Shifting to DevSecOps Is as Much About Culture as Technology and Methodology

This move to container-based development and agile methodologies has been great for innovation and iteration, but it’s also brought a massive shift in the application landscape with real impact on security teams. 

In just the past year or two, DevOps has become much more mature. Today we need to understand risks and implement controls not just for 10 or 20 apps—it’s often hundreds if not thousands.  

And while there are many cloud-native companies built for this new world whose entire application ecosystems are born in the cloud, the majority of companies are at different stages. Some may still be doing much less frequent releases, whether that be annual, quarterly or monthly. Some are still trying to manage their transition from waterfall-style development to modern application development with agile practices. Older, larger companies in particular may have a wide-ranging mixture of legacy on-prem and new, cloud-based apps. 

The complexity can be daunting even for the largest security orgs. You’re no longer updating once a year, but potentially daily. Each individual app has its own automated development pipeline, with its own builds, its own releases and multiple different agile teams behind it.

As more companies go through this cycle of shifting left, it’s only natural to see the business get ahead of security. And as everyone goes through this transition, we’re going to see more exposure as a result of that gap, with the business developing apps at a rate that the security organization is still trying to match. 

The further left an organization has shifted, the more rapid its development, the more adaptable the security team has to be—and the only way to get there is through a true DevSecOps model where security is an intrinsic part of development in a frictionless way. 

With DevSecOps, security orgs can meet the same standards that they’re accustomed to, while also meeting developers where they are, without completely halting the entire process to implement policy. The security team can continuously work in their own workflow and create policies that meet the business’ needs, and the DevOps team can move at the rapid speed of their business requirements. 

While it’s tempting to see this as just another “digital transformation,” it is more than that. Yes, there are new technologies digitizing traditional business processes and customer interactions. But beyond the technology itself, security teams must also change the way they work, adopting agile security practices that reflect the way modern dev teams operate.

And to change the way they work, they also have to change the way they think. Companies tend to overlook the cultural transformation that’s necessary. But without that cultural shift, it doesn’t really matter how agile development works or even what the digital transformation is. 

For security pros, that cultural transformation involves a lot of letting go. You’re not the big policy czar in the sky anymore. In this new world, you have to be able to infuse your understanding of risk and do it at the speed of the business: rapid development, shorter release cycles, staying in the thick of things through collaboration tools like Slack and Microsoft Teams. And that is a massive change in the way many security pros think about their jobs. 

The only way to solve the challenges presented by agile development is by making security a fundamental part of the entire process. It can’t be an afterthought. Otherwise it adds friction, and the dev team continues moving at business speed no matter what. The security team has to be able to adapt to that frictionless environment where tests are conducted as part of the builds and security choices and the decision to release are part of the process, not separate functions.

A true DevSecOps environment involves breaking down barriers and creating a cross-functional team focused on one objective. The key is to understand that DevOps is now a way of life, while SecOps is our old way of living. Those personas have to merge into a true DevSecOps model that functions as one.

What was previously more of a theory for most companies is real today. And the conversation about DevSecOps is just starting.
