DevSecOps: what companies need to know

As technology becomes more complex, so do the security methods intended to protect and shield it.

Existing security vulnerabilities are always present and evolving, and new ones are constantly emerging, requiring increasingly sophisticated cybersecurity measures – DevSecOps is one of them.

DevSecOps is defined as addressing development, security, and operations simultaneously throughout an application’s lifecycle.

“Data security considerations are addressed throughout the pipeline rather than just at the end,” said Meredith Bell, CEO of DevSecOps platform company AutoRABIT.

“This is to ensure that security vulnerabilities are found and addressed with the same quality, scale and speed as development and testing processes,” and to ensure that every update supports a stable system, he said.

Mike O’Malley, SVP of Strategy for IT services company SenecaGlobal, agreed that “it means thinking about application and infrastructure security from the start.”

The efforts of cybersecurity and software development are being combined, he said, so that security is integrated into every stage of the software development lifecycle — from initial design through integration, testing, implementation and software delivery.

In some cases, companies are taking security measures even earlier in the development cycle – a sort of “pre-step before devops”, or as O’Malley put it, “PlanSecOps”.

“So, security isn’t just built in during development, it’s built into frameworks even before (developers) start coding,” he said.

DevSecOps and devops overlap

Still, there’s no industry-standard definition or approach to DevSecOps, said Gartner VP analyst George Spafford — making it a lot like devops, from which it originates.

The term devops was coined about ten years ago and the concept involves combining software development and IT activities. The ultimate goal of this is to shorten system development lifecycles and provide continuous delivery and high software quality. Devops, in turn, encompasses several aspects of the agile methodology, dividing projects into different phases to enable continuous collaboration and improvement.

As Spafford noted, “DevSecOps is still devops, but it explicitly states that it should work with information security and take into account necessary controls to mitigate risk.”

The benefits are the same as devops, assuming organizations consider “all stakeholders” – that is, the enhanced ability to deliver customer value at the cadence/speed the customer needs, while managing risk.

Agile development and devops/DevSecOps can be powerful when combined, especially when it comes to AI and other endeavors that require a lot of continuous experimentation and learning.

Still: “It shouldn’t be pursued just because it seems like a good idea. People should use devops/DevSecOps where it makes sense, where it’s needed,” Spafford said.

Especially compared to the waterfall methodology – a linear approach to project management where each stage must be completed before moving on to the next – agile is useful in situations where there is ambiguity about needs or rapid changes are taking place. Waterfall’s Achilles heel, Spafford said, is that users need to pre-identify requirements when needs are least understood. This means creating a project plan with a huge amount of work in progress and dependencies.

Agile allows developers to focus their efforts on customer outcomes and perform regular releases, “serving the backlog of features to reflect the latest lessons learned,” Spafford said.

“This is a powerful approach because it enables incremental customer value delivery, learning and continuous improvement,” said Spafford.

But organizations must also take the disadvantages into account: overcoming the existing culture and giving people room to learn and change. These can be addressed, Spafford noted, but they must be considered from the start and throughout the process.

And ultimately, devops and DevSecOps “are not a progression that you start with one and then move to the other,” Spafford said. “In both cases, start small, learn, improve, show value and increase the footprint.”

Growing concept, adoption

As security vulnerabilities increase, DevSecOps is increasingly defined as a concept and is growing in adoption.

According to Emergen Research, the global DevSecOps market will reach $23.42 billion by 2028. That’s a significant 32.2% compound annual growth rate (CAGR) from $2.55 billion in 2020.

This follows the growth of the devops market, which is projected to grow by more than 20% between 2022 and 2028, according to Global Market Insights. The company expects the segment to grow from about $7 billion to more than $30 billion over that time period.

An increasing need for repeatable and adaptive processes, custom code security, and automated monitoring and testing is driving this growth, Emergen reports. And a growing number (and iteration) of platforms and tools are emerging – from Unisys, Kryptowire, Red Hat and Rackner.

Increased protection in an ‘ugly’ landscape

“DevSecOps is no longer an option — it’s a necessity,” Bell said. Similarly, “security is not an afterthought.” Rather, it should be integrated into every stage of the devops development cycle.

O’Malley agreed, pointing out that it is common practice to transfer security to software at the end of the development cycle.

This wasn’t a major issue until new development practices, including agile and devops, became more common as a means of reducing development cycles, he stressed. Amid this adoption, the tacking-on approach caused many delays or was skipped altogether to push new features to customers, leaving even more security gaps.

DevSecOps is getting “even more critical,” O’Malley said, underlining that, “It’s ugly out there in security.”

Hackers in particular have become smarter and more sophisticated. They are developing more and more ways to bypass direct multi-factor authentication through access points in public clouds, apps, mobile devices and IoT devices; to directly target organizations and force them to pay a ransom; and to use so-called “stalkerware” apps to record conversations, location and anything a user types, “all disguised as a calculator or calendar,” O’Malley said.

He also pointed to the mainstreaming of cloud computing as a factor. As predicted by Gartner, 70% of all enterprise workloads will be deployed in the cloud by 2023, up from 40% in 2020. In addition, companies across industries are expected to have at least nine different cloud environments by 2023.

Hosting data and apps in so many places adds a level of complexity that can make it difficult to manage cloud security operations (or CloudSecOps). And while it has plenty of benefits — not least cost and flexibility — the cloud also opens up more entry points. Organizations have larger areas to secure, and with access not limited to physical location, “everyone is a potential threat,” O’Malley said.

Attackers can use third-party apps, employee credentials, and bots to gain access, increasing the need for modern cybersecurity measures.

The shift to remote working and continuous digital transformation have increased the vulnerability of organizations, Bell emphasizes. Secure apps and continuous updates allow businesses to adapt without exposing themselves to attacks.

“Companies deploying DevSecOps solutions will experience fewer fire drills in later stages and deliver more secure, higher-quality code,” Bell said. “Pushing a development project through production and creating technical debt is a recipe for disaster.”

Achieving ‘cyber resilience’

When it comes to protection, the right tooling is crucial, Bell said.

Automated release management is an essential aspect of any DevSecOps strategy. This is the process of planning and working through the application development pipeline – from the earliest preparation stages, to development, to testing, to implementation, to continuous post-release monitoring.

Continuous integration and continuous deployment (CI/CD) tools help to strengthen test processes and amplify potential attack areas before production, Bell said. Data backup tools can also be used to automatically route data to the correct location and maintain a consistent interface for both employees and customers.

Protection also comes down to helping employees become more “cyber-resilient.”

From communicating best practices such as updated user permissions to implementing strong passwords to strengthening the ability to recognize phishing attempts, Bell underlined that “open communication is the key to success.”
