DevSecOps: Yesterday, Today and The Future
The concept of DevSecOps is getting a lot of play these days — and for good reason. As organizations’ DevOps seek to boost their rates of deployments and updates at cadences unheard of just a few years ago, the risk of vulnerabilities can often increase at the same rate in theory. While it doesn’t have to be this way, of course, some organizations struggle with remediating vulnerabilities long after the software has been deployed, not only causing major potential headaches when breaches occur (think Equifax), but causing additional pain when developers must reconfigure code again, and in extreme cases, reinvent the wheel.
The solution, of course, is for security teams to become vested in code development at the very beginning of the production cycle. This is what agile DevOps teams are supposed to do anyway, but many organizations have not implemented the necessary culture, tools and processes to do this. After years of existing as a concept, DevSecOps formalizes the often missing security links in development processes today.
In this edition of The New Stack Makers podcast, we discuss DevSecOps evolution and why it is so vital today. The guests, selected for their first-hand experience with DevSecOps, were:
- Rohit Gupta, global segment leader, security, for Amazon Web Services (AWS).
- Cindy Blake, security advocate, for GitLab.
- Shaan Mulchandani, AWS security practice, for Accenture.
The New Stack Publisher Alex Williams hosted this episode.
As mentioned above, DevSecOps has existed since the early days of DevOps. A few years ago, organizations began to realize how “cheaper” it was “to find and fix vulnerabilities very early in the lifecycle,” Blake said. “The impact of fixing vulnerabilities late in the lifecycle was kind of the first step where people started thinking about shifting left a bit,” Blake said.
“It’s easy to think about the barriers, but [“The Phoenix Project] really got you thinking along the lines of what is possible — DevOps, in general, is a much more collaborative approach. And so when you think about shifting left, it really becomes an enabler or a potential enabler,” Blake said. “You’ve got tools and automation that can come into play there as well. And so together, you’ve got people, processes and technology that really align with the DevOps methodology — and I think that that’s the impetus for this.”
A potential impetus to shifting security to the left in the development process is how security processes have unfairly been seen as potential speed bumps to rapid development and deployments. “It’s almost been unfortunate at times about security sometimes getting a bad rap as the inhibitor versus a catalyst or as a value creator simply because it’s been brought in at the end,” Mulchandani said.
Today, as containers and serverless environments are increasingly seen as catalysts for faster deployments while representing cost-savings opportunities, DevSecOps is a critical component in the process. “Specifically, from a security perspective, I think we are heavily engaged up front in the design phase, Mulchandani said.
DevSecOps is part of a larger trend of moving development and operations to the cloud. “Customers are moving to modern sort of models of deployment. Containers and serverless, are two examples,” Gupta said. “What we’re finding is that some of the capabilities that we are being asked to really help drive that security into the development lifecycle is by building into the continuous integration frameworks. So we have done a lot of work around helping companies build faster, deploy faster and figure out problems faster — and really take remediation action faster.”
For more insight from security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to learn from the experience and expertise of developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Prisma, from Palo Alto Networks, in partnership with The New Stack, you can still virtually attend this event, for a full day of discussions about cloud native security — brought to you online wherever you may be.