By Mike Kail, Cybric
DevOps is not a new concept, but the calls for such a cultural shift and approach to application development have grown louder. Particularly in the security industry, experts now recognize the need to shift toward an approach where automation and orchestration are at the foundation of the development and deployment processes. This new approach is called DevSecOps.
IBM and the Ponemon Institute found the average total cost of a data breach increased 23 percent in 2015 to $3.79 million. Despite these record cost figures in the aftermath of breaches, most vendors and offerings in the security world have yet to leverage the best aspects of DevOps in their tools. Somehow the most necessary fundamental shift in how we approach security in 2016 has fallen on deaf ears at the companies whose jobs are to protect our data.
As defined by Wikipedia, DevOps (a clipped compound of "development" and "operations") is a culture, movement or practice that emphasizes the collaboration and communication of both software developers and other IT professionals while automating the process of software delivery and infrastructure changes. It aims to establish a culture and environment where building, testing and releasing software can happen rapidly, automatically and more reliably.
The DevSecOps movement builds on the idea that everyone is responsible for security and inherently accepts that retrofitting current solutions is no longer sufficient as hackers have changed the rules and also enjoy the advantage of being on the offensive.
This DevSecOps movement is due to a massive shift toward the cloud and the rise of both virtualization and containerization. The combination of new technologies with a cultural shift toward embracing these advances will eventually make DevSecOps the common thread in every security approach in the near future.
Automation is a key component of the movement; attempts to keep up with security manually no longer work. Every advance in technology and products opens up more possibilities for hackers to exploit.
How DevSecOps Improves Security
There are many reasons to shift to a DevSecOps approach but the most obvious is to slow the efforts of hackers. In daily security battles hackers have three key advantages:
- They take a continuous approach in their efforts
- They only have to get in once
- They can be as aggressive as they wish in their attacks
All of these realities require fighting fire with fire; acting exactly like a hacker is the best way to stop their onslaught.
To start adopting a DevSecOps approach means implementing automated sources to scan source code and all libraries up and down the stack in your organization, not just using point solutions. It also means integrating security tools into a common platform via APIs. Everyone in the organization should be empowered to recognize that security is part of their responsibility.
From a macro level, adopting a DevSecOps approach flips security from a defensive to an offensive posture that is both automated and constant -- mimicking the tactics of hackers.
Hackers have long enjoyed the advantages of speed, automation, aggression and relentlessness. Adopting these characteristics in organizational security is the only way to combat their attacks. DevSecOps as a movement will take time and begins with communication to the entire organization; everyone is responsible for security.
By Mike Kail, chief innovation officer and co-founder, Cybric.