DevSecOps needs to improve to grow adoption rates, maturity
Organizations are adding security processes and oversight to DevOps, but there's still work ahead to truly marry cybersecurity with DevOps and create a functioning DevSecOps practice.
DevOps is old news now. If your organization is doing cloud-native software development, DevOps is probably a given.
According to research from TechTarget's Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA):
- 37% of organizations are employing DevOps "extensively";
- 28% are doing so on a limited basis;
- 7% plan to employ DevOps in the next 12 to 24 months; and
- 12% are interested in doing so sometime in the future.
To me, a DevOps conversation isn't complete without broaching the subject of DevSecOps. DevSecOps combines application development, operations, infrastructure as code and cybersecurity within the continuous integration/continuous delivery (CI/CD) pipeline. It's all about automating and observing security throughout the software lifecycle. By aligning security, software development and IT operations, DevSecOps can improve security efficacy while reducing process friction.
Once again, organizations get it. The ESG/ISSA research indicated that 37% of organizations have incorporated security into DevOps processes extensively, and 33% have incorporated security into DevOps on a limited basis.
Future of DevOps and security integration
Most organizations are just getting started with DevSecOps, but the research hinted at more security and DevOps integration moving forward. This is an encouraging development, but there's still work ahead. ISSA members participating in the survey were asked what their organization could do to improve DevSecOps. The research revealed the following:
- 63% of security professionals believe their DevSecOps program could be improved by providing security training to software developers and DevOps personnel. While 77% of organizations said they are increasing cloud and DevOps training for the security team, this recommendation indicates they may not be reciprocating with more security training for DevOps personnel and developers. A security-smart DevOps team could help infuse security into everyone and every activity.
- 50% of security professionals believe their DevSecOps program could be improved by making sure security stories are authored during the Agile software development process. Chalk this up to the software development version of "an ounce of prevention is worth a pound of cure." It's easier and cheaper to fix security flaws in development than in production. Comprehensive, upfront threat modeling could be especially beneficial.
- 47% of security professionals believe their DevSecOps program could be improved by establishing consistent central policies to integrate security into DevOps. This may seem obvious, but it's difficult for large organizations with different development teams using different tools. The suggestion here is for documented best practices, with universal application, that don't slow things down.
- 42% of security professionals believe their DevSecOps program could be improved by supporting members of the security team pursuing cloud security training and certifications. This work has already started, but 70% of organizations claimed that cloud applications and infrastructure require new security skills. DevSecOps can't work if security participants are one -- or several -- steps behind developers. The Cloud Security Alliance and various SANS classes are great resources for cloud security education.
- 39% of security professionals believe their DevSecOps program could be improved by tasking developers with implementing security use cases. This could include security coding best practices, security checks on commits or designing security guardrails within CI/CD pipelines.
Altogether, these recommendations represent a lifecycle that runs from establishing DevSecOps to maturing it.
In 2011, Marc Andreessen penned a famous essay titled "Why Software is Eating the World." It suggested that trends such as digital transformation turn all organizations into software companies. Twelve years later, Andreessen's prediction has proven prescient. Unfortunately, it's not a stretch to say that insecure software is now eating the world. DevSecOps, with continuous improvement, gives us a fighting chance to level the playing field.