While the benefits of the DevOps methodology are well understood, as an industry we haven’t done enough to add security earlier in the application development process. In the first of a two-part blog series, we take a look at why this challenge exists, the risks it presents, and its overall business impact. Stay tuned for the second article, when we show ways companies can capitalize on “SecDevOps.”
The first use of a factory was when Ford cranked one up to efficiently roll Model T cars into the market. It became the model of modern industry. Now the same type of mindset is taking hold in application development. The first step was the adoption of the DevOps methodology that established an application development approach to create custom applications in a fast-paced, iterative environment and delivered sizable improvements in overall speed and agility.
Effective use of DevOps also enables a company to focus its energies on devising new and creative ways to satisfy customers’ wants, providing a competitive advantage, and supporting important corporate initiatives. You could say that companies, through DevOps, are becoming “software factories.”
Companies that remain stagnant or can’t adapt to changes in business models tend not to survive, and the same is true with DevOps. As good as DevOps is, it’s not perfect, especially where data security is concerned. Therefore, a revolution is going on, led by the need to evolve DevOps, to move security earlier in the application development process.
As we have recently discussed, security has not yet been an organic consideration in software development, yet the rise of data breaches, many of which have been devastating, the growing sophistication of cyber-criminals, and the complexities of data privacy compliance regulations (like GDPR or AB375) require new ways of thinking about security. Without effective application security, companies face the very real risk that high-value PII/PHI data could be stolen, which could result in compliance fines and lost business. With so much to lose, companies can no longer tack security on to the end of existing application development processes.
Moving security earlier in the process is painful; if it wasn’t, it already would have been done. But the scenario really is evolve or die, and for many companies, the benefits of SecDevOps may not be intuitive. So let’s step through a few.
Let your applications developers do what they do best
A great application developer is like gold: they are a whiz at coding and thrive on making the best products possible. Yet it is important to note that most application developers are not security experts. Building in security features adds complexity and requires additional knowledge and coding skills that most developers do not have. Asking them to learn how to add advanced security features to their applications is not realistic and could dilute their strengths as developers.
Some in the industry think that the idea of “shifting left”—adding security into their current application development process—is challenging at best. It could also have a negative impact on execution speed and production cycles.
Avoid compliance fines
Compliance issues can be costly. For example, the General Data Protection Regulation (GDPR) carries penalties of up to four percent of an organization’s worldwide revenue or 20 million euros, whichever is greater, for violations of its data privacy and usage requirements.
In other cases, regulated industries must follow additional laws such as HIPAA for healthcare or 23 NYCRR 500 for financial services in New York. Companies may face other potential damages, too, including additional penalties, lawsuits, and the loss of customer trust and loyalty. The application may have to be taken out of production, which has a negative impact on various business practices.
Faster deployment and easier lifecycle management
The reality is that by not incorporating security into the application development process, the time to production deployment will be lengthened and the ability to deliver proper functionality put at risk. Additionally, when security comes as an afterthought or in the final QA stages of an application, security teams are forced to play catch-up and sift through unfamiliar code to uncover potential vulnerabilities and understand how the use, transmission, or storage of data may put the enterprise at risk. The catch-up time, which is often considerable, could be avoided if security is integrated with the DevOps application development process from the beginning.
At the end of the day, it is the operations team, in most cases IT, that will need to manage the application once it is deployed. If the app has gone through little to no testing, and security considerations weren’t taken into account upfront, it can cause real problems. For example, if a vulnerability is discovered, the development team must be pulled back into the process to review the code and create a patch. Then the patch needs to go through QA before it is finally deployed. That can take weeks, if not months.
With all of this working against developers and security teams, a better—and increasingly essential—way for DevOps to remain relevant is to fully incorporate security into the entire process with application development tools. Rather than be the “department of no” or the anti-DevOps force, security professionals can participate in the process from the very beginning to fluidly shape the design and deployment stages to meet security and regulatory requirements.
How can companies truly achieve this concept of “SecDevOps?” Stay tuned for our next article where we highlight best practices for adding security earlier into app development processes and improving overall security results.