A long time ago, I worked in the information security team of a large financial organization. We were completely isolated from the rest of the administration, literally stuck in an office at the end of a building wing, visitors were treated with suspicion and, in turn, we were treated with subtle contempt. After all, we were the protectors of the business, not the employees.
Access control, email intercepts, documenting security breaches, all those lovely things that seemed to hamper regular business operations. Back then, all departments were individual, with development, operations and security in their own silo mentality.
What is DevSecOps?
A long time ago, I worked in the information security team of a large financial organization. We were completely isolated from the rest of the administration, literally stuck in an office at the end of a building wing, visitors were treated with suspicion and, in turn, we were treated with subtle contempt. After all, we were the protectors of the business, not the employees.
Access control, email intercepts, documenting security breaches, all those lovely things that seemed to hamper regular business operations. Back then, all departments were individual, with development, operations and security in their own silo mentality.
This is where the trinity of development, security and operations comes into play. They have to work together, but how to implement a shift in culture?
Why is it worthwhile?
In 2020, the Consortium for Information and Software quality estimated that poor quality software cost US companies over $2 trillion, mostly from operational software failures. And it is estimated that fixing software problems cost an additional 10 times more after release, compared to operating a robust security system in the planning-to-deployment phases.
As modern applications are perhaps more assembled than written, there is a big chance that the building blocks, downloaded from open source libraries, with custom code added by the developers, already contain flaws or vulnerabilities. According to Gartner, this could be 70% of open source software. All components, or packages, used to build the software must be scanned with application security tools before the project starts. The developers can then check to see if the software sticks to the specifications established by the business and mitigate risk.
Higher quality software can be achieved by running continuous reliability and performance tests with the software being developed, reducing costs by being able to spot defects earlier. Once the software is ready for release by the Ops team, security continues by testing a complete product for resilience, reliability and performance, and will fix any issues that might have been difficult to see in the development stages, such as real-world user load.
Shaping and implementing a DevSecOps culture
This is probably the hardest task. People. Change. A feeling of loss of control.
Traditionally, most developers looked at security as an obstacle to avoid. They would rather have done their job and offloaded the completed software as smoothly as possible. And it was understandable, having a sense of personal pride in your work and not having to rely on others. But it is no longer viable. The security of the product must be the number one target.
With this in mind, how does this new culture get implemented?
In a perfect DevSecOps world, everyone will be responsible for security, but in order for it to happen, there must be a clear feeling of ownership within the company. A recent (2021) poll of Chief Information Security Officers revealed that over 70% of them were not fully confident that their code was free of vulnerabilities. Traditional security procedures just can’t keep up with the rapid pace of changing technologies.
