When delivering customer experiences from the cloud, defending the app includes the data it houses and the business it represents.
The DevSecOps mindset, “You build it, you run it, you secure it” helps, but only when all teams are empowered with the info they need to see a threat, regardless of where it is. While DevSecOps isn’t a new concept — it dates back to the 70s— a DevOps.com survey of technical practitioners found that nearly a third of respondents don’t know what DevSecOps is.
Further, with the rise of security incidents, the need to be more agile, and digital now business-critical an increasing number of organizations are looing to adopt DevSecOps programs. And yet, there’s an ongoing shortage of cloud security personnel and skills limiting progress. With a lack of developer and engineer buy-in, organizational silos between development, operations, and security remain a challenge. But despite these setbacks, now may be the time to go all-in on the adoption of DevSecOps principles and practices to bake security into the software development lifecycle (SDLC)––we gathered a panel of experts for a DevOps Insight Forum panel discussion to discuss why:
Sean Davis, Chief Security Architect at NielsenIQ, a global information services company providing the most complete and trusted view of consumers and markets in 90 countries.
Anaïs Urlichs, open source developer advocate at ARA Security, a multi-discipline security integrator to prevent harm and safeguard your operations.
Mitch Ashley, Principal with Techstrong Group research analyst firm that covers IT industries and practices that are reshaping the world of technology.
George Gerchow, Chief Security Officer at Sumo Logic.
Bruno Kurtic, Co-Founder and Head of Strategy at Sumo Logic.
What is DevSecOps?
A DevOps.com survey of more than 1,000 technical practitioners found that the majority (62.5%) of respondents say it is, “A cultural shift to promote shared ownership of security outcomes.”
Urlich sees it differently, in terms of the end-user experience, defining it as, “The process of ensuring that your customers never have to care about the security state of your application.”
What is the primary focus of DevSecOps?
Even as DevSecOps is rapidly becoming the main development method used by organizations of all sizes, there is no consensus on what its primary focus should be.
DevSecOps is often tied to continuous integration/continuous deployment (CI/CD) for the sake of customers, with pressure to roll out features as soon as possible. But this can conflict with security objectives to ensure that customers aren’t put at risk.
Knowing this potential for conflict, Urlichs says, “It depends on your background and what you’re working on. For example, the open source engineers that I’m mostly working with would focus on the pipeline stages, and not compliance.”
One way to look at it is governance/risk/compliance is why DevSecOps is necessary, the SDLC pipeline is part of how DevSecOps enhances application security, and operational concerns are the feedback loop for continuous optimization.
After all, nearly every organization today relies on key applications running on complex multi-cloud environments to transact business and enable users to work. It is critical to ensure that those applications are running optimally.
What is the most critical aspect of DevSecOps?
Like the previous question, there is no clear consensus on what the most critical aspect of DevSecOps is. For many organizations that may be newer to DevSecOps, breaking down silos between disparate groups is most critical by default. As the other options in this poll depend on full visibility across teams.
But, perhaps, as Davis notes, the answer is a bit more nuanced. “People talk about breaking down silos all the time, but you know what I don’t hear often is people talking about building bridges,” he says.
Ashley agrees, adding, “There is a school of thought that says, because we’re preventing the organization from doing something they shouldn’t do, we need to maintain that separation of duties separate, but it’s a lot less now.”
And indeed, survey data from DevOps.com, indicates that this school of thought is waning, with just 18% believing breaking down silos between groups is the most critical aspect of DevSecOps.
What are the challenges of implementing DevSecOps?
DevSecOps is still relatively nascent. Just 17% of DevOps.com survey respondents say they have a self-sustaining DevSecOps team and culture.
Getting DevSecOps to truly work requires more than just the right tools. Gerchow says, “Many times you see organizations that adopt DevOps and or DevSecOps, and they’ll say ‘security is everyone’s responsibility.’ And then what that translates into is, ‘developers, you’re gonna have to start doing security.’ And eventually, ‘developers, you’re the ones that are responsible for security in your own stuff,’ to the point where they’re alien.”
Ashley agrees, and says, “When security is everyone’s responsibility, it becomes no one’s.”
Adding to this challenge is how the complexity of today’s cloud-based architectures obfuscates the dependency between applications and infrastructure. DevSecOps must rely on different data than what was previously used. As Kurtic notes, “In the old world, on-premises, security was mostly looking at perimeter data and the dev teams were looking at application data. When you move to the cloud, there is no perimeter. Security moves closer to the workload applications at the center of everything, and you cannot do physical security.”
How can DevSecOps be set up for success?
It’s no secret that the adoption of DevSecOps is tricky. With 31 transformations under his belt, Davis shared what he’s learned from his fifteen years of experience. “There are two things that I see that just cripple DevSecOps––number one is lack of ownership. The second is, defining what good security looks like.”
Ashley agrees, adding, “If people have an opportunity to contribute to the solution, you know, even if it’s just the process, they are more invested in the success of DevSecOps, so find goals that everybody ties to.”
Similarly, Davis says success depends on the human side, “ It’s all about the relationships, security developers and operations have in working to achieve a common goal.”
To that end, Kurtic explains, “Businesses are depending on these digital applications that are facing customers, generating revenue, and that drives motivation and, ultimately, collaboration if you have the right culture built into the team.”
Where will DevSecOps be in the next 24 months?
Looking ahead, as more companies adopt DevSecOps, Urlichs believes, “Lots of projects are just going to integrate with security tooling by default. So, for instance, with my infrastructure tools, right now, I have to use my Ops observability tools and then my security tools separately.”
Similarly, Kurtic sees processes consolidating automation stepping up to streamline as responsibility becomes more shared across SecOps and DevOps. “Security has pioneered a little bit more of the automation response orchestration, and I think those techniques are going to be applied to incident response and reliability. We’re gonna see more process and tools integration across these two functions into a more effective way of managing.”
Watch the entire panel discussion to learn more about the role of DevSecOps and how to take it to the next level.
Learn how log analytics and log management can help secure every stage of DevSecOps in our guides.
