We all want to make the headlines, but only for the right reasons; DevSecOps may be the key to achieving just that. There are countless companies out there striving to become press darlings and be dubbed the “Airbnb of XXX” or the "next Uber." But there’s a reason why digital disruptors like Facebook, Netflix, and Lemonade are called unicorns: because they’re few and far between. For enterprises taking tentative steps toward digital transformation, the likelihood is they may find themselves in the headlines for the wrong reasons – their security.
Security breaches and leaks are seemingly becoming more and more commonplace in the interconnected world of today. Spend five minutes googling "data+breach" and flick through the top stories listed – the chances are there’s been at least one incident reported today; another firm falling afoul of data security protocols and finding itself in hot water. Over the last few years, companies of all sizes have experienced major data leaks; from restaurant-discovery company, Zomato, to "pay-day" loan provider, Wonga, and even major international corporations including Yahoo and LinkedIn. And most worryingly, the size and scope of each new breach seem to outstrip the last.
Clearly, security threats are increasing and it’s becoming a challenge to keep up.
Moreover, there are some distressing statistics to be found. According to Insurance Business Magazine, more than 31% of small businesses are unable to sustain their operations for more than a week after being hit by a cyber-attack. Compounding this, approximately 62% of all cyber-attacks target smaller businesses. For those startups looking to become the next Uber, it seems the odds may just be stacked against them, unless they’re one of the increasing number of organizations adopting a DevSecOps mindset.
DevSecOps and Why It Matters
The basic principle of DevSecOps (Development, Security, and Operations) couldn’t be clearer: “everyone [in the software development life cycle] is responsible for security.”
While that may seem like an obvious statement, historically it hasn’t always been the case, primarily because developers haven’t been overly concerned with the security of an application; their focus has been on functionality. DevSecOps seeks to change this mindset. And it’s increasingly vital, because as applications have become more complex, so have the security issues they face.
As we all know, a major part of DevOps is how applications are deployed and monitored, and automation plays a big part in this process. But if not governed properly, the very automation that lets us move faster than ever before without compromising quality may actually be introducing vulnerabilities.
Think of the access and permissions granted to automation agents or bots. They’re regularly given administrator-level access, but how often are those privileges reviewed? Once the bot has made its environmental change, does it still require that administrator-level access, or are you succumbing to privilege creep? Remember, every administrator account you hold widens your exposure: each one is a potential backdoor into your systems, and therefore your business, and a bot’s credentials are only as well protected as the pipeline that stores them.
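One practical way to answer “how often are those privileges checked?” is to audit them on a schedule. The script below is an added example, not code from the original article or from any particular product: it takes an export of role grants for automation accounts (principal, role, when the role was granted, when it was last exercised) and flags admin roles that are idle, any role that is idle, and admin roles still in use that need re-justifying. The grant records, the role names treated as administrative, and the 30-day review window are all constructed assumptions; substitute your IAM, CI/CD, or cluster RBAC data and your own policy.

```python
"""Audit automation accounts for stale or excessive privileges.

Added example; not from the original article. The grant records below are
constructed stand-ins for what you would export from your IAM, CI/CD or
cluster RBAC system (principal, role, grant time, last time the role was
actually exercised). Role names and the 30-day review window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed: roles your platform treats as administrative; adjust to your environment.
ADMIN_ROLES = {"admin", "owner", "cluster-admin"}
# Assumed review window: a privilege not exercised within this window is suspect.
STALE_AFTER = timedelta(days=30)


@dataclass(frozen=True)
class Grant:
    principal: str                 # bot / service account name
    role: str
    granted_at: datetime
    last_used: Optional[datetime]  # None means the role has never been exercised


@dataclass(frozen=True)
class Finding:
    principal: str
    role: str
    severity: str                  # "high" | "medium" | "low"
    reason: str


def assess(grant: Grant, now: datetime, stale_after: timedelta = STALE_AFTER) -> Optional[Finding]:
    """Classify one grant. A role that was never used is measured from its grant time."""
    idle = now - (grant.last_used or grant.granted_at)
    stale = idle >= stale_after
    admin = grant.role in ADMIN_ROLES
    if stale and admin:
        return Finding(grant.principal, grant.role, "high",
                       f"admin role idle for {idle.days}d: remove or downgrade")
    if stale:
        return Finding(grant.principal, grant.role, "medium",
                       f"role idle for {idle.days}d: remove")
    if admin:
        return Finding(grant.principal, grant.role, "low",
                       "admin role in active use: re-justify at every review")
    return None


def audit(grants: List[Grant], now: datetime, stale_after: timedelta = STALE_AFTER) -> List[Finding]:
    """Run assess() over every grant and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (assess(g, now, stale_after) for g in grants) if f]
    return sorted(findings, key=lambda f: (order[f.severity], f.principal))


def admin_principals(grants: List[Grant]) -> set:
    """Every account that currently holds an admin role; each is a potential backdoor."""
    return {g.principal for g in grants if g.role in ADMIN_ROLES}


# Constructed sample export; the clock is fixed so the output is reproducible.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    # cluster-admin was used once for a migration and never since: classic privilege creep
    Grant("deploy-bot", "cluster-admin", datetime(2023, 6, 1, tzinfo=timezone.utc),
          datetime(2023, 6, 2, tzinfo=timezone.utc)),
    # the narrower role the bot actually exercises
    Grant("deploy-bot", "deployer", datetime(2023, 6, 1, tzinfo=timezone.utc),
          datetime(2024, 1, 30, tzinfo=timezone.utc)),
    # owner granted recently and never used yet
    Grant("backup-bot", "owner", datetime(2024, 1, 20, tzinfo=timezone.utc), None),
    # read-only role that has gone quiet
    Grant("metrics-bot", "reader", datetime(2023, 1, 1, tzinfo=timezone.utc),
          datetime(2023, 11, 15, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, NOW):
        print(f"[{f.severity:6}] {f.principal:12} {f.role:14} {f.reason}")
    print("admin-capable accounts:", sorted(admin_principals(SAMPLE_GRANTS)))
```

Run on a schedule (a nightly pipeline job is enough), fail the job on any “high” finding, and treat the size of `admin_principals()` as a metric you want trending down: each name in that set is an account whose compromise hands an attacker the whole environment.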
DevSecOps seeks to catch problems of this kind before they turn into incidents. In the past, traditional security approaches were typically slow and cumbersome. Worse, they were either introduced very late in the deployment process, or established only after a vulnerability was discovered in a shipped product. The primary goal of DevSecOps is to go beyond enemy lines, so to speak: to find these vulnerabilities early and to build security processes and controls into every stage of the development cycle, rather than bolting them on after the fact.
Although it can take time to establish a fully functioning DevSecOps team, and a cultural shift is usually needed, the benefits outweigh the costs. In the long run, it will reduce your security spend and lower the chances of falling victim to a cyber security incident. Just like DevOps, DevSecOps seeks to deliver better results at greater speed through collaboration, communication, and a greater emphasis on operations and security. It is a mentality more than a specific practice, but that’s not to say there aren’t tools out there which can help you adopt the mindset more quickly.