DevSecOps is DevOps done well

To develop and release faster, developers constantly add open-source components to their projects. Approximately 60 to 90 percent of code today is open source. This has the potential to introduce the following- Security vulnerabilities and License compliance issues – into the organization. Relying on developer reports and manual processes only provides a partial picture. Hence, security and compliance are an essential part of the DevOps process.

The development lifecycle is a repetitive process and security should be introduced at every stage. There is an existing ratio of 200:5:1 developer to operations to security people. This means that any security issue identified by a security scanning tool needs to be reviewed by a very small security team that may even lack the technical knowledge. This challenge can be reduced by shifting left to the developer and operations teams, making them also responsible for security and compliance, and moving security earlier in the SDLC process.

DevSecOps is an agile coding methodology targeting the implementation of security into software early in development. A DevSecOps culture is one in which everyone takes responsibility and ownership of security. Blending in with the best practices of DevOps, each development team should assign a security champion to lead the security and compliance processes and actions in the team to maximize the security of the software that is delivered.

In a study conducted by Verified Market Research, the DevSecOps Market was valued at USD 2.18 Billion in 2019. The same market is likely to reach USD 17.16 Billion by 2027. It projects that it will grow at a CAGR of 30.76 per cent from 2020 to 2027. The growing need for secure applications owing to the increasing number of cyber threats is the primary factor driving the growth of the market. Also, the rising demand for application delivery and increasing compliance on security is another factor that contributes to market growth.

The nature of DevOps is to automate as much as possible to prevent human errors and create automated gates to prevent having unstable code from getting into production. In essence, code with a security vulnerability or a non-compliant license is unstable. There are several families of security and compliance tools to address different aspects of the SDLC. This includes Static Code Analysis (SAST), Software Composition Analysis (SCA), and different approaches for testing the code for vulnerabilities (DAST and IAST). In addition, there are tools that are aimed to monitor and protect your binaries in production environments against attacks that exploit your code or your environment vulnerabilities. Ideally, teams should aim to adopt all these areas for complete SDLC security.

Software package repositories are becoming a popular target for supply chain attacks. Recently, there has been news about malware attacks on popular repositories like npm, PyPI, and RubyGems. Developers are blindly trusting repositories and installing packages from these sources, assuming they are secure. Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline.The latest identity theft and credit card fraud statistics throw light on the importance of involving security measures in the process of DevOps. They're two of the most common financial crimes, and each of them saw significant growth in 2020. Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks.

Organizations that leave the Sec out of DevOps, may face security and compliance issues that are closer to their release, resulting in additional costs for remediating such issues. Hence, it is vital to embrace DevSecOps as an integral part of DevOps. The adoption of DevSecOps addresses all challenges faced by security and development during all phases of SDLC. DevOps-driven adoption of new processes and technologies confirms that security is not an afterthought. Application security was often treated as an afterthought. It was considered a roadblock to gaining or maintaining a lead over the competition. Bypassing or trivializing security is however a risky strategy that could have far-reaching repercussions.

Incorporating security is essential to the DevOps process as security can no longer be neglected or underestimated. At the end of the day, DevSecOps is DevOps done well!

The article is authored by Kavita Viswanath, GM JFrog India