There is understandably a lot of focus these days on the best DevSecOps practices in the wake of a rash of high-profile cyberattacks against software supply chains. However, as well-intentioned as those efforts may be, they often don’t take into account just how big a challenge adopting best DevSecOps practices really is for most organizations.
DevSecOps is an extension of a DevOps approach to building and deploying applications faster by giving developers more programmatic control of IT infrastructure within the context of a workflow based on a continuous integration/continuous delivery (CI/CD) platform. DevSecOps calls on organizations to advance application security by shifting more responsibility for it on to the shoulders of developers. The goal is to reduce the number of vulnerabilities in a production environment by holding developers more accountable for discovering and remediating them during the application development process.
As a concept, DevOps has been around for well over a decade. However, a recent survey of 600 IT professionals conducted by mabl, a provider of a test automation platform, finds only 11% of respondents said their organization has fully implemented DevOps practices, while another 24% said they were most of the way toward achieving that goal.
It’s difficult to see how organizations might be embracing DevSecOps when they have yet to master the fundamentals of DevOps. Nevertheless, a survey of 250 US and UK large enterprises with more than $1 billion in revenue conducted by Security Compass, a provider of a platform for automating security tasks as applications are developed, suggests that large enterprises at least are making strides toward embracing best DevSecOps practices. The survey finds three-quarters (75%) of respondents work for organizations that have implemented DevSecOps processes on current application development projects.
Nearly three-quarters of respondents (73%) said their organizations follow a “by design” approach that enables them to proactively address cybersecurity and regulatory compliance. The primary reasons respondents cited for embracing DevSecOps best practices were to improve security, quality, and/or resilience (54%), followed by the ability to bring applications to market faster (30%).
Almost three-quarters of respondents (73%) also noted that manual security and compliance processes slow down code releases. A full 96% said their organization would benefit from the automation of security and compliance processes. Therein, of course, lies the rub with DevSecOps. Most of the security tools organizations employ today are designed for security professionals rather than developers. A developer requires security tools that expose command-line interfaces (CLIs) and application programming interfaces (APIs) that make it possible to incorporate them within a DevOps workflow. In the absence of such tools, all the developer ever really sees is a list of issues compiled by a security team that lacks any context. Most developers have no idea how critical any vulnerability on that list is or to what extent a library on that list might have been included in their applications.
In addition, developers are now required to better ensure application secrets are protected while simultaneously embedding identity access controls within their applications as part of an organization’s effort to implement a zero-trust IT initiative. As a result, it’s clear a simpler approach to identity and access management (IAM) is required, says Brian Pontarelli, CEO of FusionAuth, a provider of a platform that enables developers to implement multi-factor authentication via API calls made to its platform. “All they need to do is access a login page,” said Pontarelli.
In a similar vein, providers of CI/CD platforms such as GitLab are also increasingly automating DevSecOps processes as part of an effort to reduce the need to depend on every developer to be a cybersecurity expert. The most recent release of the GitLab platform adds integrations with the open source Semgrep and Trivy vulnerability scanning tools as part of an effort to enable organizations to embrace DevSecOps best practices within workflows. GitLab has also made available additional dashboards to track security metrics and incorporated the fuzz testing tools it gained via the acquisitions of Fuzzit and Peach Tech to enable DevOps teams to embed application security tests more deeply within their workflows.
The overall goal is to foster more collaboration between developers and cybersecurity teams, notes Jonathan Hunt, vice president of security for GitLab. “It’s becoming a reality,” he says.
DevSecOps is, of course, a long journey that takes time to complete. As such, it’s not likely to have a major impact on securing software supply chains. However, the more security testing tools become just another gate within an automated DevSecOps workflow, the more steadily (over time) application security will improve.
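The two practical points above, that developers need scanner output with context (how severe a finding is, which library it lives in, whether a fix exists) and that a scanner only helps once it becomes a gate in the automated workflow, can be illustrated with a small post-processing step. The following is an added example written for this article, not code from the article, from GitLab, or from the Trivy project. It assumes a JSON report in the field layout Trivy emits with `--format json` (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report is constructed for the example, and its vulnerability IDs and package names are placeholders, not real CVEs or packages.

```python
"""Added example: turn a Trivy-style JSON report into developer-facing
findings and apply a simple gate policy. Constructed sample data only."""
import json
from dataclasses import dataclass
from typing import List

# Higher rank = more severe; UNKNOWN is treated as the least severe.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report. Field names follow Trivy's JSON layout, but the
# IDs, packages, versions and titles are placeholders invented for this example.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "package-lock.json",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-parser",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.3",
                 "Severity": "HIGH", "Title": "placeholder: unchecked input length"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-logger",
                 "InstalledVersion": "0.9.0", "FixedVersion": "",
                 "Severity": "LOW", "Title": "placeholder: verbose debug output"},
            ],
        },
        {
            "Target": "requirements.txt",
            "Type": "pip",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-http",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1",
                 "Severity": "CRITICAL", "Title": "placeholder: header handling"},
            ],
        },
        # A scanned target with no findings omits the Vulnerabilities key.
        {"Target": "Dockerfile", "Type": "dockerfile"},
    ]
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    target: str        # which manifest/lockfile the package came from
    package: str
    installed: str
    fixed: str         # empty string when no fixed version is known
    severity: str

    def describe(self) -> str:
        """One line a developer can act on: where it is and what to do."""
        action = f"upgrade to {self.fixed}" if self.fixed else "no fixed version yet"
        return (f"{self.severity:<8} {self.vuln_id} {self.package}@{self.installed} "
                f"[{self.target}] -> {action}")


def parse_trivy_report(report: dict) -> List[Finding]:
    """Flatten the nested Results/Vulnerabilities layout into Finding records."""
    findings = []
    for result in report.get("Results") or []:
        target = result.get("Target", "?")
        for vuln in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=vuln.get("VulnerabilityID", "?"),
                target=target,
                package=vuln.get("PkgName", "?"),
                installed=vuln.get("InstalledVersion", "?"),
                fixed=vuln.get("FixedVersion") or "",
                severity=str(vuln.get("Severity", "UNKNOWN")).upper(),
            ))
    return findings


def gate(findings: List[Finding], min_severity: str = "HIGH",
         require_fix: bool = True) -> List[Finding]:
    """Return the findings that block the pipeline, most severe first.

    With require_fix=True, a finding only blocks when a fixed version exists,
    so developers are not failed on issues they cannot yet remediate; such
    findings should still be reported, just not gated on."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.severity, 0) >= threshold
                and (f.fixed or not require_fix)]
    return sorted(blocking, key=lambda f: -SEVERITY_RANK.get(f.severity, 0))


def gate_exit_code(report_json: str, min_severity: str = "HIGH") -> int:
    """CI entry point: print contextual findings, return 1 if any block."""
    findings = parse_trivy_report(json.loads(report_json))
    for f in findings:
        print(f.describe())
    blocking = gate(findings, min_severity)
    print(f"{len(blocking)} blocking finding(s) at >= {min_severity}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(json.dumps(SAMPLE_REPORT)))
```

In a pipeline this would run after the scanner step (for example `trivy fs --format json -o report.json .`), with the job's exit status taken from `gate_exit_code`; the policy knobs (`min_severity`, `require_fix`) are what a team tunes so the gate blocks on what developers can actually fix rather than on a raw, context-free list.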