By Jenna Bunnell – Senior Manager, Content Marketing, Dialpad
With 53% of businesses saying it’s likely their enterprise will experience a cyberattack in the next 12 months, cybersecurity has never been more important.
Software development companies can’t afford to release vulnerable products – but they also have to balance the time it takes to run security checks against the pressure to release software rapidly in a competitive market.
Good news: those two aims are not mutually exclusive. We’re going to show you how implementing DevSecOps will give you maximum security without compromising speed.
What is DevSecOps?
DevSecOps is an IT culture in which the responsibility for delivering secure software is shared between the development, security and operations teams. The aim is to integrate security objectives throughout the software development lifecycle (SDLC), instead of leaving them to the end.
DevSecOps builds on the principles of DevOps (more on that shortly), which encourages collaboration between skilled people from different technical disciplines, and adds the processes and automated tools needed to bake security into rapid-release cycles.
How did DevSecOps come about?
A decade or so ago, major developers only released new software periodically. There was plenty of time for the code to undergo security testing. Nowadays, new features and code are continuously pushed into production.
This is why DevOps culture was born. It aligned development and operations practices, and this shared responsibility helped organizations to iterate faster. However, with code being produced and released so rapidly, security was not always able to keep up.
Plus, organizations typically carried out security checks only in the final stages of development. A vulnerability discovered at that stage was much harder to design out of the code, so patching after release became the norm. A new approach was needed.
Enter DevSecOps.
DevSecOps is a natural continuation of DevOps, but it extends the philosophy of shared ownership by making security objectives part of the overall structure.
What are the benefits of DevSecOps?
Some companies are reluctant to implement DevSecOps, usually because they’re not quite sure what it means, and it’s a big change for employees. But the positive impact outweighs the challenges.
Tighter security
The more software your organization uses, the more cybersecurity risks you’ll encounter. For instance, if your customer service runs on an artificial intelligence tool that handles customer records, a breach of that data is not a risk you can take. DevSecOps helps you improve your overall security with continuous monitoring, and it reduces the number of serious vulnerabilities that reach production.
Faster releases
Rather than hindering the speed of product releases, successful implementation of DevSecOps actually accelerates it. As well as using automation, the method reduces security bottlenecks – as you don’t have to wait for the development cycle to finish before carrying out security checks.
Lower costs
DevSecOps enables you to spot vulnerabilities at an early stage of the SDLC, when they are far easier for engineers to fix. This means a significant reduction in cost, because much less time is spent reworking code that has already shipped and producing emergency patches.
Better accountability
With diverse teams working together on security, developers feel a sense of ownership over the security of their applications, which improves accountability. Increased collaboration also helps teams come up with effective security strategies and designs.
Increased sales
If you can show that your product has been built and tested securely, it’s much easier to sell. Customers will also have fewer glitches to complain about, and you’ll soon see that in your customer experience data. Automated configuration management keeps the production environment on the latest, patched versions of its components.
Compliance
By giving managers a holistic overview of the development process, including a record of which security checks each release passed, DevSecOps helps you to maintain compliance with industry-standard regulations such as state-level privacy legislation.
DevSecOps implementation
The steps involved in DevSecOps implementation may differ slightly depending on the size and complexity of your project, but these are the main stages you’ll go through.
Planning
Remember, the aim is to integrate security objectives early in development. It’s important to develop a concise plan that covers security and performance requirements, acceptance test criteria, the application’s interfaces and functionality, and a threat model that lists the expected threats and the defense for each.
Developing
The development team should evaluate existing security practices and suggest critical changes, while security teams must be willing to adapt their practices to the development workflow. This is especially crucial in remote product development.
Developers should also gather available resources for guidance, adopt reliable practices, and put a code review system in place for everyone to follow.
Building and testing
Automated build tools assist the DevSecOps implementation process by facilitating test-driven development and running static code analysis to check that the code meets coding and security standards.
They also support a library of plugins, including software composition analysis tools that flag third-party libraries with known vulnerabilities and can propose an upgrade to a fixed version (the upgrade still has to be reviewed and tested like any other change). Meanwhile, automated testing should cover front-end, back-end, API and database tests, plus passive or dynamic security scanning of the running application.
Deploying
Provisioning and deployment are typically carried out with infrastructure-as-code (IaC) tools, which automate the process for consistency while speeding up software delivery. These tools increase efficiency and help to reduce problems caused by human error, but a misconfiguration in the code ships to every environment, so IaC should be version-controlled, reviewed and policy-checked just like application code.
Operating and monitoring
The operations team must carry out regular monitoring and upgrades, taking extra care with zero-day vulnerabilities (flaws that attackers know about and can exploit before the vendor has released a patch, so defenders have had “zero days” to fix them). The continuous monitoring of DevSecOps cannot prevent a zero-day, but it shortens the time between disclosure and a patched deployment.
Scaling
Thanks to cloud and virtualization solutions, organizations no longer need to maintain large data centers. They can scale their IT infrastructure as required, or rebuild it from code in the event of a compromise rather than trying to clean up an affected system. This has particular relevance to business communications security.
Adapting
Don’t just implement DevSecOps and expect it to keep working forever. Like any business process, it needs continuous improvement to ensure it’s working as it should. This means evaluating practices and evolving to meet changing trends and maximize growth.
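The build, test and deploy stages above come down to automated gates that fail the pipeline when a check does not pass. As an added example (not code from the article or from Dialpad), here are two such gates in Python: a dependency check that compares pinned package versions against an advisory list, and a policy check over an infrastructure plan. Everything in it is constructed for illustration: the advisory list, the requirements file, the package names and the plan document are made up, and the plan only follows the general shape of `terraform show -json` output (`planned_values.root_module.resources`), which is an assumption about that layout rather than something the article describes.

```python
"""Two automated gates of the kind a DevSecOps pipeline runs before a release.

Added example, not code from the article or from Dialpad. The advisory list,
requirements file and plan document below are constructed for illustration.
"""
import json
import re

# --- Gate 1: dependency check (software composition analysis) -------------

# Constructed advisory list: package -> (first fixed version, advisory label).
# A real gate would pull this from an advisory database, not hard-code it.
ADVISORIES = {
    "example-http": ("2.3.1", "EXAMPLE-ADV-1 (constructed)"),
    "example-yaml": ("5.4.0", "EXAMPLE-ADV-2 (constructed)"),
}

# Constructed requirements file: one pinned package is below its fixed version.
REQUIREMENTS = """\
example-http==2.2.0
example-yaml==5.4.1
example-json==1.0.0
"""


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))


def check_dependencies(requirements_text):
    """Return one finding per pinned package older than its first fixed version."""
    findings = []
    for line in requirements_text.splitlines():
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line.strip())
        if not match:
            continue  # blank or unpinned line; a strict gate would reject unpinned specs
        name, version = match.group(1).lower(), match.group(2)
        if name in ADVISORIES:
            fixed, label = ADVISORIES[name]
            if parse_version(version) < parse_version(fixed):
                findings.append(f"{name}=={version} is below fixed version {fixed} ({label})")
    return findings


# --- Gate 2: infrastructure-as-code policy check ---------------------------

# Constructed plan document, assumed to follow the shape of `terraform show -json`.
PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_security_group.api", "type": "aws_security_group",
   "values": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
  {"address": "aws_db_instance.main", "type": "aws_db_instance",
   "values": {"publicly_accessible": true, "storage_encrypted": false}}
]}}}
""")

ALLOWED_PUBLIC_PORTS = {80, 443}  # the only ports this policy lets face the internet


def check_plan(plan):
    """Return policy violations found in a plan document."""
    findings = []
    for res in plan["planned_values"]["root_module"]["resources"]:
        addr, values = res["address"], res.get("values", {})
        if res["type"] == "aws_security_group":
            for rule in values.get("ingress", []):
                if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                    ports = set(range(rule["from_port"], rule["to_port"] + 1))
                    if not ports <= ALLOWED_PUBLIC_PORTS:
                        exposed = sorted(ports - ALLOWED_PUBLIC_PORTS)
                        findings.append(f"{addr}: ports {exposed} open to the internet")
        elif res["type"] == "aws_db_instance":
            if values.get("publicly_accessible"):
                findings.append(f"{addr}: database is publicly accessible")
            if not values.get("storage_encrypted", False):
                findings.append(f"{addr}: storage is not encrypted")
    return findings


def run_gates():
    """Combine both gates; a non-empty result should fail the pipeline stage."""
    return check_dependencies(REQUIREMENTS) + check_plan(PLAN)


if __name__ == "__main__":
    problems = run_gates()
    for problem in problems:
        print("FAIL:", problem)
    raise SystemExit(1 if problems else 0)
```

Run as a pipeline step, the non-zero exit status is what blocks the release; the findings themselves go into the build log so the developer who opened the change sees exactly which pin or which resource to fix.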
Challenges of DevSecOps
As mentioned, successful implementation of DevSecOps requires a change of mindset – which may be difficult for people used to doing things in a traditional way. Training is required to ensure everyone involved knows why you’re doing this and the benefits it will bring.
Although DevSecOps is all about collaboration, there may be friction at first between different teams with contrasting objectives. For example, developers are focused on speed of delivery and may see increased security as a barrier.
Ops engineers may automatically point to software misconfiguration or infrastructure problems as the cause of anomalies, whereas security teams will always suspect a potential breach. The aim is to get these teams to understand each other’s practices and viewpoints, and avoid working in silos.
Finally, another challenge of DevSecOps is getting the right people for the job. Despite the increase in cyberattacks, there is a shortage of skilled cybersecurity engineers. But they are much-needed: 78% of respondents to ISACA’s State of Cybersecurity 2020 report said the demand for individuals with technical cybersecurity skills was increasing.
Best practices for DevSecOps
The challenges discussed above can be mitigated by implementing best practices, which will help you to make DevSecOps a success.
Secure coding
You need to develop software with high resistance to vulnerabilities, which means secure coding is essential: input must be treated as untrusted data, never as code. It’s crucial that your developers have the right skills for this, and they may require extra training. It’s also helpful if developers establish and stick to coding standards, to help them write clean code.
Automation
Automation is a key part of DevSecOps, as it enables security to keep up with development and release. A number of tools are available for cybersecurity automation, such as release management and CI/CD tools, Static Application Security Testing (SAST) tools, and software composition analysis tools for third-party dependencies.
These tools have evolved to meet the needs of both developers and security teams, and many are packaged as all-in-one platforms. Choose tools that suit your organization and working practices, and wire them into the pipeline so that a failed check blocks the release rather than producing a report nobody reads.
“Shift-left” testing
This principle is at the heart of DevSecOps culture – it’s the practice of incorporating security at the beginning of the SDLC. As we’ve seen, testing early helps you identify potential issues sooner, making them easier and cheaper to fix. It works best when you break testing down into manageable chunks, such as unit tests that run on every commit, and review test suites regularly to make sure they stay relevant.
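The secure coding and shift-left sections above meet in the regression test: a security property expressed as a unit test that runs on every commit. As an added example (not code from the article or from Dialpad), the Python below shows a user lookup written two ways, with string formatting and with a bound parameter, and the test that pins the safe behaviour. The table, the sample rows and the injection payload are constructed for illustration.

```python
"""Secure-coding fix for SQL injection, with the regression test a pipeline
would run on every commit. Added example, not code from the article or from
Dialpad; the schema, sample rows and payload are constructed for illustration."""
import sqlite3


def make_db():
    """In-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the query by string formatting, so the input is parsed as SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Binds the input as a parameter, so it can only ever be compared as data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "nobody' OR '1'='1"


def test_lookup_rejects_injection():
    """Shift-left check: fails the build if the lookup ever returns more than
    the row matching the literal input."""
    conn = make_db()
    assert find_user_safe(conn, "alice") == [("alice", "alice@example.com")]
    assert find_user_safe(conn, PAYLOAD) == []
    # The vulnerable version returns every row; kept here to show what the test guards against.
    assert len(find_user_vulnerable(conn, PAYLOAD)) == 2
    conn.close()


if __name__ == "__main__":
    test_lookup_rejects_injection()
    print("lookup rejects injection: ok")
```

The test is deliberately written against the safe function only; once the vulnerable version is deleted, its assertion goes with it, and any future change that reintroduces string formatting into the query fails the build before it reaches review.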
The right people
DevSecOps means bringing together existing teams with diverse skill sets, rather than hiring new ones. Everyone should receive training on DevSecOps processes and methodologies – and that includes management! You’re going to need buy-in and collaboration at all levels to make it a success.
DevSecOps engineers must also have a strong understanding of risk assessment and threat-modeling techniques. Many teams implement a “security champion” within their development teams – this is someone with particular expertise and advanced training in application security.
Why is DevSecOps important for cybersecurity?
As more of us embrace digital technology, cybercrime increases. The number of data breaches in the US alone rose from 662 in 2010 to more than a thousand by 2020, with 155.8 million individuals affected by data exposures.
It makes sense to protect your organization’s security, and DevSecOps is a great way to do that. By finding vulnerabilities at an early stage, you can fix them swiftly and at a low cost (which also boosts both productivity and customer satisfaction).
So, whether you’re releasing a speech analytics tool or an automated phone dialer, you’ll be confident that the software was tested for security flaws before release and is far less likely to compromise your customers’ data.
Bio:
Jenna Bunnell – Senior Manager, Content Marketing, Dialpad
Jenna Bunnell is the Senior Manager for Content Marketing at Dialpad, an AI-incorporated cloud-hosted unified communications system and cloud PBX for small business that provides valuable call details for business owners and sales representatives. She is driven and passionate about communicating a brand’s design sensibility and visualizing how content can be presented in creative and comprehensive ways. Here is her LinkedIn.