How to Make DevSecOps an Automated Reality


As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Prashanth Nanjundappa of Progress examines how DevSecOps can help security teams step on the gas and speed toward an automated reality.

DevSecOps is a major highway of development in the technology world, combining speedy delivery with a reduction in security risk. DevSecOps can accelerate the pace of digital transformation and give the ever-evolving world of technology endless possibilities.

With IT teams under increasing pressure to take software products from concept to delivery in record time, development teams have two choices in this new age of digital agility. Do they want security and regulatory requirements to hinder their efficiency? Or will they leverage security and compliance in their DevOps methodologies to better position themselves against competitors and make their products all the more exceptional?

DevSecOps as a Collaboration

DevSecOps is meant to increase collaboration between development, security, and operations; when implemented properly, it benefits the entire organization by helping identify risks early in the product development lifecycle. The practice aims to automate the integration of security into every phase of the software development lifecycle. According to a research paper from Progress that surveyed 606 experts from 11 countries around the world, the top business factor driving the adoption of DevSecOps is a focus on business agility via fast and frequent delivery of application capabilities (59 percent). In addition, the top technology factor driving adoption was to better manage cybersecurity threats and issues (57 percent). This shows that over half of the experts surveyed recognize the need for wide adoption of DevSecOps. So what benefits are they reaping?

DevSecOps, if implemented in its true spirit, improves the speed of delivery and reduces risk in production, which can accelerate the digital transformation journey. DevSecOps practices play a large role in reducing critical costs and development time by automatically addressing security issues and minimizing the need to repeat a process or fix them in production. Security and compliance, applied through a few key practices, can speed time to market and help tech teams overcome technical skills gaps. A further benefit is that this translates into scaling automation across teams and environments.

Further enterprise benefits of implementing DevSecOps include creating trust and reducing risk through cost-effective, quick software delivery and enhanced proactive security. DevSecOps reduces costs and saves time because it naturally cuts out the need to repeat a process to address security issues. Conversely, organizations without the DevSecOps safety net experience slowdowns and rework.

Something for Everyone

Enabling DevSecOps collaboration helps to unify teams throughout the journey of what could easily be a tedious group project, starting at ground zero. If organizations do not adopt DevSecOps methodologies, the development journey will be frustrating and time consuming for the reasons previously outlined. Moving from a siloed or departmental view and allowing collaboration between teams through a common set of tools and processes gets the finished, compliant product to market sooner and makes the process easier for all involved.

According to Progress’ research, 76 percent of respondents recognized they could be more strategic in how they manage DevSecOps. Breaking down the silos, taking the key learnings from DevOps and DevSecOps, and starting the conversation about compliance and security needs in parallel (and in a single pipeline) is far more helpful when it begins at the start of the journey to release a new product. Cutting out the cycles of uncertainty about whether the project is ready to deploy saves resources and causes fewer challenges for employees and teams across the board.

What is Policy as Code?

Policy as Code brings configuration management, compliance, and security into one collaborative step, eliminating the separation between the security components and moving everyone on the team into a shared framework and communication channel. This, we believe, is one of the foundational aspects of DevSecOps. When Policy as Code becomes an automated reality, it brings all the critical steps together in one unavoidable flow and gives all involved the ability to overcome technical skills gaps. It also ensures that your teams and environments are in sync and steadily moving development projects along in accordance with compliance.

Policy as Code extends Infrastructure as Code by enabling four essential actions:

  1. Collaboration: Code is a common language for developers, operations, and security teams
  2. Scalability: Code scales across complexity sprawl
  3. Shift Left: Test throughout the delivery process, bringing security and compliance in as early as possible, and allowing developers to test policies directly on their workstations
  4. Continuous Visibility: The ability to monitor the steps to reduce or eliminate risk and fire drills

How Policy as Code Can Make Work Easier

In the study outlined, 86 percent of respondents identified that they experience challenges with their current approaches to security. With DevSecOps, turning concepts into reality is easier by introducing security at its earliest available opportunity in the development process. Each industry and organization will have different policies that define security standards, regulatory requirements, and other organizational mandates. These policies are often defined in long-form PDF documents, Word, Excel, and wikis which require domain expertise to understand and can’t be directly acted upon.

By using digital tools, those policies can be defined and codified as unambiguous, human-readable code. This can also be a tedious process if you don’t have a good starting point for codification. Fortunately, Chef customers have access to a library of premium content that’s CIS or DISA STIG certified to get started. These pre-made hardening profiles enable businesses to deploy configurations and applications aligned with requirements from the very beginning. Another benefit of defining policy as code is that teams can perform tests early and often to prove whether the code is working or needs to be tweaked. This approach checks that infrastructure and applications are policy-compliant early on, before production, so teams avoid having to start over.
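As an added illustration of the codification step (example code written for this column, not code from the article, Chef or Progress), here is a small policy-as-code check in plain Ruby: three SSH hardening statements that would otherwise sit in a PDF are expressed as data and evaluated against a constructed sshd_config sample, so the check can run on a developer workstation and fail a pipeline long before production. The control ids, the sample configuration and the function names are assumptions.

```ruby
# Added example, not code from the article or from Chef: a hardening rule that would
# otherwise live in a PDF becomes a testable check runnable on a developer workstation.

SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sshd_config sample, not a real host's configuration
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
CONF

# Parse sshd_config text into lowercase keyword => value, skipping comments.
# sshd honours the first occurrence of a keyword, so the first one wins.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    settings[key.downcase] = value.strip unless settings.key?(key.downcase)
  end
  settings
end

# Policy statements as data: id, human-readable title, governed keyword and
# allowed values. Ids are placeholders, not real CIS or DISA STIG identifiers.
SSH_CONTROLS = [
  { id: 'ssh-01', title: 'Root login over SSH is disabled',
    key: 'permitrootlogin', allowed: ['no'] },
  { id: 'ssh-02', title: 'Password authentication is disabled',
    key: 'passwordauthentication', allowed: ['no'] },
  { id: 'ssh-03', title: 'X11 forwarding is disabled',
    key: 'x11forwarding', allowed: ['no'] }
].freeze

# Evaluate each control; an absent keyword fails (silence is not compliance).
def evaluate_controls(config_text, controls = SSH_CONTROLS)
  settings = parse_sshd_config(config_text)
  controls.map do |c|
    found = settings[c[:key]]
    passed = !found.nil? && c[:allowed].include?(found.downcase)
    { id: c[:id], title: c[:title], passed: passed, found: found || '(not set)' }
  end
end

# Pipeline gate: true only when every control passes.
def compliant?(results)
  results.all? { |r| r[:passed] }
end
```

Running `evaluate_controls(SAMPLE_SSHD_CONFIG)` on the sample reports ssh-01 failing on the value `yes` and ssh-03 failing as not set, which is the actionable detail a PDF policy cannot produce.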

Policy-Based DevSecOps Automation Architecture

Building security and compliance in early in the process is a key responsibility for development and operations teams. By changing the way they approach end-to-end deployments, creating and testing code based on the organization’s rules and policies from the start of the process, they stand to reap the rewards in terms of time saved, security, and time to market.

Approximately 71 percent of survey respondents agreed that culture is the biggest barrier to DevSecOps progress. This may mean rethinking the approach your organization takes to security considerations and prioritizing addressing them early on. Just before deployment, at the end of a project, it is harder for security teams to intervene, and doing so costs significantly more in time-consuming rework. And, being human, no one wants to be told to start over. Making it a collaborative process from the get-go and encouraging open lines of communication can benefit all the capable hands on deck.

So, what do you look for when you are seeking out DevSecOps adoption? Look for a tool that fully integrates infrastructure and compliance policies, streamlines the workflow for operators, and ensures alignment from the development phase onward. Codified policies help your organization document its policies in an unambiguous, shareable, and actionable way. Also, organizations that take advantage of community-built content tend to achieve faster time-to-value. From a security standpoint, test-driven development means faster, more secure delivery. Everyone can win!

Overcoming the Technical Skills Gaps and Scaling Automation

When organizations do not enable the fastest workflow, the consequences include project slowdowns, time-consuming rework, and lower team morale, which leads to more mistakes being made. Those already taking advantage of such software understand the clear, efficient business case for making DevSecOps an automated reality. Over time, security and development operations will inevitably converge. Currently, however, only 30 percent of survey respondents felt confident in the level of collaboration between security and development. When DevSecOps becomes an automated reality, organizations will universally overcome technical skills gaps and scale automation across their teams and environments.

Prashanth Nanjundappa