Gone are the days when application security was the responsibility of only the security team. I remember that even a few years ago, when I was part of a development team, our software would go through a security assessment only a few days before Go-Live. Now it scares me to realize that we took a huge risk by deferring the security assessment to the tail end of the development phase.
The increase in security incidents in recent years has had one fortunate outcome: managers have come to recognize how critical application security is. Enterprises have started to look deeper into the development process and to include security assessments more frequently, at various intervals. However, one challenge that organizations face is adapting the security control process to the changing landscape of application development. With DevOps seen as the industry standard for efficient and fast software delivery, it is imperative that security be included in the model. Otherwise, the time taken to fix one critical security flaw found right before Go-Live may wipe out all the savings made by adopting DevOps best practices.
DevSecOps takes DevOps to the next level by recognizing security as a critical component even during the development phase. The objective of DevSecOps is to build security in and prevent flaws and violations from the beginning of development. In the DevSecOps process, an application security scanner is added to the DevOps pipeline so that a build does not pass unless the critical security flaws are fixed. Following this process has quite a few benefits, as listed below.
- Developers are much more aware of the security requirements of the system. Such a holistic view of the application makes them more proficient in coding
- Greatly reduces the time to fix security flaws. The time to fix a flaw during development is much less than the time to fix one just before production
- Encourages collaboration with the security assessment team rather than seeing the team as a roadblock to software delivery
- Encourages rapid feedback staying true to the principles of agile delivery
- Automates the security assessment step, reducing manual intervention and the consequent things that can go wrong
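The build gate described above, where the pipeline refuses to pass while critical findings are open, comes down to a small policy check run over the scanner's report. The following is an added example, not code from the original post or from any particular scanner; it assumes a constructed JSON report format with `id`, `rule`, `severity`, `file` and `line` fields (real tools emit their own formats, such as SARIF), and it fails closed on severities it does not recognize so that a renamed level cannot silently slip past the gate.

```python
import json
import sys
from dataclasses import dataclass

# Constructed sample report, loosely modelled on what SAST and dependency
# scanners emit. It is not the output of any real tool.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
    {"id": "F-2", "rule": "weak-hash-md5", "severity": "high", "file": "app/auth.py", "line": 17},
    {"id": "F-3", "rule": "debug-enabled", "severity": "medium", "file": "app/settings.py", "line": 3},
]})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class GatePolicy:
    fail_on: str = "high"                         # lowest severity that blocks the build
    accepted_risks: frozenset = frozenset()       # finding ids the security team has signed off


def is_blocking(finding: dict, policy: GatePolicy) -> bool:
    """A finding blocks the build when it meets the threshold and has no risk acceptance.
    Unknown severity strings are treated as blocking (fail closed), never ignored."""
    if finding["id"] in policy.accepted_risks:
        return False
    rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
    if rank is None:
        return True
    return rank >= SEVERITY_RANK[policy.fail_on]


def evaluate_gate(report_json: str, policy: GatePolicy) -> tuple[bool, list[dict]]:
    """Return (passed, blocking_findings) for a scanner report."""
    findings = json.loads(report_json).get("findings", [])
    blocking = [f for f in findings if is_blocking(f, policy)]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    # In a pipeline the report would come from the scanner step; here the sample is used.
    passed, blocking = evaluate_gate(SAMPLE_REPORT, GatePolicy(fail_on="high"))
    for f in blocking:
        print(f"BLOCKING {f['severity']:<8} {f['rule']} at {f['file']}:{f['line']} ({f['id']})")
    print("security gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)   # a non-zero exit is what makes the CI stage fail
```

Risk acceptances are deliberately explicit ids rather than a rule-level mute, so every exception is traceable to a specific finding and a specific sign-off.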
As in any change management process, implementing DevSecOps will succeed only if the team and management buy into the idea. Developers should be trained in security principles and secure coding practices. Once trained, they need to be incentivized to follow secure coding practices throughout the coding process.
In short, DevSecOps provides a great opportunity to build security into the product without skyrocketing the cost of product development.