Companies are adopting development security operations (DevSecOps) for several important reasons: to deliver value faster, to gain a competitive advantage, to lower the cost of security for clients, and more. Despite the rush to adopt it, companies sometimes fail with their DevSecOps initiatives, and the sad part is that many of the reasons are easily avoidable. So, allow me to outline the ones I have seen most often.
A lot of companies have the idea that they can simply buy DevSecOps. For example: "If we add CI/CD pipelines, we are doing DevSecOps." That is not how it works.
Development Security Operations (DevSecOps) is now a commonplace methodology. It is enabled by people, processes, and technology, with the first two mattering even more than the last. Without a company culture aligned with agile and DevSecOps principles, it is very unlikely that the implementation will ever reach maturity.
The same can be said for failing to update company processes so that they follow those principles and practices. Forcing old operating models onto modern technologies and practices leads only to confusion, inefficiency, and frustration across the whole company, both among the teams striving to make DevSecOps work and among the leadership trying to achieve a successful implementation.
You also have to remember that implementing a DevSecOps environment is no easy task. That said, companies that pull it off correctly reap tremendous benefits: a good implementation mitigates exploits and vulnerabilities faster, cheaper, and far more efficiently than traditional methods have in the past.
Weak Security Culture
Organizations, companies, and enterprises, and the industry as a whole, are short of security professionals right now. The ISC2 2020 Cybersecurity Workforce Study identified a shortage of a little over 3 million cybersecurity professionals.
Within companies and enterprises, cybersecurity professionals are dramatically outnumbered by their development and operations counterparts. It is also a reality that developers are in a position to mitigate security concerns earlier in the software development lifecycle (SDLC), and that operations teams are the ones expected to identify anomalies, so fixing these issues is a team effort.
Establishing a good security culture starts with the realization that security is the responsibility of everyone involved, developers and operations people included. Strong communication and awareness about security go a long way. Security teams and staff must shift from being seen as the "No" people to being viewed as partners who help achieve outcomes, while integrating key security practices throughout every endeavor.
Learning Culture is a Must
A recent McKinsey report identified talent and cultural issues as the greatest challenge to technology transformations, DevSecOps included. Companies that emphasize lifelong learning will usually succeed with DevSecOps. "The DevOps Handbook" stresses that a learning culture is the key to succeeding with DevSecOps and to building on the success of high-performing companies.
This is built through daily learning, reserved time for organizational learning and improvement, and concentrated investment in upskilling the workforce, for example through learning subscriptions, tuition assistance, and certification reimbursement.
The increasing pace of digital transformation and innovation is driving rapid growth of the cloud-native landscape every year. That growth provides a vast and rich selection of tools and applications to help companies doing DevSecOps achieve their goals. At the same time, the rapid creation of tools also produces a more complex and disjointed environment for many companies. Look no further than the most recent Cloud Native Computing Foundation (CNCF) landscape to get an idea of how diverse the ecosystem is becoming.
Companies are running into visibility and productivity challenges because of this toolchain sprawl, and they are looking to toolchain management options to get a handle on the sprawl and the inefficiencies it causes.
These issues are not isolated to DevOps. Cybersecurity is encountering its own challenges with tool sprawl. The 2020 Cloud Security Alliance (CSA) "Cloud-Based Intelligent Ecosystems" findings show that most companies and enterprises struggle to determine how well their security tooling is working, or whether it is working at all, and whether their teams can even keep up with the tools in their environments.
In the rapidly changing Information Technology (IT) ecosystem we find ourselves in, over the last decade and especially the last two years, tool sprawl and fragmentation are real threats to good security. They hurt visibility, productivity, and, most importantly, security. Threats continue to proliferate, and if your company or enterprise lacks real visibility and control, you are most definitely at risk, and the worst part is that you do not even know it.
From my experience, there is usually an often unspoken but widely recognized tension between development and security teams. Building on the need for learning, both teams must pursue cross-functional education as part of a broader imperative to break down and relieve those tensions.
The 2020 FOSS Contributor Survey, conducted by The Linux Foundation and Harvard's Laboratory for Innovation Science, found that the average free and open-source software (FOSS) developer spends only about two percent of their time improving the security of their code. I've heard the term "soul-withering" used by developers to describe secure coding and security.
At a time when companies and enterprises are looking to put security first, developers are in a prime position to mitigate security vulnerabilities before code is committed and promoted. They need to understand the value of secure coding and be incentivized to pursue it.
On the other side of the coin, I am seeing environments where more and more company resources are becoming digital, which means they are being turned into more and more code. From application code, infrastructure-as-code (IaC), and compliance-as-code to Kubernetes manifests and continuous integration/continuous delivery (CI/CD) pipeline YAML templates, code is everywhere now.
In my personal opinion, security professionals do not need to be excellent developers, but they should have a good understanding of coding practices at a fairly high level and be able to review templates for common misconfigurations, exploits, and vulnerabilities. This would drastically improve the collaboration and common ground between the two groups.