The Future of Security is DevSecOps
Image painted in seconds by AI.
Try AI stories for employer branding
Image painted in seconds by AI.
Try AI stories for employer branding
Cybersecurity is a more important field than ever before in a hyper-connected world and DevSecOps is here to tackle it head on. Cyber-attacks are the 6th most potentially devastating world event (behind items like weapons of mass destruction and extreme weather events) and the 5th most-likely-to-happen event (behind data fraud/theft and failure of climate change mitigation) according to the World Economic Forum’s Global Risks Report 2019.
This isn’t just scaremongering. This is a real threat, on a global level.
And on a local level? Well, according to PwC’s 2018 report, The Global State of Information Security: The Australian Story, only 36% of Australian businesses have an overall information security strategy, lagging behind the worldwide average of 56%. The report also uncovers that 74% of clients are prepared to switch vendors in the event of a data breach.
Here we have a potentially toxic combination for software product vendors and development houses: businesses that are perhaps unprepared (or at least underprepared) for cyberattacks, and clients that might just take their business elsewhere in the event of a breach.
This means that software development houses need to take inbuilt security very seriously. If clients aren’t willing to fortify their own systems to ideal standards, then you better make absolutely certain that software is built as secure as possible – or you’ll lose business.
How do we do this?
We talked to some of Australia’s foremost DevSecOps professionals in business to hear their thoughts about the future of this practice: Hannah McKelvie, DevOps & Code Security Manager at Telstra, Adrian Ludwig, CISO at Atlassian, Yuri Melo, Director of the Advanced Security Centre at EY, Jason Ellul, Director of Technology, APAC at Contino, and Bill Hamawi, DevOps Manager at Plutora.
Just 10 years ago, a buzz was building. DevOps, the intersection of software development, automated testing and building, and rapid delivery was garnering worldwide interest. It was an exciting time to be talking software development – at least if you were in the managerial space.
Developers themselves were more cautious about this new development and delivery automation pipeline. Would it really work? Was this just another case of managers barking out the latest “it” word, in an attempt to try and hurry up the process?
As it turns out, DevOps is now getting to be a more mature field and can work magic for the software development and delivery pipeline – if implemented correctly, with a strong internal culture and practices built to facilitate the process.
It’s this implementation that can be done poorly – and that can make both developers and managers alike still wary of DevOps from an overarching perspective, although they still may swear by tools and workflows that are inherently DevOps.
For those with a more mature DevOps workflow, it’s time to look at injecting security into the system – with automated processes for ensured compliance.
“DevSecOps is a branch off DevOps with security principles at its core function and purpose.” – Hamawi.
Melus suggests that “a solid understanding of common security issues can be obtained easily by proactive developers and standard security development patterns can be easily deployed.”
That proactive word is tricky, though. Melus makes a good point by saying, “Security vulnerabilities can be introduced easily by developers who are not aware of cybersecurity issues.” This is even true in the case of a highly trained DevOps engineer.
The role of the developer in cybersecurity isn’t always clear unless it’s outlined specifically with an onus from above, so codifying security into developer practices and workflows is important if security itself is important. In short, a developer must know exactly what to do to code securely, or they won’t.
If we do this, the developer may be bound to building secure by design, following various coding security best practices, such as using a verified version of an external library, thorough testing (e.g. through code quality tests), etc.
At Atlassian, they’re making it easier for developers to spot security flaws, through implementing DevSecOps tools. Says Ludwig, “We’re doing a lot of work to make sure our security tools are integrated directly into the developer workflow — so that a developer can find out about a potential security issue at the moment they write the code, rather than waiting until after the code goes into production and security testing is completed.”
“We’ve had to build a process that provides a lot more, smaller security checks. This is done with a combination of tooling, automation, and continuous monitoring to help our engineers ship more secure code.”
“For example, we’ll scan source code directly within the developer workflow and notify the developer when they go to check-in code.”
This automates security within developers’ workflows, so they don’t have to remember to do manual security checks.
Melo outlines why there is a critical need to inject security into the DevOps process: “As DevOps procedures make the deployment of applications faster, waiting until the end of a development sprint can be too late to address security vulnerabilities.”
While traditionally, security checks were done at the end of software iteration, we need it baked in, like how continuous testing and deployment is now baked in (with DevOps).
He goes on to say that by doing this, “DevOps procedures with security considerations brings security awareness to the developer teams, builds a security conscious culture and strategically improves end-to-end security coverage.”
Or, as Ellul puts it, “DevSecOps builds on the idea that cross-functional teams must work together and builds on the mindset that “everyone is responsible for security” with the goal of distributing security decisions at speed and scale in a safe and controlled manner.”
DevOps without inbuilt security is bound to either cause delays in the Continuous Integration / Continuous Deployment/Delivery pipeline or cause insecure code to be shipped. And that is why that ‘Sec’ is so important for DevOps.
With more and more businesses switching over to DevOps practices, this now “requires close collaboration between Security and DevOps teams, looking at shared accountability as a strategy for meeting the goal of Security at Speed,” as McKelvie says.
On a basic level, Hamawi notes the necessary steps for introducing DevSecOps to the workplace:
Ellul further elaborates how to start the process:
McKelvie explains how they began the shift to DevSecOps at Telstra: “Initially, we incubated our Security SMEs into the DevOps teams and had people co-located to provide real-time security advice, governance, and skills uplift.” Following this initial stage, skills are strengthened by “working with all our DevOps teams to find people who are passionate about improving the quality of their solutions, specifically with respect to security,” enrolling these key staff into their inhouse Security Champion Program.
Melo also notes existing processes that can be implemented now and that will become more prevalent among businesses in the future: “The use of automated solutions such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) will increase to provide developers with a faster feedback loop to close security vulnerabilities early.”
“In order to compete in the digital economy, organisations are increasingly competing on time-to-market and with the growth in Agile environments, organisations need to facilitate high-speed solution delivery.” – Melo
Simply put, DevSecOps makes business more efficient and thus more competitive.
Ellul outlines the follow key outcomes that have a “direct business value and can help drive increased Return on Investment”:
While the essential software developer skills in 2019 include experience in Agile development, Agile will certainly see more security focus in the future, as a natural evolution towards DevSecOps as standard for software development.
For those looking to break into the industry, learning a top programming language will still be highly relevant, but it will need to be put into practice within a security-focused development and deployment environment. Cybersecurity jobs with a focus on infrastructure-as-code from an enterprise-wide perspective will be critical for successful business operations.
It’s going to be a brave new world in the software development space. Be prepared for an exciting future and get involved with the DevSecOps movement.
Dive down the rabbit hole:
72 AI-powered languages
Trusted by the world’s top brands
Dedicated Customer Success
What is Employer Branding?
Employer Branding is essential for any company looking to recruit or retain talent. Your employees now have the same expectation as customers - in other words they want to know 'why' they should work for you, not just 'what' they are doing.
What is your company story and what do you stand for as an employer? Employer Branding content builds trust with your employees, increases your marketplace reputation and turns you into an employer of choice.
In today's environment employers need to work hard to stay relevant and create environments where employees are engaged and motivated. A strong Employer Branding strategy -projecting a positive brand identity - can help attact and retain the right people.
Especially in times of recession it is important for companies to set themselves apart from the competition and create strong bonds with their existing and future employees.
The Martec's AI-powered Employer Branding content tool is the most powerful platform on the planet for Employer Branding strategy, content creation, distribution and reporting. Used by many of the worlds' top Employer Brands for scale, impact and precision.
And 100+ other world class employer brands across 30 countries