Information technology teams across all industries grappled with the emergence of the DevOps methodology in the early 2010s, breaking down the walls between coders and software maintenance staff in an effort to roll out more effective internal and external digital product. Today, DevOps team members account for more than one-quarter of the average IT department roster, according to research from the software firm Puppet. These talented professionals have improved software quality for approximately 63 percent of the businesses that have hired them, with some driving revenue increases as high as 19 percent, researchers for Puppet and CA Technologies revealed.
Despite the overwhelming success of the software development strategy, innovators within the IT space recently modernized the DevOps methodology to address an important concern among enterprises: data security. Hackers have orchestrated approximately 141 breaches this year, making off with more than 2 million sensitive files, according to the Identity Theft Resource Center. This activity is expected to pick up throughout the year, as cybercriminals harness the latest technology – including artificial intelligence software and augmented reality gear – to break into company servers, researchers for Experian reported. These developments follow more than a decade of digital threat intensification, an era that has prompted massive investment in data security infrastructure, an estimated 76 percent of which has gone toward programs aimed at shoring up application defenses, according to the SANS Institute. In addition to boosting IT budgets, technical stakeholders have returned to existing industry-standard workflows to retrofit them for the modern threat environment – DevOps chief among them.
This push to revitalize standing strategies has given way to DevSecOps, another innovative application development strategy meant to yield agile yet sturdy software.
DevSecOps in action
Like DevOps teams, DevSecOps groups leverage the experience and skills of cross-functional contributors to roll out internal and external programs that are built with data security in mind, meaning the resulting applications are secure from the code up, ZDNet reported. In most instances, highly-trained security professionals work alongside developers to ensure application frameworks are free of structural vulnerabilities. This strategy represents a significant shift, as data security was once considered a secondary concern among early DevOps professionals, who streamlined development activities as much as possible in an effort to facilitate optimal agility, according to the International Data Group.
"Application security was mostly an afterthought, and at times perceived as a roadblock to staying ahead of the competition," Pascal Greenens, a data security researcher for Radware, told IDG. "Given the reliance of applications to keep operations running, bypassing security must be considered a high-risk strategy – a distributed or permanent denial of service attack could easily catch you out. You just need to look at the implications of failing to update the Apache Struts framework as suffered by Equifax. The DevSecOps movement is designed to change this."
"DevSecOps groups leverage the experience and skills of cross-functional contributors to roll out that internal and external programs that are built with data security in mind."
In addition to simply strengthening application data security protections, DevSecOps teams implement automated backend controls that make it easier for administrators to oversee common defensive activities such as identity and access management, firewall development and threat analysis. This, of course, reduces that likelihood of major breaches, as vigilance is perhaps the most useful quality any modern IT security team can exhibit.
Businesses that have embraced DevSecOps strategies have seen demonstrable results. For example, enterprises with integrated application development and data security teams mitigate the impact of server intrusions within 92 days of discovery, on average, Ryan O'Leary, the chief security research officer for WhiteHat Security, told IDG. Those continuing to maintain internal barriers between these two groups complete this work over the course of 174 days. The same level of disparity exists when it comes to breach detection. Firms with active DevSecOps teams can uncover breaches within 51 days, while those without these groups routinely take 113 days. In short, the DevSecOps approach offers immense benefits.
Implementing DevSecOps strategy
How can organizations on the outside looking in reap the benefits that come along with this burgeoning application development strategy? Daniel Cuthbert, the head of global cybersecurity for Satander Bank, among the first adopters of the DevSecOps approach, told IDG businesses must first evaluate their existing agile workflows to see where data security could fit. He also stressed the collaborative element, explaining that enterprise IT stakeholders must work hard to cultivate buy-in among all the cross-functional players involved. Cuthbert touched on personnel, saying that businesses boarding the DevSecOps bandwagon should pinpoint invested leaders to manage implementation and look for the data security expertise needed to execute.
Unfortunately, many companies do not possess the talent needed to succeed with the DevSecOps approach in-house, according to research from the application security firm Veracode. This necessitates hiring from the outside or offering upskilling opportunities to current employees. Either way, businesses in need of DevSecOps contributors must focus on several key competencies when hiring or cultivating these key contributors, Dark Reading reported. The ability to communicate is perhaps the most important skill for data security professionals collaborating with developers and other product stakeholders in the context of DevSecOps. There can be considerable friction in these setups, as a majority of coders consider security compliance a roadblock to productivity. Executives are likely to embrace a similar attitude because, in their minds, slower processes inhibit growth and shrink profit margins. In actuality, pragmatic data security processes do the opposite, reducing the risk of costly breaches. With these challenges in play, DevSecOps security personnel must leverage their communication skills to facilitate collaboration and articulate the value of structurally sound code.
Data security experts must also focus on developing and continually communicating well-crafted security standards via hands-on methods. This sort of transparency makes it easy to set expectations during the application development process, accelerating on-the-ground workflows and reducing time-to-market and risk.
"DevSecOps security personnel must leverage their communication skills to facilitate collaboration and articulate the value of structurally sound code."
"Most security organizations do a horrible job in articulating their expectations and just throw around best practices and National Institute of Standards and Technology standards," data security expert Michele Chubirka told Dark Reading. "Sit in scrum teams and provide feedback. Teach them to threat model and implement standard questionnaires that can assist with this."
In addition to sourcing qualified staff, organizations pursuing DevSecOps strategies must find capable backend solutions partners that bolster data-security infused application development efforts, according to the SANS Institute. Today, this means developing relationships with cloud providers and other vendors supporting the Infrastructure-as-a-Service model. It also requires collaborating with technology providers that create the tools modern developers need to craft sound internal and external products.
Contact us today or review our extensive product catalog to see how Inventu can help DevSecOps personnel infuse world-class security protocols into agile workflows.