DevOps has been a staple at Actifio Inc. since its founding in 2009.
But just as DevOps has continued to evolve over the past eight years, so has the tech company's version of it. In fact, Actifio has moved into the next iteration: DevSecOps.
The company has shifted security testing to a much earlier stage in product development, said Actifio CSO John A. Meyers. It also increased automation and gave developers, solution architects and product managers access to testing tools, too. The result: DevSecOps has spread responsibility for security to roles beyond just security professionals.
"That really embodies this movement -- to get people who aren't traditionally in this security role excited about security and find potential security risks early in the cycle," Meyers said.
A growing number of organizations have implemented DevOps capabilities in recent years. The 2017 State of DevOps Report from Puppet and DevOps Research and Assessment states that 27% of respondents work on a DevOps team, up from 16% in 2014.
Now there's a movement to continue the evolution of DevOps -- the software engineering practice that has development and operations teams working together with the goal of building better products -- by incorporating security into the mix.
The goal now is to put security on equal footing with the development and operations pieces, enabling teams to not only deliver better products but to deliver better, more secure products -- and still develop them quickly.
"As we've automated more of the IT ops pieces, and removed the repetitive tasks and made them automated, and as we've moved to continuous integration, now there's a move to improve testing so organizations can vet code before it gets merged," explained Keith McCloskey, CTO of Blackstone Federal, a D.C.-based federal IT consulting firm focused on engineering, design, agile and cybersecurity.
McCloskey said one of the ultimate goals is to remove barriers and friction between teams in the organization, while also integrating security into existing IT practices.
"We want both dev and ops to work with security, and that's a good idea," McCloskey said. "If the concept of securing electronic assets is something that should be integrated into everything that IT does, then the expectation is that DevSecOps will lead to a more secure environment."
How that evolution of DevOps works in day-to-day business, however, can be complicated because organizations will have to think and work differently, according to DevSecOps experts.
"As with anything, the actual implementation will determine how effective it is," said Ajay K. Gupta, program chair of computer networks and cybersecurity at University of Maryland University College.
First, DevSecOps requires a shift in mindset.
Many organizations have pushed security to the end of the development process, testing code at the end of the build cycle as a final check. Executives who want to change that and move to DevSecOps instead must sell their teams on why integrating security is better.
"It's not something that happens organically; it requires people to buy into it," Meyers said.
Organizations must also provide the right security tools, assign security personnel, arrange for the appropriate level of staff training and implement as much automation as possible if they want DevSecOps to take hold, said Frank Catucci, director of application security and DevSecOps at ImagineX Consulting, a business and technology consulting firm.
Be advised: A shift to DevSecOps won't be quick and easy.
"It's not plug-and-play. There are certainly some plug-ins and platforms available to help, but you're still going to need the expertise to leverage those and to make it an actual functioning process, to make the security process automated," Catucci said, adding that leaders should view this as an ongoing process that's never really complete.
Many organizations, however, don't put in the work required to successfully implement such new programs, McCloskey said. Instead, they simply bring in new tools and fail to get positive results because they "don't understand there are people and processes that have to be improved as well, so the tooling sits idly by," he said.
On the other hand, he said organizations successfully deploying DevSecOps see it as the next step in the evolution of DevOps. They're working to build a common lexicon among team members so things like testing results can be understood by both the developers and the operations people, and so that security professionals can better understand the technical components.
DevSecOps does not make security professionals obsolete or eliminate the need for security reviews at the end of the build process, experts said. But organizations must realize that the security professionals' work will change and shift to more high-value tasks.
"DevSecOps gives us higher-level automation and moves security folks up the chain," McCloskey explained.
Questions about speed, not quality
Although proponents generally agree that DevSecOps can increase security profiles, they aren't on the same page when it comes to security's impact on an organization's ability to use DevOps for speed and agility.
Some said the increased focus on security could increase the length of time it takes to deliver a product; others said shifting security to earlier in the process would generally have either a positive impact on speed or no effect at all.
"Tightening one bolt at the end [of the process] doesn't take that long. But when you're doing it throughout the process, it might take longer," Gupta said.
On the other hand, Catucci said he sees how DevSecOps could save time and money. Identifying security issues while products are in development may seem like it slows pieces of the process down. Instead, it actually shortens the overall time to release because there's less need for time-consuming, security-related backtracking or reworking at the end, he said.
Built-in security also allows organizations to more easily identify and fix vulnerabilities in the components they lift from a precompiled library, Catucci noted.
"The earlier you identify risks in the process, the more efficient it is," he said.
Meyers agreed, saying his company has found that to be the case as it embraced the DevSecOps principles.
"It has made a huge difference in our ability to deliver secure code," he said. "The number of issues found has dropped dramatically since we've put more effort into secure development. And, I think, in the end, it saves us time and money because I don't have to fix something that's already out the door."