DevOps isn’t a new concept. The term was first coined around 2009 by Patrick Debois as a way to describe not only technology and standards, but also an associated culture. In many ways, this marked the birth of the “DevOps movement”.
DevOps eventually caught on and was adopted by a broad range of IT companies.
Over time, the term expanded its definition to encompass activities that helped accelerate the software development lifecycle.
In technological terms, DevOps has morphed into something entirely different over time, which is why it’s important to evolve into the next iteration of DevOps, by embedding DevOps security into DevOps practices to create DevSecOps.
In today’s era of cybercrime, breaches, and hacks, and with software supply chain attacks on the rise, it’s become more important than ever to consider security, development, and operations as one uniquely intertwined process.
Failure to adopt this mindset can have serious ramifications for businesses of all types. In fact, security has become just as important - if not more so - than other key tenets of modern DevOps.
If an engineering team doesn’t have a mature security mindset, their software deliveries are unlikely to be secured and resulting downstream consequences could be dire.
Common Myths About DevSecOps
Every organization interprets DevOps differently, which can cause confusion when it comes to fully understanding what shifting left, or modern DevOps security practices are all about. Common myths about DevOps often prevent organizations from adopting this critical practice.
Let's explore some of these myths and debunk them.
-
Myth:
DevSecOps takes too much time and isn’t practical for small teams.
-
Reality:
Adopting a security mindset throughout the DevOps process actually frees up time.
Instead of waiting to address DevOps security issues at the end of the DevOps process, integrating and remediating throughout the Software Development Lifecycle (SDLC) saves you time, money, and headache. In fact, depending on your organization's size you may not need to hire a specialized team. Instead, simply adopting the latest DevSecOps best practices and culture can make a significant impact. -
Myth:
Regulatory and compliance requirements supersede DevOps security operations, so we don’t really need it.
-
Reality:
Keeping things secure isn’t just about meeting regulatory requirements.
It’s about staying one step ahead of the bad guys throughout the software development lifecycle. That’s where using DevSecOps automation can help. Using automation can fill gaps and identify vulnerabilities and security flaws that might otherwise have been overlooked if we were to focus solely on regulatory compliance. -
Myth:
DevSecOps wouldn’t solve the current problems that we have, so there’s little value in adopting it.
-
Reality:
DevSecOps isn’t just about writing code, it’s about continuous improvement.
While it might not provide near term security solutions to all your immediate needs, DevSecOps can provide preventative solutions and approaches to issues that will pop up in the future. Without such a forward-looking approach, you may end up with more security issues than you bargained for down the road. -
Myth:
Developers should build their own DevOps security tools, and not rely upon 3rd party tools.
-
Reality:
There’s a time and place for self-built DevOps security tools, but that doesn’t mean that they’re your only option.
In fact, you may be better off investing in external tools that save you time and money.
They’ve already been tried, tested, and debugged. It’s not always necessary to waste time reinventing the wheel. 3rd party tools can also help you expand the scope of your security coverage beyond what your internal team might be able to build. -
Myth:
Open-Source DevOps security tools are the best (and only) kind of DevOps tools
-
Reality:
Only about 22% of all DevOps teams rely on open-source tools
For DevOps security tools, it doesn't always come down to budget in the end.Open-source tools are more budget-friendly solutions, but sometimes come with more inherent risk because of their “open” nature, while paid tools are usually just as effective (if not more so).
-
Myth:
DevSecOps knocks out the need for other application security experts.
-
Reality:
This is false. Secure software development practices used by developers and dedicated security teams are not the same.
There remains a need for security experts who can partner with developers to create fortified and secure software solutions.
What the Future of DevOps & Security Looks Like
As organizations follow their own model for development, the attack surface increases, and security becomes even more important.
Here are some of our predictions of what DevOps and Security will look like in the future.
DevSecOps will:
-
Become more automated than ever
Less manual audits by “old-school” dedicated security teams and their blocking steps on the Continuous Integration (CI) level; which is replaced by shifting security left, allowing developers to become aware of security concerns as soon as possible, preferably before any code was pushed to a remote branch or a pull request was even opened.
One common way to achieve this is to use security plugins built directly into your IDE, allowing for fast security feedback.
Another approach is to use pre-receive hooks allowing for custom security logic to run before a code commit can even be performed.
-
Continue to become more proactive and predictive
Instead of waiting for an incident to happen and then mitigating it, we believe companies will start leaning more towards prioritizing software security to be in alignment with the release of new features (as opposed to prioritizing new features over anything else). This will allow more time to be spent on security training, whether through self-learning, online courses, security workshops, or any other means.
The above will lead to a higher sense of security ownership for the developers. The saying “you code it – you ship it – you own it” will increasingly apply to security issues as well.
-
Become more adaptable and diverse
The application security (AppSec) market is booming, and security awareness and responsibilities are also branching out. Application security tooling will continue to become simpler and easier to use and will not require as much deep security expertise to implement or leverage them. This will make the benefits easier to receive with less previous security expertise required.
-
Become increasingly scalable
As cloud adoption increases, so will the usage of native, built in, fully managed CI/CD platforms, such as GitHub Actions, which provide a broad range of security related actions (steps) you can leverage to make sure your pipelines are secure and include all the relevant mitigations for your use case. We predict the adoption of managed CI/CD solutions will increase, and therefore allow for simpler onboarding of new security related capabilities in your CI/CD pipelines.
-
Become increasingly reliable
The mission of everyone involved in implementing DevSecOps is to deliver high quality, reliable and secure software. As DevSecOps becomes more widely adopted, and the tooling surrounding it improves (such as cosign), we predict that the guarantee of knowing the software you release is indeed the very same software that will reach your end users without being maliciously modified will greatly increase in the upcoming years. The entire software marketplace will benefit from increased peace of mind.
Stay Current with Modern DevSecOps & Maximize Your Security
DevOps isn’t a new culture or mindset, it has been around for well over a decade. Today’s IT environment demands and necessitates a shift in mindset. Relying on an older DevOps mindset will leave your products vulnerable, which is why it’s time to adopt the DevSecOps mindset.
There are many myths about DevSecOps, but the most important one you may need to look past may be that following DevSecOps principles takes too much time. The opposite is the truth – shifting left and finding security issues early on in your SDLC can save you plenty of time closing security holes in your production environments.
In fact, any effort put into securing your SDLC and strengthening your DevSecOps processes is time well spent.
Don't fall victim to these myths. Instead, it’s time to look to the future of DevOps and keep an eye on future trends. With so many security tools becoming increasingly available – there is no reason not to include them in your CI/CD flows and increase protection.
