“By Kharnagy (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons”
By Jake Kaldenbaugh
One of the more interesting areas in DevOps that we see at GrowthPoint is what we are calling DevSecOps. While market participants are very familiar with the term, the larger market still seems to be waking up to the concept and to the value it can bring to the broader DevOps movement. The second question, why it matters, is probably pretty obvious once we agree on a definition, but we will also dig into some of the friction that has held the market back to date.
First, let’s start with DevSecOps. Given that we have a simple and high-level definition of DevOps, it will not surprise you to learn that we have one for DevSecOps as well. We believe that DevSecOps represents those methodologies, technologies, tools and cultural shifts that more deeply knit security best practices into the modern development workflow (and toolchain). Yes, this definition is broad and somewhat abstract, but it enables professionals in many different types of organizations to apply the core concept to however they are addressing development today. More importantly, it allows them to get the primary benefit, which is improving their state from whatever position it sits now to a better position in the future. This comes from an “incrementalism” philosophy that making progress is more important than perfecting the approach.
I also like the approach proposed by Shannon Lietz that “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’”, as I think it gets at the role that developers and dev teams play in security within modern development contexts. However, I am not sure that defining it as “Security as Code” (to dramatically simplify DevSecOps.org’s Manifesto) is as helpful, as it ignores the organizational and methodology requirements needed to be successful. Security as Code feels like the Security world’s attempt at interfacing with the Developer world, and it potentially does not reach the mark.
Why is DevSecOps important?
We are not going to belabor the context that is driving interest in improving security techniques in the development process. I would be curious to know if there is anyone who does not understand that application security is of paramount importance today. The level of attacks on critical applications has reached a crisis level and it can be argued that it is negligent to not incorporate modern best practices and platforms that can dramatically improve an application’s security profile. The question is more of “how” than it is “whether” or “why”.
So why has the market been so slow to develop to date?
When talking to market participants over the last few years, there has been a sense of, “Yes, everyone agrees it’s important, but it’s still a long sales cycle and not as automatic of a sale as it would seem.” This is surprising on the face of it given the context above. However, there are a couple of market frictions that we believe are being worn away, which makes DevSecOps a segment that we believe will accelerate rapidly over the next few years.
First, Silicon Valley and Web Native companies have prioritized speed at almost any cost in the past. And given that they originated and are driving many of the DevOps techniques, their lack of leadership and prioritization of security has not supported overall visibility of the DevSecOps trend. However, there are signs that this is changing with the overall culture of startups, as they are being asked to be more mature in a number of dimensions. From a bottom-up perspective, the very real impact that Yahoo!’s recent security problems had on their exit valuation to AOL will force investors to increasingly ask: “If I am investing in a digital business model, how much of my investment is at risk by not weaving security into the development lifecycle?”
Second, in some parts of the market there is still a reticence by some developer teams to embrace full-fledged DevSecOps because it can slow down the development process. Bringing to light extensive lists of vulnerabilities puts developers into a very uncomfortable position. If these lists are massive and unprioritized, development organizations are faced with either delaying application launch until all vulnerabilities are remediated or launching with a known vulnerability posture. This is clearly a core tension that all market participants need to navigate and mitigate. Clearly, providing strong prioritization and efficient mitigation is part of the path forward. In fact, many of the modern, leading solutions in the market today are addressing this and finding ways to work around it, as evidenced by growing adoption patterns.
Lastly, at GrowthPoint we are seeing signs that security issues are breaking into the overall developer priority list. Most recently, CA’s acquisition of Veracode and Synopsys’ acquisition of Cigital and Codiscope illustrate that major vendors believe in the opportunity to bake security into existing development lifecycles. These are companies that would not be making these investments if they hadn’t seen significant demand from their customers for DevSecOps solutions. And as companies knit together modern, next-generation application platforms around containers, microservices and APIs, we see a host of interesting startups that dramatically improve application and data security profiles from the start.
What are keys to DevSecOps success?
Assuming customers are bought into the concept of adopting technologies and platforms and are willing to make the required changes to their development processes, what are some other considerations that customers should keep in mind as they build out DevSecOps capabilities?
First, they should adopt approaches and tools that deliver value for the developer. If the security tool only identifies a long list of vulnerabilities, it is going to compete against the developer’s goal of delivering innovation quickly to the business, and that’s not a good position to be in. If the tool can understand the application context, identify a short list of the highest-priority vulnerabilities and offer legitimate and easy-to-deploy remedies, this will align it with our definition of DevOps: Methods, Tools and Platforms that Accelerate Development while simultaneously improving quality (which, in this case, is a better security profile). And more broadly, for the security practitioners and organizations who are being drawn into a DevSecOps environment, adopting a culture that is “developer-centric” versus “security-centric” will be valuable too. This will be difficult because Security and Development are both leading functions within all major software-centric businesses today. There will be political and cultural battles (similar to the ones between Development and Operations) that need to be sorted out. Additionally, there are signs that Security brings a significant amount of bureaucratic overhead in terms of its models, maps and methods. These approaches will need to be right-sized to work within fast-moving innovation and development contexts. It will be interesting to watch how this dynamic continues to evolve going forward.
Second, the one constant for security threat vectors is change. Tools and platforms must be able to adapt to the constantly shifting threat landscape and ensure that the value they deliver will continue into the future. Whether they do this through constantly updated threat libraries or self-learning/AI techniques, having the ability to shift as adversaries morph their strategies will be vital.
But these issues will be sorted out. There is too much opportunity to evolve the modern development process and dramatically improve the security profile of its output. And given the acceleration of DevOps adoption, this provides a critical window to optimize for our current threat-laden landscape.
At GrowthPoint Technology Partners, we are committed to supporting the companies that are aggressively advancing this agenda and helping them realize strategic value at the right time. If you have any questions about DevOps and DevSecOps, feel free to reach out for a discussion.