SecDevOps, the integration of security into development processes, has grown in prominence as an extension of the broader DevSecOps movement. Yet even though companies rank better integrated and automated application security as a top-three priority, they have put its implementation on the back burner: as of 2019 only 20% had embedded the practices in Development teams, up just 5% from 2017.
However, the rapid move to remote work due to COVID-19 has highlighted the need for SecDevOps, both for successful Application Security deployment and for the overall health of the Development release cycle, as companies accelerate transitions to the cloud to complete many DevOps initiatives. Enterprises increasingly say they prefer a shared Application Security model between Security and Development, but without appropriate automation many Development teams feel strained trying to own the day-to-day management of Application Security in their workflow, a challenge only compounded by the rapid move to work-from-home.
Development Is Getting Busier
After the novel coronavirus (COVID-19) became mainstream, it seemed like everything slowed to a halt, everything except Development. With developers constantly in motion to help their companies and customers meet the new normal, GitHub reports that developer activity has been at the same or higher levels as pre-COVID. That means they’re shipping more code to meet rapidly changing demands, but without well-integrated AppSec they can unintentionally introduce risk to the business. You don’t have to look further than the tool that became part of everybody’s daily lexicon to see how shipping quickly without SecDevOps can have unintended results.
SecDevOps helps AppSec and DevOps teams manage fluctuations in Development activity: its process automation ensures consistent deployment of Application Security policies, keeping teams in sync to prevent bottlenecks, and when conflicts do arise it streamlines the remediation and acceptance workflow. This also means teams no longer have to rely on the lengthy cushions between commit and release that Development and Security have often used to “fit” security into the release cycle, so they can get new features to market faster.
Work Cadence Has Shifted
As teams have shifted away from the hustle and bustle of office buildings and towards kitchen tables, armchairs or spare bedrooms, they have been forced to manage their Development cadence in new ways. With the standard 9-5 work schedule off the table, you can’t rely on the “human” factor of AppSec anymore. “What are the policies that should be applied?” “Does this pass AppSec controls to ship?” These are just some of the questions that used to be asked and answered in the course of a regular workday. But with employees settling into new schedules that allow them to be most productive in their personal and professional lives, waiting for these responses creates bottlenecks or, even worse, causes people to work around the application security standards.
SecDevOps gives Development teams the autonomy to manage AppSec in their workflow so that they aren’t held up by being on a different schedule from somebody else, whether they are looking for the right policy to implement for their project or trying to understand which vulnerabilities need to be remediated before the code can ship (and which ones can wait). This gives Project Managers a real-time line of sight into the security tasks and issues impacting their project, and into the timelines on which they need to be completed, without having to track down an AppSec Manager. And when the AppSec manager comes online, she immediately sees the priority tasks needed to keep the applications up to their security standards and help the Development team keep shipping.
Policy Deployment While Working Remote
When the world shifted from cubicles to kitchen tables, it led to a mass exodus of AppSec Policies overnight. But it was not as simple as just deploying new ones: without SecDevOps, Security and Development teams had no way to:
- Identify which projects were impacted by policy changes and notify stakeholders
- Understand how the changes impacted their overall Application Security health
- Continuously monitor new policy coverage and efficacy
With SecDevOps, Application Security starts at the beginning, at design, which not only tells Development teams what the right policies are but also keeps them up to date on the latest standards when policies change. This means AppSec managers aren’t chasing down PMs to inform them of changes and can spend their time helping teams meet the new standards, preventing new risk from being introduced to the business without disrupting Development velocity.
Real Bottom-line ROI
With the business disruption following COVID-19, enterprises across all industries are looking for ways to recapture lost dollars. This means doing more with what they already have: their employees and their tools. Without end-to-end integration into the SDLC, AppSec deployments often drag on productivity and struggle to demonstrate hard ROI. With SecDevOps, Development teams can capture productivity gains by proactively managing security as part of their workflow rather than waiting until code is already in production, where a fix can cost up to 100x more. Additionally, Project Managers get predictive analytics to plan for potential bottlenecks and de-risk project delivery.
The productivity gains for Security teams are significant as well: SecDevOps lets them keep their resources focused where help is needed most, with visibility into policy coverage and efficacy, and with the ability to easily update policies knowing they’ll be rolled out to the right projects in the constantly evolving environment of remote work. It also ensures they get full value from the tools they’ve invested in, with consistent deployment of their scanning schedule rather than leaving them as shelfware.
Burnout Is Real
The good thing about having to work from home is that you can work whenever you want. But since there is a surplus of work to do at the moment and sometimes fewer team members to do it, teams are at times overwhelmed, working from sunup to sundown. Although a surplus of work can signal more job security for some, that façade can slowly corrode over time and give way to burnout when there is no end in sight to the workload.
Burnout is always a big concern for Development and Security professionals, and one big contributor to it is working on non-functional requirements (e.g. boring clean-up tasks). SecDevOps enables AppSec Managers to spend their time on strategic tasks like improving policy efficacy and coverage, and being a strategic advisor to Development teams, rather than sorting through endless security test results and delivering bad news to Dev teams. And for Dev teams, better security integration into their pipeline means no surprises when it’s time to ship and better management of their security debt, freeing up time to work on the innovative features that drive the product and company forward.
Preparing For A Remote Work Future With SecDevOps
As companies prepare for on-going remote work, SecDevOps prevents business disruption due to AppSec – no matter how disrupted the business is. SecDevOps natively handles remote work as its focus on process automation ensures the consistent deployment of Application Security in the Development cycle and should be a part of any initiative to support the transition to distributed Development teams.
Once the merger of AppSec and DevOps teams is complete and the base layer of processes is in place, organizations can become much more agile and efficient without sacrificing security. This is a future that many organizations can adapt to if they use the many positives of SecDevOps to start collaborating in a whole new (remote) way. In this way, SecDevOps allows teams to keep pushing boundaries in their industry even when boundaries to physical collaboration are clearly a part of the short-term equation.