Shifting mindsets from DevOps to DevSecOps
Posted on December 18, 2020
By Dror Davidoff, CEO, Aqua Security
DevOps is a set of practices that looks to combine and automate the processes between software development and operational teams during an application life cycle.
Although the current DevOps mindset is certainly an improvement on the traditional method of software development where the development and operations teams were kept separate, it could still do with an upgrade to ensure the best outcomes for businesses.
As the tech industry constantly experiences changes and developments, we must also always be on the lookout for ways to improve methods and ensure rapid results. The main problem with DevOps is that there is a lack of focus on security, which can cause disruptions in the process of developing and deploying applications. The next step towards increasing efficiency throughout an application lifecycle is to include security throughout this process, thereby adopting a DevSecOps approach.
DevSecOps combines development, security and operations and puts heavy emphasis on security checks throughout the development process. The inclusion of security throughout the process has become a great asset in a world where cyber threats are becoming more frequent and more sophisticated.
Putting the security into DevOps
Businesses will only gain from the incorporation of security into the process if they take the necessary steps to implement the models in the right way. Although security has always been a vital stage in the development process, its position within the current DevOps framework presents flaws and can hinder the overall process. In order to deliver high-level security decisions and actions, adopting a DevSecOps mindset should be a main priority for CISOs.
Indeed, operating in the current DevOps approach means evaluating security in the final stages, often as an afterthought. Security was separate from development, which created the potential for last-minute issues that would delay processes and, as a result, delay the release of an application. It is now clear that security needs to be the focus of all departments as an ongoing consideration throughout the process. This reduces the chance of costly risks during the application building process. The shift to DevSecOps will allow unity in the workflow and shared responsibility for security, both of which will enable the faster delivery of applications.
How this is managed will differ between organisations. Change management in DevSecOps is inherently more difficult, as it involves integrating each individual contributor, rather than just looking to one team, to reach a shared mindset. The role of security management cannot be left in its entirety to the cloud provider or the security team. Instead, the CISO should look to create a culture and strategy of vigilance towards security issues and requirements across all of the teams.
To create the necessary culture of unity, leaders must take the time to retrain their teams and educate them on the methods and benefits of shifting to a DevSecOps mindset. In order to effectively implement the changes, the team must be aware of the why, as well as the what. This will create a cohesive process, producing better results for the application. It would be detrimental to simply implement the tools and changes as a way of saving time; teams must be able to ask questions and be given time to understand the shift.
Additionally, ensuring that developers are educated about cybersecurity helps to avoid instances where hackers deploy malware within the build stage of the process and it goes unnoticed. Giving the developers part of the responsibility for security will increase the chances of these problems being spotted early on in the application life cycle. It will also give them more time and control to analyse and defend against potential cybersecurity risks.
The move from DevOps to DevSecOps will require the CISO to engage and educate the teams so that there is complete co-operation and understanding of the change. This will ensure a unified environment in which the benefits of the DevSecOps mindset are realised, enabling efficient cloud-native development that delivers high-standard applications.