The security challenge in DevOps

While Agile development approaches help organisations respond rapidly to new business opportunities, they pose significant security challenges.
Rennie Naidoo
By Rennie Naidoo, Professor in Information Systems (IS) at the Wits School of Business Sciences.
Johannesburg, 29 Apr 2022

Agile development practices enable organisations to deliver software products and services continuously. Since Agile development teams commit many small and frequent deployments to production, failure to involve the operations team earlier in the software lifecycle tends to become a source of constraint in the software delivery process.

DevOps seeks to promote cross-functional collaboration between the development and operations teams. The semi-automation and full automation of build, deployment and testing tasks are also critical in improving overall software delivery performance.

However, organisations adopting DevOps practices often struggle to manage the tensions between the goals of shortening the development cycle and the faster delivery of features pursued by the development teams and the stability goals pursued by the operations teams.

Of greater concern, both these teams tend to neglect security vulnerabilities that threat actors can exploit. According to a recent IBM report, the average global cost of a data breach now exceeds $4 million.

Despite increasing regulation by the EU General Data Protection Regulation and European Union Agency for Network and Information Security, the increasing trend toward developing cloud-based services and applications using Agile development processes also presents significant security concerns.

The COVID-19 global pandemic has given impetus to executing work-from-anywhere using critical software applications that add to these security vulnerabilities. The abovementioned IBM report found the average cost of breaches was $1.07 million higher in organisations supporting remote work.

Making sense of ‘Sec’ in DevSecOps

Neil MacDonald of Gartner initially coined the term DevOpsSec to draw attention to the need to incorporate information security within DevOps practices to balance speed, agility and security.

DevSecOps, as it is more commonly known, extends the objective of DevOps by advocating 'shift left' security, security by design and continuous security testing.

The lack of security culture can result in the different DevSecOps teams being at constant loggerheads.

Integrating the security team with the software development and operations teams allows team members to pay joint attention to information security matters throughout the software development lifecycle.

The distinctions between DevOpsSec, DevSecOps and SecDevOps are not clear in the academic literature. In the grey literature, the placement of "Sec" in the term appears to signify the priority given to security.

DevOpsSec is seen to prioritise development and operations at the expense of security. DevSecOps represents an improvement in the security culture but still prioritises development processes. Meanwhile, SecDevOps is the ideal term for security evangelists as it signifies prioritising security processes throughout the development lifecycle.

Although the academic literature uses these terms interchangeably, the term DevSecOps has become increasingly accepted by practitioners.

Incorporating security practices for agility in DevOps

Research firm Markets and Markets predicts DevSecOps will grow at a compound annual growth rate of 31.2%, reaching $5.9 billion in 2023.

DevSecOps transformations tend to incorporate advanced automated security practices for agility in the DevOps environment. Mainstream perspectives of DevSecOps tend to overlook the collaborative role of social actors and their interdependent relationship with technologies when securing software applications in organisations.

The techno-centric perspective emphasises using technologies such as containers, microservices, cryptographic protocols and origin authentication to secure the continuous deployment pipeline.

The other dominant view, the socio-centric perspective, focuses almost exclusively on the social aspects, such as organisational silos, culture and team collaboration.

Such one-sided perspectives neglect the socio-technical argument that secure software applications from continuous deployment emerge when developers, quality assurers, operators and security experts combine their collective expertise with the appropriate DevSecOps technologies.

Balancing human talent and technology imperatives in DevSecOps

DevSecOps incorporate information security practices early and throughout the development lifecycle to address confidentiality, integrity and availability requirements. These activities include performing security requirements analysis and compliance requirements.

It also ensures the team adopts security policies and performs security design reviews, code reviews and security tests. The team conducts security configurations, input and data validations, isolation of 'untrusted' software resources, threat modelling and risk analysis.

DevSecOps also uses tools to automate the insertion of security features into software applications, such as code review automation.

Whereas the waterfall model often relied on a single or few tools, Agile, DevOps and DevSecOps transformations can involve many diverse and specialised tools for planning, tracking, automation and management tasks.

A Tasktop survey of 300 enterprise IT organisations found that 70% integrated three or more tools and that 40% integrated four or more tools in their toolchains. The same survey also found that many software vendors have recently emerged to provide tools to support the DevSecOps environment.

While high automation has improved DevOps capabilities, some experts argue that assessing and testing system security can be challenging to automate. Such time-consuming and resource-intensive security activities can slow down the pipeline, which calls for high levels of collaboration with the security team.

Excessive groupthink due to close cooperation between the development and operation teams can be an obstacle to security. For this reason, the successful transition to DevSecOps goes beyond implementing security technologies into the DevOps toolchain by also emphasising human talent, effective decision-making and high-performance teamwork.

Leading the formation of a security culture in DevSecOps

The lack of security culture can result in the different DevSecOps teams being at constant loggerheads.

To build a security culture, organisations need to address behavioural changes within the security, development and operations teams. Integrating the security team with the development and operations teams to collaborate as an effective cross-functional team, while also ensuring security is included in every stage of the software development lifecycle, can be a formidable challenge.

IT leaders need to emphasise the importance of collaboration, communication and feedback between the security team and DevOps teams in realising continuous security. Besides teamwork, individual knowledge, skills and attitudes are also critical.

Security awareness meetings and security training for development and operations team members can also play a key role in developing a security culture.

IT leaders should also encourage members of the DevSecOps team to share their knowledge. For example, in the early phases of the transition, a developer who receives training from the security team can be appointed to be a security champion and act as a bridge between these two teams.

However, as the organisation's DevSecOps capability matures, everyone needs to accept responsibility for security. Building a 'blameless security culture' where team members take joint responsibility for delivering secure software applications is critical to the long-term success of DevSecOps.