DevSecOps has been a buzzword for a while now, but there is still debate about the right way to approach it in practice. Especially among development teams, there is constant noise around the definition of DevSecOps and what it really means for an organization.
Let’s start with a few short definitions:
- DevOpsSec – integration of security after development
- DevSecOps – integration of security into development testing
- SecDevOps – integration of security into development processes
Security is no longer a siloed responsibility but a critical element of application delivery. The problem now is the DevSecOps “hairball” that results from too many tools and too many people involved at every step of the pipeline. The average organization today runs between 25 and 49 security tools from up to 10 different vendors. As the DevOps tool chain has proliferated, so have the tools meant to secure it. Unfortunately, most of them are point solutions rather than a single tool that handles the process end to end. This leaves organizations inundated with data but with little or no actionable information to inform their decisions. To cut through the DevSecOps noise, organizations need to focus on three elements: people, processes and tools.
Contrary to Facebook’s mantra to “move fast and break things,” good development is about moving efficiently and fixing things at the right time. DevOps transformation is about removing bottlenecks and using natural processes to translate stringent (and often highly technical) guidelines into something actionable. Effective security isn’t just about reducing cyber risk; it is also about improving productivity and efficiency. This starts by bringing security into the developer’s realm and integrating it into the organization’s culture. Security must be part of the strategic mission and easy for developers to absorb as a natural part of their job, rather than an added hurdle.
With the team on board, organizations need to provide security and risk frameworks that put all the available data in context so it yields actionable insights. This could include a release checklist that sets tolerable limits for shipping new code: for instance, which policies must have been followed and which vulnerabilities must have been fixed before release. Giving people a framework through which to view this data turns it into information that can be acted on, which is what effective DevSecOps depends on.
Lastly, integrated testing tools are critical to deploying security at speed. Tools shouldn’t just produce data; they should help transform that data into actionable information. This piece depends on the people and processes already in place to be truly effective.
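As an added illustration of the release checklist and of tools turning data into actionable information (example code written for this page, not from the original article or any particular product): the scanner output formats, field names, advisory IDs, file paths, policy thresholds and dates below are constructed assumptions. The gate normalizes findings from two differently shaped scanners into one model, drops duplicates, honours time-limited risk acceptances, and blocks the release when a severity count exceeds policy or a required check did not run. Its output is a list of what to fix rather than a raw dump of findings.

```python
"""Release gate: raw scanner output in, ship/no-ship decision and fix list out.

Added example; the tool schemas, IDs and thresholds are constructed assumptions,
not any real product's format. Real tools (SARIF, CycloneDX, ...) differ.
"""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
TODAY = date(2024, 1, 1)  # fixed "today" so the example is deterministic


@dataclass(frozen=True)
class Finding:
    tool: str
    severity: str
    identifier: str  # rule id, CWE or advisory id
    location: str    # file:line or package coordinate


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3 base score to its standard qualitative rating."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def normalize_sast(output: dict) -> list:
    """Hypothetical SAST schema: results[] with rule/level/file/line."""
    return [Finding("sast", r["level"].lower(), r["rule"], f'{r["file"]}:{r["line"]}')
            for r in output["results"]]


def normalize_deps(output: dict) -> list:
    """Hypothetical dependency-scanner schema: vulnerabilities[] with advisory/cvss/package."""
    return [Finding("dependency_scan", cvss_to_severity(v["cvss"]), v["advisory"], v["package"])
            for v in output["vulnerabilities"]]


def dedupe(findings: list) -> list:
    """Collapse the same (identifier, location) reported more than once."""
    seen, unique = set(), []
    for f in findings:
        if (f.identifier, f.location) not in seen:
            seen.add((f.identifier, f.location))
            unique.append(f)
    return unique


@dataclass
class GateResult:
    passed: bool
    blocking: list        # findings that must be fixed, most severe first
    waived: list          # findings covered by an unexpired risk acceptance
    missing_checks: list  # required scans that did not run


def evaluate(findings, checks_run, policy, exceptions, today) -> GateResult:
    waived, open_findings = [], []
    for f in dedupe(findings):
        expiry = exceptions.get((f.identifier, f.location))
        if expiry is not None and expiry >= today:
            waived.append(f)
        else:
            open_findings.append(f)  # no acceptance, or an expired one: still counts
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in open_findings:
        counts[f.severity] += 1
    over_limit = {s for s, limit in policy["max_open"].items()
                  if limit is not None and counts[s] > limit}
    blocking = sorted((f for f in open_findings if f.severity in over_limit),
                      key=lambda f: SEVERITY_RANK[f.severity])
    missing = sorted(policy["required_checks"] - set(checks_run))
    return GateResult(not blocking and not missing, blocking, waived, missing)


# Constructed sample input: two tools, two schemas, one duplicate finding.
SAST_OUTPUT = {"results": [
    {"rule": "CWE-89", "level": "HIGH", "file": "app/db.py", "line": 42},
    {"rule": "CWE-79", "level": "MEDIUM", "file": "app/views.py", "line": 17},
    {"rule": "CWE-89", "level": "HIGH", "file": "app/db.py", "line": 42},  # duplicate
]}
DEPS_OUTPUT = {"vulnerabilities": [
    {"advisory": "ADVISORY-1", "cvss": 9.8, "package": "libfoo@1.2.3"},
    {"advisory": "ADVISORY-2", "cvss": 5.3, "package": "libbar@0.9.0"},
]}
POLICY = {"max_open": {"critical": 0, "high": 0, "medium": 10, "low": None},
          "required_checks": {"sast", "dependency_scan", "secret_scan"}}
EXCEPTIONS = {  # accepted risks with an expiry date (constructed)
    ("CWE-79", "app/views.py:17"): date(2099, 1, 1),  # still valid
    ("CWE-89", "app/db.py:42"): date(2000, 1, 1),     # expired, so it counts again
}


def run_gate(checks_run=("sast", "dependency_scan"), today=TODAY) -> GateResult:
    findings = normalize_sast(SAST_OUTPUT) + normalize_deps(DEPS_OUTPUT)
    return evaluate(findings, checks_run, POLICY, EXCEPTIONS, today)


if __name__ == "__main__":
    result = run_gate()
    print("PASS" if result.passed else "BLOCK")
    for f in result.blocking:
        print(f"  fix: [{f.severity}] {f.identifier} at {f.location} ({f.tool})")
    for check in result.missing_checks:
        print(f"  run: {check}")
```

Run as-is, it blocks the release, lists the critical advisory and the (no longer waived) SQL-injection finding as the two things to fix, and reports that the secret scan never ran; the XSS finding is shown as waived. The point is that the decision and the to-do list come from the policy, not from whichever tool happened to be loudest, and that an expired acceptance quietly turns back into a blocker.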
A SecDevOps approach focuses on making security a natural part of development processes, rather than fighting for integration. Taking advantage of artificial intelligence (AI) and machine learning (ML), automated governance, and SecDevOps infrastructure, organizations can avoid the “hairball” by deploying security as a practical part of development. With this integrated approach, development teams can categorize, implement, assess, authorize and monitor security processes by leveraging the available data within a logical framework.