Now that you are in the cloud, how can you get DevSecOps right?
January 12, 2021 / Unisys Corporation
Short on time? Explore the key takeaways:
- Cloud technology and DevSecOps have improved innovation and speed for businesses.
- DevSecOps combines development, security and operations into a single department.
- Embracing DevSecOps requires rethinking processes, using automation tools and having a well-trained team.
- DevSecOps success is increased with persuasive leaders, trained employees and an automation specialist.
Cloud technology has changed everything — and that’s good news for businesses and customers. The cloud provides greater agility and innovation speed compared to on-premises solutions.
The Agile Manifesto, a document outlining agreed-upon values and principles for agile software development, promotes the effective management of software flow, reducing workload and enhancing focus. Its methodology enables businesses to quickly release software-based solutions on the cloud, responding to customer feedback. This lean approach promotes innovation speed, minimizes waste and motivates teams to deliver faster results.
The cloud brings a higher velocity of data, featuring greater volume and variety of computing and services. These three trends are the market drivers for DevSecOps adoption.
According to Gartner (Via TechTarget), 90% of software development projects will claim to follow DevSecOps practices by 2022. Moreover, 25% of projects will follow a DevOps methodology from conception to production by that same year. The implementation of DevSecOps provides companies with numerous benefits, such as improved velocity, safety and ease of software operation. It also effectively reduces code defects and lowers costs.
Traditionally, organizations had separate development engineering, quality assurance (QA), security and cloud operations teams. The development team would pass work to the QA and security teams, who would then hand it off to the cloud operations team. The deployment job would have to return to the development team if there were any issues.
Now, the boundaries between development, security and operations are disappearing. Organizations are merging them into a single department called DevSecOps. Within a year of Amazon’s adoption of DevSecOps, its engineers deployed code every 11.7 seconds on average. Netflix uses DevSecOps to deploy code thousands of times per day.
Embracing DevSecOps requires reorganizing teams and processes for continuous integration and delivery. Here are three tips to get the most value from the cloud and DevSecOps.
1.Shift to the left
It’s essential to solve security problems as soon as possible in the DevSecOps cycle. Before deploying software in the cloud, the software should go through multiple validation stages: development, test, pre-production, staging and production. The software should perform a security and deployment readiness gate check at every stage. If it fails any test, it must return to the beginning. This can cost valuable time.
To minimize rework and delays, shift problem-solving to the left (or beginning) of the DevSecOps continuum. Solving as many problems as possible in the development stage is essential. This prevents costing extra time later in the process to find and fix issues.
You can use tooling and automation to facilitate this. For example, consider using a source code security analysis tool that does source code scanning for security issues during deployment. Tooling and automation can help identify security problems so that you can immediately modify your software to address vulnerabilities.
2. Embrace immutable infrastructure
Embracing immutable infrastructure, or using containers, serverless functions and microservices, is another DevSecOps best practice. These technologies are inflexible because they should not be changed or patched arbitrarily.
If any new issues arise and changes must be made, the DevSecOps process must be restarted. This change in automation and the DevSecOps process presents a significant paradigm shift.
This may seem counterintuitive because containers, microservices and serverless technology are about flexibility and scalability. However, immutability means you can’t patch a container, for example. If there is a problem with a container in production, you must return to the source code level, build a new container and then deploy it.
Avoid patching or fixing containers spontaneously. Bypassing the needed DevSecOps-related checks and gates can cause issues. Returning to the first stage ensures your software is secure and works as required.
3. Focus on people
People are the most crucial component of DevSecOps. They can resolve issues with minimized processes. To ensure success, the team should be well-trained in all aspects of DevSecOps and capable of performing multiple roles in development, security and operations.
Gartner recommends that all developers be trained in the basics of secure coding, though they don’t need to be security experts. Ensuring everyone understands end-to-end DevSecOps processes, including code and application development, cloud deployment, debugging services and security, is essential.
In the past, developers, operations and security personnel were separate entities, but they are now integrated. Influential DevSecOps leaders can help explain the business benefits of the process, while automation specialists are critical for automated systems.
DevSecOps is now essential and will continue to be critical in the future, particularly in cloud-driven innovation. Businesses that don’t move to the cloud risk losing innovation, agility and cost savings. Companies can leverage the cloud to enhance business efficiency and customer satisfaction by following best practices.