DevSecOps is a set of disciplines combining development, security, and operations. It is a philosophy that helps software development businesses deliver innovative products quickly without sacrificing security. This allows potential security issues to be identified during the development process – and not after the product has been released in line with the emergence of continuous software development practices.
DevSecOps is an integrative approach to coherent and effective software delivery.
In the past, software developers would typically update their products every few months or years. This gave the company enough time to test its code for potential security breaches by employing specialist contracted teams.
In the past decade, however, the rising prevalence of cloud and microservice models has resulted in rolling releases and thus a more agile market. Rapidity is now the name of the game, with many processes now automated and shared information readily available.
In some cases, security has not been able to keep up with the rapid pace of development. This is where the DevSecOps approach is vital.
By building security into every stage of development, the business can significantly reduce the costs associated with security flaws. In this sense, DevSecOps is a pro-active strategy because it anticipates security breaches before they occur.
Advantages of the DevSecOps approach
Businesses who engage in the DevSecOps approach can expect several benefits, including:
- Reduced costs. Security issues that are rectified in the development process is more cost-effective than addressing the same issues after the product has gone to market. This also reduces costs by shortening product delivery times.
- Avoids bad publicity. Security issues that are detected in-house cannot cause the product or the business negative publicity.
- Creates a positive company culture. A core tenet of the DevSecOps approach is that every member of the development team is responsible for security. This encourages a cohesive and transparent workplace culture that drives better outcomes.
- Higher overall security. Software developed via the DevSecOps approach is more robust. In other words, the strategy reduces general vulnerabilities and insecure defaults. It also increases code coverage and automation through robust infrastructure.
DevSecOps best practices
To ensure that the process runs smoothly, development teams should first realize that there is nothing wrong with automation – so long as automated security controls are also part of the software development cycle.
Teams should also employ tools that efficiently scan code as it is written for potential security issues. If issues are detected, then it is important to run threat-modeling scenarios to identify and then build protection against issues deemed a significant threat.
DevSecOps is fast becoming accepted practice across multiple industries. To illustrate its real-world application, here are a few examples.
Since the primary motivation for cybercrime is financial gain, it could be argued that PayPal as a payments processor was more exposed than some other companies.
To reduce the chances of introducing security flaws into its products, PayPal wanted a way to build proactive and repeatable security processes into the product development lifecycle.
The first required a shift in the corporate mindset, with security considered an equal priority alongside other project requirements.
To manage this mindset change and effectively incentivize security, the company assigned personnel to work across the organization and help teams manage the transition.
Automated security tools for the development team were introduced and security standards were phrased in development language instead of security language.
With so-called “Change Champions” and “Transformation Team Members” making the change as smooth as possible, PayPal was able to adopt DevSecOps in less than twelve months.
This enabled it to quickly build new products based on a secure foundation.
To improve its customer experience, mortgage provider Fannie Mae was directed towards a DevSecOps strategy that ultimately saw the company recognized at the Information Week Excellence Awards.
Like many other companies in a similar situation, teams performed late-stage security checks that frequently caused delays and buggy releases. There was also limited integration of important customer feedback.
Realizing there was an opportunity to accelerate development and incorporate better security practices at the same time, Fannie Mae decided to adopt DevSecOps.
A rapid, iterative development process with security checks at each step was achieved from the integration of development, operations, and security.
The results of the company’s strategy were impressive.
Fannie Mae was able to double the speed of its update releases with enhanced security processes able to increase customer satisfaction and trust and allow the company to adapt more quickly.
While many adults would admit to playing Pokémon Go, the mobile-based game is also popular with children.
Recognizing that data about children is extremely sensitive, owner The Pokémon Company wanted to create a cultural shift where security became its utmost priority.
Since security was often seen as a hindrance to development goals, the company decided to reframe it with a focus on business enablement.
In other words, security was reframed as an independent factor that could improve the reputation of the game among parents, reduce risk, and increase customer confidence.
The Pokémon Company’s initiatives have seen the whole organization now pay closer attention to security.
Once confined to the security team, analytics tool Sumo Logic is now used across the business – including DevOps teams.
Sumo Logic also enabled security teams to streamline manual security programs and processes to deliver improved efficiency.
For example, teams released a new project classification automation program that cut a process with 11 touchpoints over 5-7 days to a much more manageable 2 touchpoints over five minutes.
- DevSecOps stands for development, security, and operations. It is a pro-active and iterative approach to preventing security breaches during software development.
- The DevSecOps allows software businesses to keep pace with both the rapidly advancing software market and the collaborative, more rapid way software is developed.
- DevSecOps has many benefits for businesses, including reduced costs and enhanced company culture. The approach also allows development teams to identify issues that could potentially hurt brand image once the product is released.
Connected Agile Frameworks