Shifting Security Left: 3 DevSecOps Challenges and How to Overcome Them

DZone 's Guide to

Shifting Security Left: 3 DevSecOps Challenges and How to Overcome Them

Security is often ignored by DevOps in favor of speed, but security is important. These DevSecOps tips will help you maintain quality and speed.

· DevOps Zone ·
Free Resource

Software organizations are under tremendous pressure to deliver innovative products and ship updates fast. To keep up with the competitive and ever-rapid release schedule, many software teams are adopting the DevOps model for its increased efficiency and agility.

Companies that are required to innovate and stick to tight release timelines are learning that a well-planned DevOps cycle, integrated into the application development process, can help them stay on schedule without compromising quality for slower manual testing and bug fixing that would traditionally come at the end of the process.

Is DevOps’ Need for Speed Leaving Security in the Dust?

While organizations continue to adopt, expand, and perfect their DevOps game, malicious attacks on application layers are on the rise, and it seems like almost every day brings news of yet another data breach in an organization. Enterprises are coming to realize that while DevOps tools and processes are great for staying innovative within tight release timelines, the risks of slack security remain real, immediate, and extremely costly. This puts DevOps outfits under pressure to implement stronger and smarter security measures.

Security: Too Slow to Join the DevOps Squad?

Incorporating security into the DevOps cycle is a relatively new approach, and up until recently, not many people thought it was a good fit. Even security experts point out that incorporating security people into the development lifecycle can be challenging.

Security expert Michele Chubirka says in her blog that, “While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don’t understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program.”

This led to a situation where the security team was essentially out of the picture, unable to have a real impact on the final product in an efficient manner.

DevSecOps: Where DevOps and Security Can Play Nice

Over the past few years, more and more enterprises and organizations are making a concerted effort to shift security practices left and incorporate them into the DevOps cycle, ensuring that security doesn’t impede time to market. According to recent DigiCert research, organizations are already invested in incorporating security with DevOps. Research results show that 49% of the organizations surveyed said that they are in the process of integrating security with DevOps, and that another 49% said that they already completed their integration.

Ensuring a Smooth Ride: 3 DevSecOps Barriers & How to Overcome Them

Change is never easy for an organization, and incorporating security into the DevOps cycle is quite a transition on many levels. Teams and experts need to adjust themselves to a new organizational structure, new processes need to be adopted, new skills need to be developed, and new tools need to be integrated. As companies continue to adopt the DevSecOps approach, they should be aware of the common challenges management teams face as they set out on this journey.

Here are a few barriers organizations face on the road to ensuring security throughout an efficient and innovative DevSecOps cycle:

#1 Teamwork Makes the Dream Work

Adopting a DevSecOps approach requires teams and experts that aren’t used to working together to cooperate, creating and maintaining a development lifecycle that delivers quickly and securely.

This requires all players (we’re looking at you developers, operations, and security professionals) to respect the expertise that their counterparts bring to the table, and learn how to work together to ensure the process and end product are up to everyone’s standards.

It’s up to all stakeholders in the organization to ensure this transition succeeds, because when it does, the sum of the DevSecOps cycle will prove greater than its individual parts.

#2 Security Knowledge Is Power

It’s hard to build a strong DevSecOps outfit without the (Sec)urity.

As organizations are learning that security requires just as much expert manpower as infrastructure and quality, the cybersecurity skills gap is becoming a real issue. Some experts predict that by 2019, there will be a shortage of 2 million cybersecurity professionals.

How can you make sure that your DevSecOps teams are proficient in security?

IBM Security General Manager Marc van Zadelhoff recommends “[Creating security] roles that prioritize skills, knowledge, and willingness to learn over degrees and the career fields that gave people their initial work experience.” Van Zadelhoff says many of IBM’s successful new hires “were curious about security and motivated to learn the skills.”

If organizations innovate their approach to hiring security personnel, they will most probably gain ambitious, motivated professionals that are willing to roll up their sleeves and think out of the box.

#3 Automate Much?

Speaking of thinking outside of the box, the old-school, waterfall security practices typically began very late in the product lifecycle. This approach is at odds with the agile DevSecOps process. If organizations really want to embed security throughout their DevOps cycle, application security tools are required.

Using continuous automation tools throughout integration and deployment will help boost security, quality, and even compliance. Organizations need to seriously address the fact that today, most of their code is 3rd party, and insist on good code hygiene from the start of development and throughout the DevSecOps cycle.

Integrating technologies like Software Composition Analysis tools early into their processes will help DevSecOps teams to ensure the products that they are delivering are as risk-free as possible.

DevSecOps: Shifting Security Left

Organizations don’t need to choose between security, innovation, and speed as the DevSecOps approach allows them to have their cake and eat it, too. They just need to remember the basic ingredients of automation, innovation, and cooperation.

devops ,devsecops ,open source ,security

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}