Automic, now acquired by CA Technologies Learn more >
 

Just What Is DevSecOps?

The old adage goes, “there’s no such thing as bad publicity.” While that may have been true once, it isn’t in today’s digital era.

Scott Willson
Scott Willson, August 1, 2017 2:00 pm
Blog > DevSecOps | ARA | DevOps > Just What Is DevSecOps?

We all want to make the headlines, but only for the right reasons; DevSecOps may be the key to achieving just that. There are countless companies out there striving to become press darlings and be dubbed the “Airbnb of XXX” or the “next Uber’. But there’s a reason why digital disruptors like Facebook, Netflix and Lemonade are called unicorns: because they’re few and far between. For enterprises taking tentative steps toward digital transformation, the likelihood is they may find themselves in the headlines for the wrong reasons – their security.

Security breaches and leaks are seemingly becoming more and more commonplace in the interconnected world of today. Spend five minutes googling ‘data+breach’ and flick through the top stories listed – the chances are there’s been at least one incident reported today; another firm falling afoul of data security protocols and finding itself in hot water. Over the last few years, companies of all sizes have experienced major data leaks; from restaurant-discovery company, Zomato, to ‘pay-day’ loan provider, Wonga, and even major international corporations including Yahoo and LinkedIn. And most worryingly, the size and scope of each new breach seems to outstrip the last.

Clearly, security threats are increasing and it’s becoming a challenge to keep up.

Moreover, there are some distressing statistics to be found. According to Insurance Business Magazine, more than 31% of small businesses are unable to sustain their operations for more than a week after being hit by a cyber-attack. Compounding this, approximately 62% of all cyber-attacks target smaller businesses. For those start-ups looking to become the next Uber, it seems the odds may just be stacked against them, unless they’re one of the increasing number of organizations adopting a DevSecOps mindset.

DevSecOps and Why It Matters

The basic principles of Developer-Security-Operations (DevSecOps) couldn’t be clearer and are built upon the idea that “everyone [in the software development life cycle] is responsible for security.”

While that may seem like an obvious statement, historically it hasn’t always been the case. Primarily because developers haven’t been overly concerned with the security of an application; their focus has been on functionality. DevSecOps, though, seeks to change this mind-set and eradicate these issues entirely. And it’s increasingly vital, because as applications have become more complicated and advanced, so have the security issues they are faced with.

As well we all know, a major part of DevOps is how applications are deployed and monitored, and automation plays a big part in this process. But, if not observed properly, this automation which enables us to move faster than ever before, without compromising quality, may actually be introducing vulnerabilities.

Think of the access and permissions granted to automation agents or bots. They’re regularly given administrator level access, but how often are those privileges checked? Once the bot has made its environmental change, does it still require that administrator level access, or are you succumbing to privilege creep? Remember, for every administrator account you have, your level of vulnerability increases exponentially – each account is a potential back-door to your system, and therefore, your business.

DevSecOps seeks to mitigate issues of these kind before they become an issue. In the past, traditional security approaches were typically quite slow and cumbersome. Worse, they were either introduced very late in the deployment process, or established only after a vulnerability was discovered in a shipped product. The primary goal of DevSecOps is to go beyond enemy lines, so to speak. It’s to find these vulnerabilities and encourage practitioners to build security processes and protocols throughout every stage of the development cycle – not introduce them after-the-fact.

Although it can take time to establish a fully-functioning DevSecOps team, and a cultural shift is more likely needed than not, the benefits outweigh the negatives. In the long run, it will reduce the cost of your security expenditure and minimize the chances of you falling victim to a cybersecurity incident. Just like DevOps, DevSecOps seeks to provide better results at greater speed, through collaboration, communication and a greater emphasis on operations and security. It is a mentality more than an actual practice, but that’s not to say there aren’t tools out there which can help you adopt the mindset more quickly.

New Call-to-action

Watch Our Webcast: Securing Continuous Delivery Pipelines

Suggested resource

Watch Our Webcast: Securing Continuous Delivery Pipelines
Webinar Watch

Watch Our Webcast: Securing Continuous Delivery Pipelines

Are you struggling to ensure the security of your continuous delivery pipeline? As technology advances so do the risks – learn how to gain control and mitigate vulnerabilities.

DevSecOps
ARA
DevOps
Back to the blog
Scott Willson

Scott Willson

Scott Willson is Product Marketing Director, Release Automation at Automic Software. He has over 20 years of technology experience that spans software development, pre-sales, post sales, and marketing. Scott is passionate about technology and helping business achieve value through technology and was leading DevOps at organizations before it was coined DevOps