4 min read

Forget Everything You Thought You Knew About DevOps and Security

Featured Image

DevOps isn’t a new concept. It was first coined around 2009 by Patrick Debois as a way to describe not only technology and standards, but also an associated culture. In many ways, this marked the birth of the “DevOps movement”.

DevOps eventually caught on and was adopted by a broad range of IT companies.

Over time, the term expanded its definition to encompass activities that helped accelerate the software development lifecycle.

In technological terms, DevOps has morphed into something entirely different over time, that’s why it’s important to evolve into the next iteration of DevOps, which is embedding DevOps security into DevOps practices to create DevSecOps

In today’s era of cybercrime, breaches, and hacks, it’s become more important than ever to consider security, development, and operations as one uniquely intertwined process.

Failure to adopt this mindset can have serious ramifications for businesses of all types.

In fact, security has become just as important - if not more so - than other key tenants of modern DevOps.

If an engineering team doesn’t have a mature security mindset, their software deliveries are unlikely to be secured with the resulting downstream dire consequences of that.

Common Myths About DevSecOps

Every organization interprets DevOps differently, which can cause some confusion when it comes to fully understanding what shifting left, or modern DevOps security practices are all about.

Let's explore some of these myths and debunk them.

  • Myth:

    DevSecOps takes too much time and isn’t practical for small teams.

  • Reality

    Adopting a security mindset throughout the DevOps process actually frees up time.

    Instead of waiting to address DevOps security issues at the end of the DevOps process, integrating and remediating throughout the Software Development Lifecycle (SDLC) saves you time, money, and headache. In fact, depending on your organization's size you may not need to hire a specialized team. Instead, simply adopting the latest DevSecOps best practices and culture can make a significant impact.

  • Myth:

    Regulatory and compliance requirements supersede DevOps security operations, so we don’t really need it.

  • Reality:

    Keeping things secure isn’t just about meeting regulatory requirements.

    It’s about staying one step ahead of the bad guys. That’s where DevSecOps automation comes into play. It can fill gaps and identify vulnerabilities and security flaws that might otherwise have been overlooked if we were to focus solely on regulatory compliance.

  • Myth:

    DevSecOps wouldn’t solve the current problems that we have, so there’s little value in adopting it.

  • Reality:

    DevSecOps isn’t just about writing code, it’s about continuous improvement.

    While it might not provide near term security solutions to all of your immediate needs, it can provide preventative solutions and approaches to issues that will pop up in the future.

  • Myth:

    Developers should build their own DevOps security tools, and not rely upon 3rd party tools.

  • Reality:

    There’s a time and place for self-built DevOps security tools, but that doesn’t mean that they’re your only option.

    In fact, you may be better off investing in external tools that save you time and money.
    They’ve already been tried, tested, and debugged. It’s not always necessary to waste time reinventing the wheel.

  • Myth:

    Open-Source DevOps security tools are the best (and only) kind of DevOps tools

  • Reality:

    Only about 22% of all DevOps teams rely on open-source tools

    For DevOps security tools, it doesn't always come down to budget in the end.

    Open-source tools are more budget-friendly solutions, but sometimes come with more inherent risk because of their “open” nature, while paid tools are usually just as effective (if not more so).

  • Myth:

    DevSecOps knocks out the need for other application security experts.

  • Reality:

    This is false. Secure software development practices used by developers and dedicated security teams are not the same.

    There remains a need for security experts who can partner with developers to create fortified and secure software solutions.

What the Future of DevOps & Security Looks Like

devops and security

As organizations follow their own model for development, the attack surface increases, and security becomes even more important.

Here are some of our predictions of what DevOps and Security will look like in the future.

DevSecOps will:
  • Become more automated than ever

    Less manual audits by “old-school” dedicated security teams and their blocking steps on the Continuous Integration (CI) level; which is replaced by shifting security left, allowing developers to become aware of security concerns as soon as possible, preferably before any code was pushed to a remote branch or a pull request was even opened.

One common way to achieve this is to use security plugins built directly into your IDE, allowing for fast security feedback.

Another approach is to use pre-receive hooks allowing for custom security logic to run before a code commit can even be performed.

  • Continue to become more proactive and predictive

    Instead of waiting for an incident to happen and then mitigating it, we believe companies will start leaning more towards prioritizing software security to be in alignment with the release of new features (as opposed to prioritizing new features over anything else). This will allow more time to be spent on security training, whether through self-learning, online courses, security workshops, or any other means.

The above will lead to a higher sense of security ownership for the developers. The saying “you code it – you ship it – you own it” will increasingly apply to security issues as well.

  • Become more adaptable and diverse

    The application security (AppSec) market is booming, and security awareness and responsibilities are also branching out. Application security tooling will continue to become simpler and easier to use, and will not require as much deep security expertise to implement or leverage them. This will make the benefits easier to receive with less previous security expertise required.

  • Become increasingly scalable

    As cloud adoption increases, so will the usage of native, built in, fully managed CI/CD platforms, such as GitHub Actions, which provide a broad range of security related actions (steps) you can leverage to make sure your pipelines are secure and also include all the relevant mitigations for your use case. We predict the adoption of managed CI/CD solutions will increase, and therefore allow for simpler onboarding of new security related capabilities in your CI/CD pipelines.

  • Become increasingly reliable

    The mission of everyone involved in implementing DevSecOps is to deliver high quality, reliable and secure software. As DevSecOps becomes more widely adopted, and the tooling surrounding it improves (such as cosign), we predict that the guarantee of knowing the software you release is indeed the very same software that will reach your end users without being maliciously modified will greatly increase in the upcoming years. The entire software marketplace will benefit from increased peace of mind.

Stay Current with Modern DevSecOps & Maximize Your Security

To summarize, DevOps isn’t a new culture/mindset, It’s been around for well over a decade.

Today’s IT environment demands and necessitates a shift in mindset.

Relying on an older DevOps mindset will leave your products vulnerable, which is why it’s time to adopt the DevSecOps mindset.

There are many myths about DevSecOps, which we happily refuted above.

A common myth being the fact that following DevSecOps principles takes too much time – the opposite is the truth – shifting left and finding security issues early on in your SDLC can save you plenty of time closing security holes in your production environments.

In fact, any effort put into securing your SDLC and strengthening your DevSecOps processes is time well spent.

You shouldn’t fall victim to these myths. Instead, it’s time to look to the future of DevOps and keep an eye on future trends. With so many security tools becoming increasingly available – there is no reason not to include them in your CI/CD flows and increase protection.

Boost Your DevSecOps Today!

Related Blogs

Novel Pipeline Vulnerability Discovered; Rust  Found Vulnerable

The Legit Security Research Team discovered a new class of software supply chain vulnerabilities that leverages artifact poisoning and attacks the...

Read More

Top Software Supply Chain Security Solution Approaches: Pros and Cons

What are different solution approaches to software supply chain security and what are the Pros and Cons for your organization? What is the modern...

Read More

1 min read

Critical and Time Sensitive OpenSSL Vulnerability - The Race Between Attackers and Defenders

Update: On November 1st the OpenSSL project maintainers released their fix for the vulnerabilities. There were two vulnerabilities discovered. After...

Read More