Brittany Greenfield
January 27, 2021
This article first appeared on VMBlog.
The shift to remote work in 2020 moved digital transformations into high gear. However, as organizations eye the finish line, they realize the bottlenecks they removed to streamline development operations are just being replaced with new ones created due to security not being integrated into their workflows. 2021 will put SecDevOps at the top of every organization’s must-do to realize the full benefits of their digital transformation.
By automating their application security program in tandem with the existing development workflow, enterprises will realize that secure development operations are not just about reducing cyber-risk, but overall business risk. This leads to improving efficiency, reducing time-to-market, and accelerating revenue through de-risked project delivery.
Agile Development – don’t confuse speed with efficiency
In the same breath, don’t move fast and break things. Move efficiently, and fix what’s most important. Somewhere in the Agile movement, efficiency became confused with speed. This meant that security often got left by the wayside as it was seen as an impediment to shipping fast. Yet over time, “fixing later” became a drag on backlogs and delivery schedules – a complete contradiction to the principles of Agile development.
In 2021, Agile teams will recalibrate to include security as part of their processes so they’re doing the right security work at the right time. This means beginning security in design through project and feature level policy assignment. This will then enable teams to include security in their definition of “working software” and understand what security issues must be fixed before release and what can be added to the backlog, to maximize work done each sprint. Furthermore, it will then allow them to collaborate with their security teams to continually iterate on the application security program to meet the development team’s needs and the overall business. By adding security as a tribe – the SecDevOps tribe – enterprises can deliver more secure code without sacrificing velocity or agility.
Everybody is on the same tribe…finally.
While Engineering, Product, and Operations have been unified as part of the DevOps movement, it’ll be 2021 when Security finally joins the team and becomes a tribe. As the policies and controls Security defines become part of the product requirements, Security will become embedded into DevOps workflows to become part of the acceptance criteria for work items in development and operations at every step of the SDLC. This is not just about operations embedding security tools into their continuous integration and deployment, but rather a full end-to-end integration of the processes through Secure DevOps (SecDevOps) orchestration. This keeps the team focused on winning the game of shipping quality products to market in a timely and efficient manner.
Everybody-led Security
We’ve tried Developer-led Security, Security-led Security, and we’ve tried Ops-led Security, yet there’s still no real winner in “how to do DevSecOps.” This is because while these are all important parts of a successful strategy, they continue to silo the responsibility – and problems – at different places in the SDLC.
2021 will be the year that organizations begin to deploy security as part of development by unifying the processes through secure development operations (SecDevOps). SecDevOps focuses on process automation – not just embedding tooling in the middle of DevOps – to improve collaboration across all groups through transparency and accountability. This means Security has the confidence to know that their program is being followed – and when it isn’t – while Development and Operations get the autonomy to manage security as part of their existing workflow. The shared-responsibility model of SecDevOps allows Sec, Dev, and Ops to produce better and more secure products faster while continually meeting the overarching needs of the business – not just to reduce cyber-risk, but also product, brand, personnel, and revenue risk.
ABS: Always Be Securing
The adoption of continuous delivery became a natural extension of the Agile and DevOps transformations of the last decade, yet the adoption of CI/CD pipelines further siloed security as their processes failed to keep up. As organizations continue to evolve their continuous delivery processes in 2021, they will finally include security through SecDevOps orchestration, which ensures a repeatable and reliable execution of the security processes at every step of the SDLC by leveraging automation to scale the program at speed.
With SecDevOps, security becomes part of building-in quality from the start so all teams know what the definition of “done” is, which is not about producing perfectly secure code, but understanding each individual application’s security profile to prevent and fix the most important security issues early. By continually managing security practices, policies, and debt in existing CI/CD pipelines, SecDevOps orchestration ensures that all teams – Sec, Dev, and Ops – have the information they need at every step of development to share responsibility in delivering secure software.
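The project-level policy assignment and per-application “definition of done” described in the two sections above can be expressed as policy-as-code. The following is an added illustration, not code from the article or from Wabbi; the policy names, rule ids, severities and thresholds are all constructed for the example.

```python
"""Per-application security release gate (constructed example)."""
from dataclasses import dataclass, field

# Severity ordering used to compare a finding against a policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Policy:
    """Security profile assigned to a project (or feature) at design time."""
    name: str
    block_at: str                  # findings at or above this severity block release
    max_backlog_age_days: int      # accepted security debt older than this must be fixed
    exempt_rules: set = field(default_factory=set)  # rule ids accepted as risk for this app


@dataclass
class Finding:
    """One scanner result, with how long it has already sat in the backlog."""
    rule_id: str
    severity: str
    age_days: int = 0


def evaluate(policy, findings):
    """Split findings into release-blocking, backlog and accepted buckets per the policy."""
    blocking, backlog, accepted = [], [], []
    threshold = SEVERITY_RANK[policy.block_at]
    for f in findings:
        if f.rule_id in policy.exempt_rules:
            accepted.append(f)                       # documented, accepted risk
        elif SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)                       # must be fixed before release
        elif f.age_days > policy.max_backlog_age_days:
            blocking.append(f)                       # backlog debt that is now overdue
        else:
            backlog.append(f)                        # tracked, fix in a later sprint
    return {"release_ok": not blocking, "blocking": blocking,
            "backlog": backlog, "accepted": accepted}


# Constructed sample: the same scan results evaluated against two different application profiles.
PAYMENTS = Policy("payments-api", block_at="high", max_backlog_age_days=30)
INTERNAL = Policy("internal-dashboard", block_at="critical", max_backlog_age_days=90,
                  exempt_rules={"verbose-logging"})
SAMPLE_FINDINGS = [
    Finding("sql-injection", "high", age_days=0),
    Finding("weak-tls-config", "medium", age_days=45),
    Finding("verbose-logging", "low", age_days=2),
]


def demo():
    """Return the gate decision for each sample application."""
    return {p.name: evaluate(p, SAMPLE_FINDINGS) for p in (PAYMENTS, INTERNAL)}
```

The same three findings block the payments service (one by severity, one as overdue debt) but let the internal dashboard ship with two items on its backlog and one accepted exemption.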
Serverless doesn’t mean Security-less
The accelerating adoption of serverless technologies in 2021 is a prediction in itself. However, it is not just that early-adopter enterprises will begin to integrate these into their architectures; all will begin to prepare for the implications of serverless in their environments, with security being the first item to tackle. While serverless promises to be easier to secure, we cannot expect it to be the only architecture in any enterprise, as most have to support legacy systems across all architectures and deployment strategies. Consequently, the move to serverless needs to be treated as just one additional application profile. This will force the adoption of solutions that can extend the security, deployment, and support workflow across any application architecture, agnostically.
The best-in-class performers will deploy SecDevOps solutions today that are future-proofed to pull in the right CI/CD, security, and operations tool sets no matter how the specific architectures they need to support change.
About the author:
Brittany Greenfield founded Wabbi to enable security to become a normal part of today’s development operations. As CEO, she has led the organization to be a pioneer in the field of Secure DevOps, recognized by CIOReview as one of the Most Promising DevOps Solutions. A Duke undergraduate and MIT Sloan MBA, she is recognized as a leader in enterprise technology for identifying new markets and building the teams and strategies to capture them, at companies including NetSuite, Kronos, Cisco, & Cybereason. She is active in her communities, serving on the Board of Directors of MassTLC and the Vilna Shul, as well as Co-Chair of the Duke Young Alumni Council and Boston Ballet Young Partners Council.