Security and Speed: Two Opposing Priorities Can Co-Exist in DevOps

essidsolutions

Under pressure to accelerate product development, developers are forced to trade off security for speed. John Worrall, CEO, ZeroNorth, details the cultural, educational, and tactical means for making speed and security work in tandem within the DevOps practice. Gain actionable insights on building a more secure software development life cycle (SDLC) and a unified DevSecOps practice.

The emphasis placed on the speed and agility of the software development life cycle (SDLC) continues to grow, and for good reason. The pace of application development and delivery is accelerating significantly, with 55% of companies deploying new software at least once a week. While expedited development delivers benefits across many areas, one area that is often overlooked is the security of the applications that are now being built and shipped faster than ever before.

With such a focus on speed of delivery, developers are forced to trade off security for speed. In immature DevOps practices, just 14% of organizations treat security as a concern; that number rises only to 35% in mature DevOps practices. Companies are challenged to harmonize these seemingly opposing priorities: delivering software with speed, and delivering software that is secure. This should not be an either/or decision. Asking and answering the right questions can begin to clarify how speed and security can work together across the SDLC.


As organizations recognized that fast, high-quality development is needed to remain competitive, they asked: how do we prioritize speed and agility across the SDLC? For most, the answer was to adopt a DevOps process, creating agility and a competitive edge by deploying applications at a quicker rate. The DevOps model as a whole is then responsible for delivering applications with speed and agility. The same mindset now needs to be applied to security, by asking questions like: how do we make security a priority? And who should own security in the SDLC?

A GitLab study found that 69% of developers believe it is their responsibility to manage application security. Unfortunately, it isn't that simple: ownership doesn't magically equate to execution. GitLab also found that 49% of organizations struggle to get developers to make remediation of vulnerabilities a priority. That makes sense, because the same study showed that almost 44% of developers don't believe they are judged on their security vulnerabilities, so why would they make it a priority?

Additionally, ownership does not mean competency. The GitLab study found that 68% of security professionals feel that fewer than half of developers can actually spot security vulnerabilities to begin with. So, declaring application security a certain team's responsibility still does not mean that team has the expertise to deliver it.


Ensuring competency and high-quality security results is a process that must involve training, tools, support, and data, all wrapped into the SDLC to create a DevSecOps practice. Key steps to create DevSecOps at an organization include:

  • Culture: The organization needs to stop seeing security as an obstacle and instead see security as an integral part of the application itself.
  • Tools: Developers don’t have the time or resources to be devoted specifically to security. It has to fit in with the goal of speed, remember? So, the right scanning tools have to be implemented to help facilitate this. This includes SAST and SCA tools that feed vulnerability findings back to developers as code is written and built, and DAST tools that exercise the running application (in a test environment or in production) to find the vulnerabilities that only show up at runtime. Plus, orchestration! Making sure the right tools are picked, run at the right point in the pipeline, and managed consistently across the entire process, with their results routed to the people who can fix them.
  • Education: Developers don’t need to be security experts, but they do need the skills to write secure code from the start and help make security better understood.
  • Responsibility: Developers should be measured not just on speed and quality, but on security as well. Implementing security KPIs for the entire company, and metrics for developers within a DevSecOps program, can make sure everyone is doing their part and making security the priority it needs to be.
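A concrete picture of what the "orchestration" and "metrics" items above can look like in a pipeline, as an added example that is not from the original article or from any vendor's product: a small Python gate that normalizes findings from a SAST, an SCA and a DAST scanner into one schema, drops duplicates, blocks the commit or release stage according to a policy, and produces per-team counts that a security KPI could be built on. The three record shapes, the sample findings, the ownership map, the CVE placeholder and the policy thresholds are all constructed for this example; only the CVSS severity bands are the published FIRST/NVD ones.

```python
"""Added example: a toy security-scan orchestration gate.

Nothing here is any scanner's real output format; the record shapes,
sample findings, ownership map and policy are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)          # frozen => hashable, so a set dedupes findings
class Finding:
    tool: str       # "sast", "sca" or "dast"
    rule: str       # rule id, CVE id or DAST alert name
    severity: str   # "critical", "high", "medium" or "low"
    location: str   # file:line, manifest#package, or URL
    owner: str      # team responsible for fixing it


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Which tools gate which stage, and the lowest severity that blocks. SAST/SCA give
# fast feedback at commit time; DAST needs a deployed build, so it gates release.
POLICY = {
    "commit": {"tools": {"sast", "sca"}, "block_at": "high"},
    "release": {"tools": {"sast", "sca", "dast"}, "block_at": "medium"},
}


def cvss_to_severity(score):
    """CVSS v3.x qualitative bands (FIRST/NVD): 9.0+ critical, 7.0+ high, 4.0+ medium."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def owner_of(location, owners):
    """Longest matching path/URL prefix wins; unmatched code is 'unowned'."""
    best_prefix, best_team = "", "unowned"
    for prefix, team in owners:
        if location.startswith(prefix) and len(prefix) > len(best_prefix):
            best_prefix, best_team = prefix, team
    return best_team


def normalize(raw_findings, owners):
    """Map each tool's own (constructed) record shape onto Finding; drop exact duplicates."""
    unique = set()
    for r in raw_findings:
        if r["tool"] == "sast":
            loc = f'{r["file"]}:{r["line"]}'
            f = Finding("sast", r["rule_id"], r["severity"].lower(), loc, owner_of(loc, owners))
        elif r["tool"] == "sca":
            loc = f'{r["manifest"]}#{r["package"]}'
            f = Finding("sca", r["cve"], cvss_to_severity(r["cvss"]), loc, owner_of(loc, owners))
        elif r["tool"] == "dast":
            loc = r["url"]
            f = Finding("dast", r["alert"], r["risk"].lower(), loc, owner_of(loc, owners))
        else:
            raise ValueError(f"unknown tool: {r['tool']}")
        unique.add(f)
    # Most severe first, so blocking items sit at the top of any report.
    return sorted(unique, key=lambda f: (-SEVERITY_RANK[f.severity], f.tool, f.location))


def gate(findings, stage, policy=POLICY):
    """Return (passed, blocking_findings) for a pipeline stage."""
    rule = policy[stage]
    threshold = SEVERITY_RANK[rule["block_at"]]
    blocking = [f for f in findings
                if f.tool in rule["tools"] and SEVERITY_RANK[f.severity] >= threshold]
    return (not blocking, blocking)


def metrics_by_owner(findings):
    """Open findings per team by severity: the raw number a security KPI is built on."""
    per_team = defaultdict(Counter)
    for f in findings:
        per_team[f.owner][f.severity] += 1
    return {team: dict(c) for team, c in per_team.items()}


# Constructed sample data: ownership map and raw scanner records.
OWNERS = [
    ("src/api/", "payments"),
    ("src/web/", "storefront"),
    ("requirements.txt", "platform"),
    ("https://staging.example.test/", "storefront"),
]
RAW = [
    {"tool": "sast", "rule_id": "py/sql-injection", "severity": "HIGH", "file": "src/api/orders.py", "line": 42},
    {"tool": "sast", "rule_id": "py/sql-injection", "severity": "HIGH", "file": "src/api/orders.py", "line": 42},
    {"tool": "sast", "rule_id": "py/weak-hash", "severity": "LOW", "file": "src/web/session.py", "line": 10},
    {"tool": "sca", "package": "somelib==1.0.0", "cve": "CVE-0000-0000", "cvss": 9.8, "manifest": "requirements.txt"},
    {"tool": "dast", "alert": "Missing Content-Security-Policy", "risk": "Medium", "url": "https://staging.example.test/login"},
]

if __name__ == "__main__":
    found = normalize(RAW, OWNERS)
    for stage in ("commit", "release"):
        passed, blocking = gate(found, stage)
        print(f"{stage}: {'PASS' if passed else 'BLOCK'} ({len(blocking)} blocking)")
    print(metrics_by_owner(found))
```

With the sample data the commit gate blocks on two findings (the SQL injection and the critical dependency) while the low-severity hash finding passes through, the release gate additionally blocks on the DAST alert, and the duplicate SAST record is counted once. The per-team dictionary is the point of the Responsibility item: it is what lets a program report "open highs per team" rather than a single company-wide number nobody owns.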


So, can security and speed co-exist effectively? Yes. But it can’t be done overnight, and it can’t be solved simply by declaring security a priority. The right orchestration and teamwork must come into play across the SDLC, backed by the right resources and training and by cultural acceptance of security as part of the business. Security in DevOps is a process that needs to be embedded across the entire SDLC to create a healthy DevSecOps practice, one that enables accelerated development, high quality, and robust security in every application an organization produces.
