point, the concept of DevOps should be familiar to everyone. But with the rise of cybersecurity attacks, organizations have seen the need to incorporate security into the mix. Thus, the idea of DevSecOps.
Though the concept and practices were created with the best intentions, the number of cybersecurity attacks continues to rise, which begs the question: Has DevSecOps succeeded in what it set out to achieve?
In order to answer that question, we need to define what DevSecOps truly means. According to John Martinez, vice president of customer solutions at Evident.io, DevSecOps comes down to two things: embedding security best practices within DevOps teams and organizations, and automating those best practices, he said.
It also means embedding automation, DevOps practices, and Agile practices into SecOps, Martinez explained.
“I will say I think we’re early on in the DevSecOps movement of practices that are being implemented,” said Derek Weeks, vice president and DevOps advocate at Sonatype and co-founder of the All Day DevOps virtual conference. According to him, there are a number of organizations that have already implemented security into DevOps and have been successful in that implementation.
“I think with the organizations that have attempted to do it, they are seeing early successes and are happy with that. The vast majority of the market has not gotten their feet wet with DevSecOps practices yet,” Weeks continued.
Martinez claimed that from a survey of Evident.io’s customers, DevSecOps has been successful, but it is not without “its set of pain and tribulations.” He further explained that adopting DevSecOps is not an easy task unless the mindset is already there or there’s a management mandate in the organization.
According to Martinez, most of the pain points associated with DevSecOps are cultural. “DevOps is responsible for deploying product at speed,” said Martinez. “Security is responsible for managing security risk. Because of those conflicting mandates, DevOps usually sees security as a hindrance to speed while security usually sees DevOps as unruly and careless. Merging those competing interests is a difficult task for any organization to master, but given cross-pollination, DevSecOps can be achieved.”
In order to realize the full potential of DevSecOps, organizations should embrace, encourage, and mandate the change, said Martinez. According to Martinez, organizations need to include it as a part of normal operations. “The approach is similar to how organizations have adopted DevOps change: be intentional about blurring the lines,” he said.
“Before security was baked into DevOps or DevOps was in its own silo, the thoughts around security and the practices were very security-centric, they were not developer-centric,” Weeks explained. “They were very much built onto the development lifecycle versus built into the development life cycle. Security was seen as cops or police versus a partner that is collaborating with me along the way.”
Weeks explained that in order to successfully implement DevSecOps, developers need to be trained to be security people, not the other way around. Having developers in a security role allows them to have empathy for the development teams and the code that those teams build.
“I think this is part of how DevSecOps has evolved,” Weeks said. “We didn’t try to take diehard security professionals and convert them into DevSecOps. Converting developers into security folks does have a winning pattern associated with it for different organizations that have attempted it.”
The culture of DevSecOps has evolved since its creation, Martinez said. However, DevOps practitioners seem to want to embed only the security and compliance automation that they need to. Organizations need to get over the hurdle of embedding security purely for compliance reasons.
Martinez believes that DevSecOps has evolved to the point where teams are no longer just rolling their eyes when a compliance or security person comes around, but are actually trying to take on the challenge of making security part of their daily routine without letting it slow down their other work.
“I think the DevOps side of DevSecOps has definitely been much faster to respond and I think we’re starting to see, at least on our side, the cross-pollination on the security side where a lot of the agile practices are starting to fit over on the SecOps side,” said Martinez.
As companies get over the cultural challenges of blurring the lines between DevOps and SecOps, Martinez thinks that security being embedded into the DevOps toolchain “will become table stakes.”
Martinez predicts that vendors in the DevOps pipeline and security players will embrace DevSecOps, releasing tools and services that further the notion of security practices as second nature. He said that this is already happening in the industry with regard to compliance and security automation.
He also predicts that SecOps will see an influx of automation requirements being built into the discipline. He thinks that organizations will opt for an embedded DevSecOps role, similar to how DevOps became a role as opposed to a method.
“I think where it’s still being evolved is that just because an application is securely coded from the beginning, it doesn’t mean that that application is not going to become vulnerable or that there’s not going to be vulnerabilities discovered in it in the future,” Weeks said. “Once the applications that are developed securely move into production, how do we keep them secure over time? I know there are answers to that today. I think that’s going to be where we see the most evolution of DevSecOps and I think there are technologies like RASP (Runtime Application Self-Protection) that will come in that will help the applications in real time begin to mend themselves.”
Weeks predicted that another area that will come into play is the idea of chaos security, which means introducing continuous change into an environment to determine whether your security can keep pace with those changes. “We’re still in the very, very early days of applying chaos engineering and chaos security into DevSecOps, especially where it pertains to what’s running in production,” Weeks said.