July 12, 2019
With DevSecOps, security vulnerabilities are addressed much earlier in the DevOps cycle, ensuring secure applications are built from the ground-up.
In another two years, the “digital underbelly,” or cybercrime, will near $6 trillion in damages. This is not collateral damage; it’s $6 trillion worth of opportunities lost to subpar application security. These damages extend beyond the financial realm into customer trust, the currency on which digital business runs. A security lapse could even sound the death knell for some companies.
This situation is due to a skewed focus on application development that sidelines security. Even when Agile methodologies such as DevOps contribute to a more rigorous application development process, security often remains firmly in the purview of the traditional waterfall approach.
Moreover, security is often entrusted to enterprise IT teams that treat it as an infrastructural component rather than an application design element. Rudimentary measures such as firewalls that guard the borders are deemed sufficient. This approach fails when applications are hosted in environments that extend beyond enterprise IT, such as the cloud, containers or serverless computing platforms. In fact, if security is not on the agenda, the first hurrah around successfully applying DevOps in digital could well be the last.
DevSecOps: Fine-tuning DevOps for Digital
As organizations modernize their approach to application development, security cannot remain as an afterthought. Applications modeled on a digital architecture, technology and design put traditional security assurance practices on notice. The answer is DevSecOps, which takes a proactive stance by embedding security into the DevOps cycle and encoding security into the application, thus rendering it difficult to penetrate.
With DevSecOps, teams address vulnerabilities much earlier, rather than firefighting them at a later stage. It turns security into a key business requirement, ensuring secure applications are built from the ground-up, the first time.
For example, in the continuous deployment world, developers automate the creation and deployment of multiple environments. If DevSecOps is not implemented, security vulnerabilities may go unnoticed for extended periods of time, delaying time to market. Because DevSecOps integrates security into every software iteration, each time software is released to a production environment the organization can evaluate security vulnerabilities early in the lifecycle and address them.
Pivoting to DevSecOps
To put the cogwheels in motion, enterprises need to view security as inherently crucial to success. This requires a significant shift within teams, in terms of their agenda, modus operandi and culture. Here are some ways more mature DevOps teams can pivot to DevSecOps:
While it’s possible to build DevSecOps capabilities from the ground-up, a faster approach is to leverage open source platforms that orchestrate security expertise, processes and tools for speed-to-market advantage. We’ve implemented a vulnerability scan solution for a large cruise channel by integrating OWASP Zed Attack Proxy, one of the most popular free security tools, with the company’s enterprise DevOps. This addressed the critical challenge of isolated and incomplete security testing, which had let vulnerabilities surface in production; the result was earlier vulnerability detection and reduced time to production.
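As an added example (not the implementation described above), here is a Python gate a pipeline stage could run after deploying to a test environment: it drives ZAP’s baseline scan in Docker, reads the JSON report and fails the build when a High-risk alert remains. The image name, the report layout and the sample findings are assumptions, and the embedded report is constructed for the offline demo.

```python
import json
import subprocess
import sys

ZAP_IMAGE = "owasp/zap2docker-stable"  # assumption: the ZAP image the pipeline pulls
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample in ZAP's traditional JSON report layout (not a real scan result).
SAMPLE_REPORT = {"site": [{"@name": "http://staging.example.invalid", "alerts": [
    {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "instances": [{"uri": "/search?q=x"}]},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "instances": [{"uri": "/"}, {"uri": "/login"}]}]}]}


def run_baseline_scan(target_url, report_name="zap-report.json", workdir="."):
    """Run ZAP's baseline scan in Docker; return the JSON report path.
    zap-baseline.py exits non-zero on WARN/FAIL alerts, so that exit code is
    ignored here and gate() below makes the pass/fail decision."""
    cmd = ["docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk:rw", ZAP_IMAGE,
           "zap-baseline.py", "-t", target_url, "-J", report_name]
    subprocess.run(cmd, check=False)
    return f"{workdir}/{report_name}"


def alerts_at_or_above(report, min_risk):
    """List (alert name, riskcode, instance count) for alerts with riskcode >= min_risk."""
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert.get("riskcode", "0")) >= min_risk:
                found.append((alert["alert"], alert["riskcode"],
                              len(alert.get("instances", []))))
    return found


def gate(report, min_risk=3):
    """True when the build may proceed, i.e. no alert at or above min_risk remains."""
    return not alerts_at_or_above(report, min_risk)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python zap_gate.py https://staging.example
        with open(run_baseline_scan(sys.argv[1])) as fh:
            report = json.load(fh)
    else:  # offline demo on the constructed sample
        report = SAMPLE_REPORT
    for name, risk, count in alerts_at_or_above(report, 1):
        print(f"[{RISK_NAMES[risk]}] {name}: {count} instance(s)")
    sys.exit(0 if gate(report) else 1)
```

The threshold is deliberately a parameter so a team can start by failing only on High and tighten to Medium once the backlog is cleared.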
The Last Word
In the end, organizations must understand and appreciate the bargain they strike with customers – convenience and curated experience in return for use of their data. But they need to uphold their end of the bargain by ensuring customer data is protected against malicious attacks that exploit security loopholes.
Any security attack is damaging to both the enterprise and its customers, and the reparations often fail to mitigate the loss. Damages such as $6 trillion don’t even begin to make a mark. In the end, the old adage holds – better safe than sorry – especially when there are ways to ensure that safety.