Putting the “sec” in DevSecOps: An overall reduction of risk

In this Help Net Security interview, Cindy Blake, Senior Security Evangelist at GitLab, talks about the importance of integrating security in DevSecOps and how to overcome the complexity of such integration.

Security in DevOps is often being neglected. Why do you think this is the case?

According to GitLab’s 2021 Global DevSecOps Survey, over three-quarters of respondents continue to think developers find too few bugs too late in the software development life cycle (SDLC). The complexity of integrating security is one of the biggest challenges facing DevOps today. This is because iterative development workflows can make security a release bottleneck, so it is neglected altogether. In addition, most organizations don’t have enough security practitioners to test all of their code. As a result, security is often addressed last — or even completely left out — of the DevOps flow.

As is the case for most businesses, the pace of innovation needs to be greater than or equal to competitors to outpace them and, ultimately, succeed. The faster that features can be released and enjoyed by users, the sooner businesses can generate revenue from that code — and the reality is that security must be a part of that to be successful.

The good news is many organizations have shifted security left, or at least started on their journey, in an effort to improve development velocity while also managing security risks — in fact, the survey also found that 35.9% develop software using DevSecOps, (where security is integrated into development) as compared to only 27% in 2020. While security has been traditionally neglected, organizations are beginning to value the importance of security in their DevOps processes. The newest challenge is complexity of that integration when using incumbent tools.

Is there a way to overcome the complexity of integrating security in DevSecOps?

When making the case for DevSecOps, or any new technology strategy, IT leaders need to be convinced that adopting new tools or processes will be worthwhile in the long run. Shifting to DevSecOps requires an investment in time and resources that can sometimes take years. This is a real challenge that prevents organizations from putting the “sec” in their DevSecOps processes sooner.

The best way to bring security into the development process is by using a tool that allows developers to stay in the same platform or interface they’re already using to commit, scan, and ship code to production. This makes the security process automatic and seamless every time there is a code update. In addition, it is critical that organizations start small. You don’t need to completely change your infrastructure to move things forward. Starting small with one team or one project is often the most successful way to implement change. Having an integrated platform approach can then help you scale more quickly.

How can DevSecOps benefit businesses?

In today’s evolving threat landscape, and especially with the uptick in software supply chain cyberattacks we’ve seen, it’s not enough to just find and fix security vulnerabilities earlier in the software development life cycle.

Proper DevSecOps will ultimately improve simplicity, provide earlier visibility, and give greater control over the security of the end-to-end SDLC. Building security into the entire DevOps pipeline is key for agility, advancement, and protection, and ultimately will save businesses time, money, and resources when done right.

How important is DevSecOps for the CI/CD pipeline?

DevSecOps integrates security controls and best practices into the DevOps workflow through CI/CD pipelines. These pipelines are akin to an assembly line for the software factory. As more teams try to shift left, automated security testing within the pipelines streamlines adoption and scalability while improving consistency.

Teams that adopt a DevSecOps strategy will not only develop better, faster software, but will also improve business outcomes, identify bugs, and catch vulnerabilities before they ever reach users.

You say built-in security will be a prerequisite. Can you explain why?

Built-in security has become a prerequisite to not only automate a comprehensive security scanning process, but also automate the policies and actions taken when exceptions are found. Consistently applying policies to your CI/CD pipelines ensures better security and regulatory compliance – without added work. As more and more organizations are understanding both the efficiencies and improved security of DevSecOps, this strategy will continue to increase in 2022.

The benefits of strong DevSecOps are clear — and the “sec” in DevSecOps will be more important than ever before as organizations realize the benefits with fewer vulnerabilities, faster deployments, less time spent in corrective actions, and an overall reduction of risk.