Shifting security left: an outlook on DevSecOps

Let’s take a walk down the memory lane and remember what DevOps looked like when we simply called it “deployment.” Developers created code and built artifacts, system admins deployed them to a testing environment and finally, the security team came in at the very end of the process to make some checks before launching the code into production. However, this process is no longer compatible with today’s demanding world.

So, how can organizations improve the development lifecycle? Can integrating security help you ship better code, faster?

Introducing DevSecOps

The growth of DevOps has changed the development landscape for good. Developers and sysadmins have joined forces to become a unified team employing an automation-centric toolchain, but software security still lags — although it is starting to win ground in the often-discussed shift left security topic. Traditional security mostly consisted of vulnerability checks at the end of the development process, forcing developers to rewrite large portions of code in case of failures, and creating a tangible rupture between teams.

According to the Gitlab DevSecOps report 2021, “the question of security ‘ownership’ remains a tricky one in nearly every organization, and that’s particularly true when it comes to the security team.” The response from 4300 participants indicates that shared security has yet to receive the treatment it deserves. 31% of the respondents considered the security team as the main actor, while only 28% agreed that security is a topic for everyone — evidence that there is no clear consensus on the matter.

While all businesses recognize the importance of security, many falsely assume that tooling alone can solve all their application security concerns. The Gitlab report also states that 72% of security professionals believe that their organization’s security efforts are somewhere between “good” and “strong”, as more companies are focusing on integrating SAST1, DAST2, IAST3, RASP4, container and scanning for dependencies in their classic DevOps pipelines.

With the recent changes in DevOps, traditional security no longer presents itself as a viable option, creating the need for a culture of shared responsibility within the organization.

In the not-too-distant past, the software development lifecycle (SDLC) represented the principal cookbook for software delivery companies. However, as DevOps became the most relevant framework, a new reference work is emerging, the DevSecOps Maturity Model (DSOMM). It represents a key material in understanding the existing baseline and defining the transformation path of embracing DevSecOps. The Open Web Application Security Project® (OWASP) says that culture and organizational activities are spread constantly along four levels of maturity5, representing the foundation on which DevSecOps lays. It includes:

31%
of the respondents considered the security team as the main actor

28%
agreed that security is a topic for everyone

72%
of security professionals believe that their organization’s security efforts are somewhere between “good” and “strong”

People engagement

  • Ad-hoc security training
  • Regular security training
  • Rewarding good communication
  • Collaborative security check-ups with system administrators and developers

Procedural standards

  • Each team has a security champion
  • Security lessons learned
  • Aligning security in teams

1 Static Application Security Testing (also known as “white box” testing)
2 Dynamic Application Security Testing (also known as “black box” testing)
3 Interactive Application Security Testing
4 Run-time Application Security Protection
5 Basic understanding of security practices, Adoption of basic security practices, High adoption of security practices, Advanced deployment of security practices at scale

Security and DevOps are complementary domains, as the opportunities lie in making security an integral part of development, solving potential business-critical incidents during the early stages of the SDLC.

DevSecOps easily distributes the responsibility for security in the pipeline and helps maintain the required speed and scale. The perfect mix lies in the balance between capabilities, technologies and culture. Although DevOps represents a modern way of working and solving problems by focusing on constant and fast delivery, DevSecOps will prove to be the next best practice in this constantly changing landscape. It’s not a question of “if” but “when.”

About the author

Bogdan Balazs

Cloud Security Global Operations Manager, Atos

Bogdan is responsible for leading engineering innovation and overseeing operations delivery globally within the Cybersecurity Cloud Security unit, as an experienced DevOps and Cloud Security architect. He is actively involved in designing the future of Atos value proposition in the area of Cloud Security by working together with internal stakeholders and partners on emerging domains such as IoT Security, cloud native security, SIEM and MDR while spearheading BDS cybersecurity vision and objectives in the realm of DevSecOps. Bogdan is shaping the cybersecurity engineers of tomorrow by closely working with local universities in promoting BDS Digital Vision through teaching, events and common projects.

Interested in next publications?

 

Register to our newsletter and receive a notification when there are new articles.