Tech in Motion recently brought together leaders of the DevSecOps industry to discuss this rapidly growing sector and its impact on the tech industry at large at its latest event: DevSecOps: The Future of DevOps with Security. Joining Tech in Motion at the event were Moderator Jason Baum, Director of Member Experience at DevOps Institute | Host of the Humans of DevOps Podcast, and panelists Mandi Walls, DevOps Advocate at PagerDuty; Jamal Walsh, Solutions Architect at PHMG; and Kapil Bareja, Global Technical Leader at Saviynt.
Read some of their key insights below and then watch the full webinar to hear the panel's in-depth comments: DevSecOps: The Future of DevOps and Security.
DevSecOps in 2022: 6 Key Insights to Know
Cybercrime on the Rise
In the last few years, cybercrime has made a significant shift from targeting individuals to small businesses, major corporations, governments, and critical infrastructures. Interpol has reported that when COVID 19 hit in 2020, its member countries reported a 60% rise in phishing and scam fraud.
This has occurred in conjunction with the rise in popularity of digital transformations, cloud technologies, AI, automation, and other critical digital technologies, which are often the targets of such attacks.
As security breaches have increased, more and more companies want to adopt countermeasures by making the security phase of software development easier, faster, and more robust.
What is DevSecOps and Why is it So Important?
In a world where development cycles have been shortened from years to weeks for many projects, it is no longer feasible to have application and infrastructure security worked on at the very end of the project. There are too many risks and dangers in waiting this long.
DevSecOps is the evolution of DevOps, and as its name implies involves the integration of security from the beginning, not the end of the dev cycle.
Baum noted that having security worked on at the start of the development cycle, security is built into the app and not just a gate surrounding it. He continued, talking about how adding the “Sec” into the development process doesn’t just mean adding a security person to your team but also having developers code with security in mind. Additionally, Baum recommended those with a security background be heard throughout the development process and should always be part of any risk-benefit analysis.
By evolving teams from DevOps to DevSecOps, companies can make projects more efficient in the long term for development and safer for their customers when launched.
How Security fits into the DevOps landscape
Walsh said that security should be embedded from the moment you think about developing some software. “The old way of doing things was developing something, getting it live, and then doing test and remediation once you got it live. We now know that is too late in the process. That’s why this concept of Shift Left has evolved.”
He added that companies should not take their eyes off the security ball even after launch. “Cyber crimes happen on websites as BOTs get more advanced, so analyzing your website is just as important as shifting left.”
Bareja agreed and said that there have been a lot of security breaches and incidents after cloud migrations have been completed.
The Need to Eliminate Silos
Walsh dismissed the idea of some organizations promoting siloed DevSecOps teams. “That goes against the whole principle of DevOps. It’s really important to embed the knowledge and skills within the multidisciplinary teams. You cannot just spin up a DevSecOps team and assume everything is going to be secure. There is so much more to it than that,” he said.
He noted that the extra workload is something to be concerned with. “There is so much engineers have to take on these days. From toolsets, languages, and security the cognitive load is absolutely immense. Leaders need to bring people in to support those teams or give those people “space” to absorb the new tools and learn the new skills. If people aren’t given the space to do that there is no way you will succeed.”
Bareja agreed. “No question that adding in security requirements means increasing technical debt. The cognitive overload aspect is very important."
Walls said security teams need to take on the role of coaches and internal consultants. “I think there is a real shift there from security teams being there to certify application before it goes into production, to being more of an internal consultant helping application development teams with secure coding practices with libraries, with good container practices, with scanning software, whatever practices help them get into production faster in an approved manner,” she said.
She noted that using Compliance as Code techniques will help magnify the impact of the security team and validate that code is being built correctly.
Building a DevSecOps Culture
Walsh added that companies need to build an “Agile-like” culture of having that security mindset in every step. “It’s about being lean and nimble. There are things like threat modeling that you can do really early on in designs. As soon as you get an idea, you can identify threats and do risk analysis around those threats. So, you mitigate them before you even write a line of code, “he said.
Bareja noted that collaboration, one of the pillars of Agile culture, is important here also. “People, processes, governance, and technology. Teams need to develop a vision for intersecting roles and shared responsibility. Their journey goes on to address deficiencies and provide visibility.”
Walls added that teams need to understand the adoption of operational requirements into the app dev process. “What does it mean to have this code I have written be performant when it is in front of a customer. Now we are encompassing all the user needs. They are just assuming it will be secure and will be disappointed when it is not. Worse, your company’s security breach will be featured on the front page of the New York Times,” she said.
Maintaining Security is a Never-ending Battle
Walsh said it is shortsighted to think you can just put some tools in place and you are now practicing DevSecOps and you can complete DevSecOps. “You can never complete DevSecOps. You need to develop a Kaizen mindset, with continuous improvement built in Bad actors are going to continuously change their game. You have to continuously improve too.”
Walls agreed. “So much of baseline security is like personal hygiene,” she said. “You are not going to brush your teeth today, and just say you don’t have to do it anymore. Keeping up with new packages and new vulnerabilities is a mandatory baseline.”
These are only a few of the highlights of Tech in Motion’s latest event on DevSecOps, to watch the full webinar click here, and make sure to bookmark Tech in Motion’s Event Page to stay up to date on the latest webinars!