It seems like hardly a week goes by without news of a security breach. Cyberattacks are becoming more frequent and more severe, costing businesses $600 billion per year according to the 2018 Economic Impact of Cybercrime report. Without a strong security policy in place, businesses risk falling victim to new threats while losing the trust of their customers.
The challenge is that for many businesses, security practices haven't evolved to meet these new threats. For software organizations, the way in which products are developed and deployed has changed significantly in the past ten years thanks to the growing adoption of DevOps. However, security is still treated as a secondary target.
In order to protect against the growing threat and severity of cyberattacks, organizations need to make security a more integral part of their software development processes. This has led to the adoption of DevSecOps.
DevSecOps is a practice that aims to bring security into the DevOps process. It integrates secure practices and tools into each phase of the DevOps process, allowing organizations to build secure software without sacrificing agility and speed.
Traditionally, security implementation and testing was reserved until the end of the software development pipeline. In DevSecOps, security "shifts left" into each of the earlier stages. This includes:
The result of DevSecOps is that security becomes a shared responsibility. Instead of waiting until the end of software development, teams can monitor for and respond to vulnerabilities immediately after they are detected. This allows for a more agile development process, while also making the product safer.
DevSecOps provides numerous benefits, including:
With DevSecOps, organizations have a much greater chance of finding and fixing vulnerabilities before they reach customers. According to the 2018 WhiteHat Application Security Statistics Report, organizations that implemented application security testing saw a 25% drop in the average time to fix vulnerabilities, from 122 days to 91 days. With microservices, this drops an additional 50% to just 43 days.
Much like DevOps, DevSecOps requires a change in organizational culture as much as it requires a change in procedure. These are some of the more crucial steps to consider when planning a DevSecOps implementation.
If there's one phase security experts should be involved in, it is the planning phase. A vulnerability or bug found during the early stages of development will cost significantly less to fix than one found in a later phase. According to the IBM System Science Institute, a bug found during maintenance can cost 100 times as much as one found during planning. This amount increases exponentially the further you progress.
Automation is a key aspect of DevOps, and DevSecOps is no different. Automated security tests allow you to maintain the rapid pace of DevOps, while ensuring that each change meets security standards without introducing new vulnerabilities or regressions. And by integrating security checks into a continuous integration and continuous deployment (CI/CD) pipeline, you can quickly alert engineers in case of a failed test.
The best way to address a vulnerability is to prevent it from happening in the first place. Teaching developers to code securely can eliminate a significant number of vulnerabilities, reduce the cost of new changes, and lower the time to deployment. However, learning to write secure code requires education, training (initial and ongoing), and a cultural emphasis on security over speed.
DevSecOps is a growing trend among organizations of all sizes. According to DigiCert's "Inviting Security into DevOps Survey", 49% of enterprises have already added security to their DevOps workflow, and an additional 49% are in the process of doing so. By building on the success of DevOps, DevSecOps is quickly becoming the preferred solution to today's cybersecurity problems.