DevOps or DevSecOps?

Currently, security attacks are getting more sophisticated and targeting a wider array of system components. This makes preventing and recovering from them more difficult especially when security knowledge and responsibilities are siloed within an organization. It is increasingly more important to ensure that everyone in an organization has a stake in security and that the company’s experts integrate more deeply with other teams. Many companies claim to make security a pillar of culture, but rarely do they invest in more than the occasional training. To truly make security a fundamental pillar, it must be embedded deeper within the organization’s engineering teams and software development life cycles (SDLCs). The latest trend in operationalizing security within tech organizations is the melding of DevOps and security professionals into a joint DevSecOps team and bringing automation, along the domain of quality assurance, into the security toolset to further reduce risk.

Experienced DevOps professionals have long understood their responsibility for keeping tabs on the security risks in their purview, but in many organizations they don’t necessarily have the tools or backing to delve more broadly into security. Often team members have I-shaped skillsets and responsibility areas and their window of involvement in security are kept very narrow and strictly within the operational activities of their team. This makes operationalizing security across the organization much more difficult. This is especially true in larger organizations where the collaboration barriers between teams and departments are more rigid and having security personnel siloed is itself a vulnerability. When security is only a small sliver of individual or team responsibilities, issues are found much later in the process and the risk level and cost of remediation rises.

This is mitigated by embedding security within other teams in the organization. Lately, the trend towards blended DevSecOps teams with broader security oversight helps address the challenges organizations face by removing the silos and barriers of collaboration within this area of the organization. This allows security to be shifted within company workflows facilitating discovery and mitigation of risks and vulnerabilities. It acknowledges the scenario that the later a vulnerability is discovered, timely remediation, spent effort and risk exposure are more costly. Ensuring security guardrails are in place earlier in the development cycle reduces the cost of security and compliance programs and reduces the likelihood of high risk issues making it to production without  a mitigation strategy.

A lot of companies claim security is everyone’s job. But often the culture of security ends at annual anti-phishing trainings and/or the occasional confidentiality discussion. Embedding security experts into teams like DevOps and ensuring experts are hired with enough security knowledge in their toolbox brings it deeper into the company’s culture. Once planted, those roots will grow. In many cases converting to the DevSecOps model will be mostly painless. The actual team process will largely stay the same regardless of the development model the team is using although this shift is especially effective in agile organizations. Workloads should also remain stable—if not decrease—as the time is no longer spent on fixing vulnerabilities in production.

While putting security experts in roles on a DevOps team is a start, it is ever more important to hire DevOps engineers with T-shaped skillsets. While they may not be deep experts, the critical part is that they have security and compliance skills in their repertoires. Their primary duties day-to-day may not be security focused, however in their work with other teams, their security consciousness and conscientiousness will rub off. and spread. They will find issues earlier in the pipeline and the teams they work with will will learn from them and gain the knowledge to spot and even prevent issues. They bring a concern for security standards into their interactions with other engineering teams and over time they help transform the overall culture of engineering into one that is more security conscious.

Automation also plays a key role in risk reduction. Much like automating tests to find bugs earlier, shifting security monitoring left and automating vulnerability-checks and adherence to security policies will save additional effort and money later down the line. While shifting to this DevSecOps model reduces risk, relying on manual processes only goes so far. Automation reduces the human element and the chance something will be overlooked. Properly designed automation tools shift the possibility of human error even further to where it is very easy to remediate. Having skilled DevOps engineers with security experience who can automate these activities pays off.

In addition, team empowerment is incredibly important. By shifting activities left and automating, risk can be reduced incredibly. However, it’s impossible to completely negate it. It’s critical for teams to be empowered to speak up and have proper ways to report any issues found. Making the changes to bring security into DevOps and automate the process mentioned will go a long way towards building the culture of security consciousness that is needed for this. Embedding security deeper in teams and making it part of their daily workflows and conversations shows employees that the company prioritizes security in their operations and cares about vigilance and conscientious reporting.

Adding security consciousness to the DevOps services available to the rest of the company will ensure that risks are considered earlier in the pipeline. This saves companies time and money in remediating those risks and will come at little to no cost to team workflows and velocities. Automation further reduces risk by shifting security even farther in the process and it reduces the risk of human error. These changes also make security a deeper part of company culture. Disseminating knowledge—and attention to the details related to security to the teams and employees with whom DevOps works closely—empowers the entire organization to make security a priority. Vulnerabilities and compliance issues will be found much earlier in the process reducing the cost of fixing them and the risk of production incidents.

Source: ibm.com