In its predictions for 2018, Forrester Research says this will be the year of enterprise DevOps. However, the tremendous innovation that DevOps has unlocked by speeding up the software development lifecycle (SDLC) has also undermined traditional approaches to AppSec. As more organizations embrace DevOps to accelerate application delivery, automation will be needed to limit the security risks inherent within the divide between the security and development teams’ processes.
The emergence of DevSecOps has mostly been theoretical and is often met with skepticism about slowing down the pace of releases. First, there is often pushback from app developer teams because security reviews can delay deployment and security tools create the “noise” of false positives for app developers. Second, traditional security tools were typically built to protect applications from the outside in: they rely on human knowledge to understand how the application works. With the right tools, good DevSecOps can, in fact, speed up the SDLC by removing manual processes.
Enterprises must learn to embrace integrating DevOps, security and development as a fundamental part of their business cultures. However, that must be accompanied by a change in mentality about what application security means. Rather than bolting on security in individual, manual steps that are inherently siloed, modern DevSecOps requires fully automating “security as code” baked into the CI/CD process, with a full understanding of both the development and production cycles.
Security, DevOps and development teams will need a common security foundation that seamlessly integrates with all tools and processes across each team. Creating such a foundation will enable insight into the very building blocks of the application: both how sensitive data is supposed to flow through microservices, open source libraries and external APIs, and how it actually flows in production.
Furthermore, by understanding both what the application is supposed to do and what it is actually doing, CISOs can drive virtuous feedback loops. Runtime protection can be driven by development insights that are both comprehensive and precise, and development informed by production analytics can prioritize which code weaknesses to address.
To achieve this continuous improvement loop, companies must work to break down traditional work silos that exist because of a mismatch in expectations. App developers, measured on speed, need to receive security information accurately, early, and with sufficient context to correct problems during software development. Security pros can similarly benefit by extending their knowledge deeper into the dev cycle to understand the code at its DNA level. Only by truly understanding the code can runtime protection be both comprehensive and precise.
Making this a reality requires an enormous cultural shift. And culture, like an aircraft carrier, does not change direction quickly. It’s not that traditional AppSec approaches have no value today. The problem is that traditional approaches are too slow and too imprecise, which is why they are increasingly less effective as organizations embrace modern CI/CD. Good luck building a culture in which every developer and security engineer thoroughly inspects every alert that comes their way.
Rather than fighting the tide, DevSecOps teams must surf the wave. They must embrace the speed of modern CI/CD and make everyone’s job easier by building automated security into the SDLC. This means automating runtime protection that is informed by build-time code analysis, rather than using approaches that rely on manual intervention. Just as the DevOps movement is based on turning infrastructure into code, for 2018 to be the year that DevSecOps takes off, organizations must learn to automate security as code.