What is DevSecOps and why is it important?

A glowing blue padlock disintegrates against a black background
(Image credit: Shutterstock)

To stand out against their competition, many organisations seek to roll out software updates more quickly and frequently so that they’re constantly responding to customer needs. In recent years, this has pushed forward the DevOps movement, which conjoins teams from software development and IT operations to streamline software and app creation and quickly implement updates or patches.

As efficient as DevOps is, however, it can be lacking on the security front. If you don’t build security into your software and apps from the start, you open your organisation up to a whole host of problems.

Security by design

DevSecOps is a solution to this, in which security is built into the development lifecycle. Security decisions are made at the same time as development and operational decisions, incorporating security into applications from the beginning rather than hastily applying it when issues arise.

The imperative for privacy and security by design has grown in urgency following the introduction of GDPR in 2018, which brought far tougher data protection measures and a greater emphasis on responsibility and transparency. According to Geoff Parkhurst, CTO of Vouchercloud, the risk to companies’ bottom lines has pressed them to implement security practices as high up the chain as possible,

Through a DevSecOps framework, security becomes a natural component of the development process. It’s also easier and cheaper for security measures to be built into the software from the beginning, and, by pre-empting breaches down the line, you achieve both improved security and customer satisfaction.

Keeping ahead of the criminals

Any company that wants to boost efficiencies and build secure software should use DevSecOps advises Derek Weeks, co-founder of the online community All Day DevOps. He notes that in the past decade the time between a vulnerability announcement and its exploits appearing in the wild have been crunched from 45 days to just three.

“For example, with the last major Struts vulnerability, multiple breaches occurred within three days of the vulnerability announcement at organisations including Equifax, Okinawa Power, GMO Payment Gateway and Canada Statistics. Teams that cannot deploy security updates within this timescale find themselves at significantly more risk of successful adversarial attacks.”

In Sonatype’s DevSecOps Community Survey, which asked nearly 6,000 IT professionals why they have implemented DevSecOps practices, Kayla Altepeter, a senior staff engineer at Merrill Corporation, said: “Security is important to us, yet if we take a traditional security approach our speed of development is severely slowed down. We need to be secure and move fast”.

This perfectly captures why DevSecOps matters, says Weeks. “It’s not just about automating. It’s about automating faster than evil.”

Implementing DevSecOps also gives businesses a chance to reassess who has access to what systems and information. As Schoenfeld points out, “despite how convenient it may be, it’s a really bad idea to allow everyone complete access to everything”. Companies need to use DevSecOps to limit access across the company so that only people who need privilege across the system can use it.

“This way enterprises can reduce the number of potential breaches, creating a more robust cyber security position,” he notes.

Downsides to DevSecOps?

Security does need to be built-in as part of the culture, but although DevSecOps certainly points business leaders in the right direction, Parkhurst believes it still needs time to reach maturity. He’s concerned that it’s become a buzzword, which could mean it turns into a box-ticking exercise allowing businesses to say they’re “doing” DevSecOps without it actually implementing it correctly.

“What I’ve seen – and this is a risk with any new buzzword-led process – is half-hearted adoption. The risk is that, instead of shifting security left, businesses just shift the person responsible for the security to the left…That’s always the risk with the latest ‘big thing’, that some well-meaning project manager or tech leader will try to push changes through without fully considering the ecosystem.

“The result is a security specialist now sitting closer to the start of the process. That’s certainly a slight benefit but the overall perception of security as a big stop sign for developers will still be a reality. It solves nothing.”

Culture change challenges

Then there’s the challenge of DevSecOps adoption, as this requires a complete cultural change within the business. This can be particularly difficult if companies already have a rigid development process and different security procedures in place, notes Schoenfeld.


The secure DevOps imperative

Research-based best practices


Liz Rice, chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee, advises that it’s important to empower employees and encourage them to adopt tools and processes that support their new style of working, especially in security, where the traditional tools are no longer sufficient. She points out that companies adopting DevSecOps must invest in significant education for staff, as these new tools and processes will also require their users to learn new skills.

“The transition is not simply a question of flipping a switch,” agrees Steven Furnell, a senior member of the IEEE and associate dean and professor of Information Security at the University of Plymouth. “It requires additional effort, such as ensuring staff are fully skilled or trained, and equipped with the necessary tools. As such it will require a culture change. As with many aspects of security there’s a price to pay but it should be seen as an investment rather than an overhead.”

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.