Why enterprises need to make the shift to DevSecOps now [Q&A]
Many enterprises have adopted DevOps practices in order to streamline their development. But security is all too often treated as an afterthought.
There is, of course, a way around this: integrate security into the DevOps pipeline itself, in other words move to DevSecOps.
We talked to Bill Mann, CEO at Styra, to find out why he thinks enterprises must now shift from DevOps to DevSecOps, especially as we move toward a more cloud-native ecosystem.
BN: How would you define DevSecOps, and how does it differ from DevOps?
BM: DevOps focuses on application team collaboration throughout an app's development and deployment process. The aim of this is to have faster deployments, fewer failures and speedier recoveries. Doing this allows organizations to provide better products that are adaptable.
But finding a balance between agility and security can be a fine line, and the DevOps model does not always adequately address security concerns. DevSecOps addresses security at the beginning of the software delivery lifecycle versus at the end, and aims to find where security can fit in at each step of the development process. Security is no longer an afterthought as DevSecOps integrates the management of security from start to finish. Creating code with security in mind helps with mitigating risk errors and making deployment initiatives easier to implement.
BN: Why have enterprises been slow to adopt DevSecOps?
BM: Traditionally, many businesses think of security as an afterthought -- plus the actual technology is perimeter-based. Since DevSecOps is forcing a reframing of the process around security -- for example, inserting security at different steps in the process -- we know from other areas that process shifts take longer. DevSecOps requires teams to reframe their approach to development, which can seem like a large lift. However, the benefits of making the shift certainly outweigh the costs, especially as security concerns continue to grow.
BN: Does adopting DevSecOps require a shift in mindset?
BM: I would say that adopting DevSecOps does require a shift in mindset as well as a shift in organizational culture. By giving security architects a louder voice in the organization as well as giving them more responsibility from the start, the company can more easily make this seamless transition. From there, it is important for leadership to listen to these architects. By opening up communication, the organization can better understand the challenges that teams face and pinpoint where security can either be built into a platform more broadly or where it must be specific to the individual services. Doing this will empower the security architects and allow the organization to adopt a DevSecOps culture.
BN: Has the pandemic made the shift to this model more important?
BM: The pandemic prompted more enterprises to expand their digital presence and many companies moved to cloud and cloud-native applications in order to continue operations remotely. In parallel to this, having application developers working from home means that the software development life cycle has to be more strongly followed to ensure alignment.
Additionally, there's the complex nature of modern applications -- composed of multiple microservices, housed in containers -- and then there's the dynamic nature of platforms like Kubernetes, running those applications. Change is constant, and while cloud-native means deploying and managing these applications more quickly and with more automation than ever before, it also introduces new risks and challenges.
All of these complexities have resulted in DevSecOps being added by companies to manage the risk.
BN: What are the things businesses need to consider when adopting DevSecOps?
BM: When adopting DevSecOps, organizations want to have better alignment among teams and to reduce silos. However, the current work from home environment can make this challenging if employees are used to in-person environments. Businesses will have to consider how to best connect teams virtually so that they can seamlessly operate as a cohesive unit.
Additionally, businesses need to consider how this adoption will impact their traditional processes and timelines. Many development teams are used to creating quick updates to apps and shipping them out. But, adequately addressing security concerns throughout the development process takes time and might slow down to-market times. This adjustment must be considered to ensure teams have time to work together and reduce stress around rapid deadlines.
Right now, we are observing businesses giving more weight to architects to define and evangelize these changes across app development, security and ops teams.