The security measures used to protect and secure technology are becoming more complex.
Existing security issues are ever-present and evolving, and new problems continuously emerge, calling for increasingly advanced cybersecurity measures – DevSecOps being one of them.
DevSecOps refers to the practice of simultaneously addressing security, development, and operations throughout an application’s entire lifecycle.
“Data security considerations are addressed throughout the pipeline instead of just at the end,” said Meredith Bell, CEO of DevSecOps platform company AutoRABIT.
“This is to ensure that security vulnerabilities are found and addressed with the same quality, scale and speed as development and testing processes,” as well as to help assure that every update supports a stable system, he said.
Mike O’Malley, SVP of strategy for IT services company SenecaGlobal, agreed that “it means thinking about application and infrastructure security from the start.”
The efforts of cybersecurity and software development are combined, he said, so that security is integrated into every phase of the software development lifecycle – from initial design through integration, testing, deployment and software delivery.
In some cases, companies are incorporating security measures even earlier in the development cycle – a sort of “pre-step before devops,” or as O’Malley called it, “PlanSecOps.”
“So, security is not only being built in during the development, it’s being built into frameworks even before (developers) begin to code,” he said.
DevSecOps’ overlap with devops
Still, there is no industry standard definition or approach to DevSecOps, said Gartner VP analyst George Spafford – making it much like devops, the practice from which it derives.
The term “devops” was coined about a decade ago for the practice of combining software development with IT operations in order to speed up systems development and deliver high-quality software. Devops is part of agile, and involves dividing projects into multiple phases that allow for continuous collaboration and improvement.
As Spafford noted, “DevSecOps is still devops, but it is explicitly stating that Information Security must be collaborated with, and the needed controls to mitigate risk must be factored in.”
The advantages are the same as devops, assuming organizations factor in “all of the stakeholders” – that is, the improved capability to deliver customer value at the cadence/speed the customer needs while managing risk.
When combined, agile development and devops/DevSecOps are powerful, particularly when it comes to AI.
Still, “it shouldn’t be pursued solely because it seems like a good idea. People should use devops/DevSecOps where it makes sense, where there is a need,” Spafford said.
Particularly compared to the waterfall methodology – a linear approach to project management in which each stage must be completed before moving on to the next – agile is beneficial in situations where there is ambiguity about needs or rapid change is occurring. Waterfall’s Achilles’ heel, Spafford said, is that users must identify requirements up front, when needs are the least understood. This means that project plans are created with a great deal of work and many dependencies built in.
Agile allows developers to focus their efforts on customer outcomes and perform regular releases with “the backlog of features being groomed to reflect the latest lessons learned,” Spafford said.
“This is a powerful approach because it enables a step curve delivery of customer value, learning and continual improvement,” Spafford said.
However, organizations should also consider the drawbacks. Spafford said that these can be addressed but must be taken into consideration from the beginning and throughout the entire process.
And ultimately, devops and DevSecOps “are not a progression that you start with one and then move to the other,” Spafford said. “In either case, start small, learn, improve, demonstrate value and grow the footprint.”
Growing adoption and concept
DevSecOps’ adoption is growing as security vulnerabilities rise.
Emergen Research estimates that the global DevSecOps industry will reach $23.42 billion in 2028. That represents a significant 32.2% compound annual growth rate (CAGR) from $2.55 billion in 2020.
Global Market Insights estimates that the devops market will grow more than 20% from 2022-2028. According to the firm, this segment will grow from approximately $7 billion to more than $30 billion in the next five years.
Emergen reports that a growing need for repeatable, adaptive processes, custom code security, and automated monitoring and testing is driving this growth. At the same time, a growing number (and iteration) of platforms and tools are emerging – from the likes of Unisys, Kryptowire, Red Hat, and Rackner.
Increased protection in an ‘ugly’ landscape
“DevSecOps is no longer an option – it is a necessity,” Bell said. Likewise, “security is not an afterthought.” Rather, it should be integrated at every phase of the devops development cycle.
O’Malley agreed, pointing out that the common practice has been to tack security onto software at the end of the development cycle.
This wasn’t a significant issue until new development practices, including agile and devops, became ever more prevalent as a means to shorten development cycles, he pointed out. With that adoption, security work was frequently delayed, or omitted entirely, in order to push out new features to clients. Thus, further security gaps were created.
DevSecOps is “becoming even more critical,” O’Malley said, underscoring that, “It’s ugly out there in security.”
Hackers have become smarter and more sophisticated, O’Malley said. They are developing new methods to bypass multifactor authentication through access points in public clouds, apps, mobile and IoT devices; to directly target organizations and force them to pay ransom; and to use so-called “stalkerware” apps to record conversations, location and everything a user types, “all while camouflaged as a calculator or calendar.”
He also mentioned the mainstreaming of cloud computing. Gartner has predicted that 70% of enterprise workloads will be deployed to the cloud by 2023, up from 40% in 2020. What’s more, businesses across industries are expected to have at least nine different cloud environments by 2023.
CloudSecOps is difficult to manage because of the complexity of hosting data and apps in multiple places. And while it has numerous benefits – not the least of which are cost and flexibility – the cloud also opens more entry points. Organizations have larger areas to secure, and with access not limited to physical location, “anyone and everyone is a potential threat,” O’Malley said.
Attackers could use third-party apps and employee credentials to gain access. This increases the need for modern cybersecurity measures.
The shift to remote work and continuous digital transformation have increased organizations’ vulnerabilities, Bell pointed out. Companies can adapt without being attacked by using secure apps and continuous updates.
“Companies that deploy DevSecOps solutions will experience fewer fire drills in later stages and deliver safer, higher quality code,” Bell said. “Pushing a development project through production and creating technical debt is a recipe for disaster.”
Achieving ‘cyber resiliency’
Bell stated that proper tooling is essential for protection.
Automated release management should be a key part of any DevSecOps strategy. This is the process of planning and working through the application development pipeline – from the earliest preparation stages, to development, to testing, to deployment, to continued monitoring after release.
Bell stated that continuous integration and continuous deployment (CI/CD) tools can be used to improve testing processes and identify potential areas for attack before they reach production. Data backup tools can be used to automatically route data to the right location and maintain a consistent interface between employees and customers.
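The pipeline described above, in which security findings are surfaced and acted on before anything reaches production, can be made concrete as a release gate. The following is an added example, not code from the article or from AutoRABIT or SenecaGlobal: a small Python model of a CI/CD pipeline whose security-gate stage evaluates scanner findings against a policy and skips the deploy stage when the policy is violated. The stage names, the severity thresholds in POLICY, the tool labels and the sample findings are all assumed or constructed for illustration.

```python
"""Added example: a CI/CD security gate that blocks deployment when scanner
findings exceed an assumed policy. Not part of the original article."""
from collections import Counter
from dataclasses import dataclass, field

# Assumed example policy: how many findings of each severity may remain before
# the deploy stage is blocked. "low" is not listed, so it never blocks a release.
POLICY = {"critical": 0, "high": 0, "medium": 5}

# Pipeline stages in order (assumed names). The security gate sits before
# deploy so that findings are caught before they reach production.
STAGES = ["build", "unit-test", "security-gate", "deploy", "monitor"]


@dataclass
class Finding:
    tool: str       # which scanner reported it (labels such as "sast" are assumed)
    severity: str   # critical / high / medium / low
    location: str   # file path, package name, or config key
    message: str


@dataclass
class GateResult:
    passed: bool
    counts: dict                                   # findings per severity
    blocking: list = field(default_factory=list)   # findings that caused failure


def evaluate_gate(findings, policy=POLICY):
    """Compare findings against the policy; any severity over its limit fails the gate."""
    counts = Counter(f.severity for f in findings)
    blocking = []
    for severity, limit in policy.items():
        if counts.get(severity, 0) > limit:
            blocking.extend(f for f in findings if f.severity == severity)
    return GateResult(passed=not blocking, counts=dict(counts), blocking=blocking)


def run_pipeline(findings, stages=STAGES):
    """Return the stages that ran; everything after a failed gate is skipped."""
    executed = []
    for stage in stages:
        executed.append(stage)
        if stage == "security-gate" and not evaluate_gate(findings).passed:
            break  # deploy and monitor never run for this build
    return executed


# Constructed sample findings, shaped like what SAST and dependency-scan
# steps might emit. Package name and locations are made up.
SAMPLE_FINDINGS = [
    Finding("sast", "high", "src/login.py:42", "SQL query built from user input"),
    Finding("dependency-scan", "critical", "example-lib==1.2.3", "version flagged by advisory feed"),
    Finding("sast", "low", "src/util.py:7", "broad exception handler"),
]

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_FINDINGS)
    print("gate passed:", result.passed, "counts:", result.counts)
    for f in result.blocking:
        print(f"  BLOCK [{f.severity}] {f.tool}: {f.location} - {f.message}")
    print("stages run:", run_pipeline(SAMPLE_FINDINGS))
```

Running the block with the constructed findings fails the gate on the critical and high findings and stops the pipeline after `security-gate`; with an empty findings list every stage runs. The point of keeping the policy as data rather than hard-coding thresholds in the scanner step is that the same gate can be reused across projects and tightened over time without changing pipeline code.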
Protection also comes down to helping employees become more “cyber resilient.”
From communicating best practices such as updated user permissions, to implementing strong passwords, to reinforcing the ability to spot phishing attempts, Bell underscored that “open communication is key to success.”