IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What is DevSecOps and why is it important?

This new flavour of DevOps is helping organisations rapidly implement security by design

To stand out against their competition, many organisations seek to roll out software updates more quickly and frequently so that they’re constantly responding to customer needs. In recent years, this has pushed forward the DevOps movement, which conjoins teams from software development and IT operations to streamline software and app creation and quickly implement updates or patches.

As efficient as DevOps is, however, it can be lacking on the security front. If you don’t build security into your software and apps from the start, you open your organisation up to a whole host of problems.

Security by design

DevSecOps is a solution to this, in which security is built into the development lifecycle. Security decisions are made at the same time as development and operational decisions, incorporating security into applications from the beginning rather than hastily applying it when issues arise.

The imperative for privacy and security by design has grown in urgency following the introduction of GDPR in 2018, which brought far tougher data protection measures and a greater emphasis on responsibility and transparency. According to Geoff Parkhurst, CTO of Vouchercloud, the risk to companies’ bottom lines has pressed them to implement security practices as high up the chain as possible,

Through a DevSecOps framework, security becomes a natural component of the development process. It’s also easier and cheaper for security measures to be built into the software from the beginning, and, by pre-empting breaches down the line, you achieve both improved security and customer satisfaction.

Keeping ahead of the criminals

Any company that wants to boost efficiencies and build secure software should use DevSecOps advises Derek Weeks, co-founder of the online community All Day DevOps. He notes that in the past decade the time between a vulnerability announcement and its exploits appearing in the wild have been crunched from 45 days to just three.

“For example, with the last major Struts vulnerability, multiple breaches occurred within three days of the vulnerability announcement at organisations including Equifax, Okinawa Power, GMO Payment Gateway and Canada Statistics. Teams that cannot deploy security updates within this timescale find themselves at significantly more risk of successful adversarial attacks.” 

In Sonatype’s DevSecOps Community Survey, which asked nearly 6,000 IT professionals why they have implemented DevSecOps practices, Kayla Altepeter, a senior staff engineer at Merrill Corporation, said: “Security is important to us, yet if we take a traditional security approach our speed of development is severely slowed down. We need to be secure and move fast”.

This perfectly captures why DevSecOps matters, says Weeks. “It’s not just about automating. It’s about automating faster than evil.”

Implementing DevSecOps also gives businesses a chance to reassess who has access to what systems and information. As Schoenfeld points out, “despite how convenient it may be, it’s a really bad idea to allow everyone complete access to everything”. Companies need to use DevSecOps to limit access across the company so that only people who need privilege across the system can use it. 

“This way enterprises can reduce the number of potential breaches, creating a more robust cyber security position,” he notes. 

Downsides to DevSecOps?

Security does need to be built-in as part of the culture, but although DevSecOps certainly points business leaders in the right direction, Parkhurst believes it still needs time to reach maturity. He’s concerned that it’s become a buzzword, which could mean it turns into a box-ticking exercise allowing businesses to say they’re “doing” DevSecOps without it actually implementing it correctly.

“What I’ve seen – and this is a risk with any new buzzword-led process – is half-hearted adoption. The risk is that, instead of shifting security left, businesses just shift the person responsible for the security to the left…That’s always the risk with the latest ‘big thing’, that some well-meaning project manager or tech leader will try to push changes through without fully considering the ecosystem. 

“The result is a security specialist now sitting closer to the start of the process. That’s certainly a slight benefit but the overall perception of security as a big stop sign for developers will still be a reality. It solves nothing.” 

Culture change challenges 

Then there’s the challenge of DevSecOps adoption, as this requires a complete cultural change within the business. This can be particularly difficult if companies already have a rigid development process and different security procedures in place, notes Schoenfeld.

Related Resource

The secure DevOps imperative

Research-based best practices

Download now

Liz Rice, chair of the Cloud Native Computing Foundation’s (CNCF) Technical Oversight Committee, advises that it’s important to empower employees and encourage them to adopt tools and processes that support their new style of working, especially in security, where the traditional tools are no longer sufficient. She points out that companies adopting DevSecOps must invest in significant education for staff, as these new tools and processes will also require their users to learn new skills

“The transition is not simply a question of flipping a switch,” agrees Steven Furnell, a senior member of the IEEE and associate dean and professor of Information Security at the University of Plymouth. “It requires additional effort, such as ensuring staff are fully skilled or trained, and equipped with the necessary tools. As such it will require a culture change. As with many aspects of security there’s a price to pay but it should be seen as an investment rather than an overhead.”

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022