What is DevSecOps?
The term ‘DevSecOps’ is shorthand for Development Security Operations.
Traditionally, developers built applications and then consulted security personnel either immediately before launch or after it. Security existed as an afterthought, leading to poor overall application security outcomes.
DevSecOps presents a model for building security into the application development lifecycle. It demands changes to the way that teams function, but it does so for the better. DevSecOps helps organizations create a business culture that puts security at the forefront of operations.
What are the benefits of implementing DevSecOps?
- Cost reduction. By discovering security issues early on, organizations can avoid the human resource costs and any monetary costs involved in revamping technologies.
- Culture of transparency. Organizations that apply DevSecOps benefit from improved internal communication and inter-departmental transparency.
- Opportunities for automated processes. The automated review of code removes the possibility of human error, and it also saves time for employees, enabling them to turn attention to higher-level priorities.
- Security is no longer a la carte. With a DevSecOps approach, security is considered in each stage of the application lifecycle, and in each application. Chance and whim no longer play a role in what’s properly secured and what’s not.
DevSecOps and automation?
Not only does DevSecOps introduce security in the early stages (and potentially all stages) of application development, it also emphasizes the use of automation in order to seamlessly embed security into applications and end-user solutions.
The use of automation offers comprehensive visibility and threat intelligence, allowing security teams to see threats and to unpack anomalies. In turn, this means that fewer attacks move forward undetected.
What types of challenges, if any, emerge around DevSecOps?
- “How can we integrate security into pipelines?” is a question that every organization must thoughtfully consider. Integrating security into day-to-day operations may require that developers change attitudes and habits. Or it may require teams and experts that are unfamiliar with one another to suddenly work collaboratively. Organizations must ensure that their transitions to DevSecOps proceed smoothly.
- The shortage of cyber security talent in the marketplace, combined with lean organizational budgets, means that DevOps teams may need to learn more about cyber security. Organizations must determine how to motivate current employees to gain new knowledge and skills.
- Last, but not least: Teams need to establish which metrics to monitor with regard to the efficacy of DevSecOps. What are the indicators of strong security and acceptable risk, vs. inadequate security measures?
Organizations can overcome these DevSecOps challenges through persistence, innovation and a willingness to adapt to change.