The start of the COVID-19 pandemic forced many companies to undertake digital transformation to adapt to new restrictions and maintain business operations. Restaurants worked to add or expand online ordering capabilities, schools moved classes to online offerings, and thousands of other companies adopted remote work policies for the first time.
One transformation many companies have taken is to move from on-premises applications to cloud-based and cloud-native applications. Companies had been undergoing this transformation before the COVID-19 pandemic, but the pandemic accelerated adoption. The transformation to cloud-based applications, like all transformation, increases a company’s risk level. Digital transformation introduces additional digital risks, and migrating to the cloud increases the speed of change while also introducing unique risks. COVID-19 forced companies to undergo these transformations quickly to respond to the changing environment.
In addition to digital transformations, the pandemic brought to light a need for companies to be more agile to better respond to evolving situations. Many companies progressed in addressing this need before the pandemic, as evidenced by the shift from Waterfall methodologies to Agile methodologies. One area that continues to lag is security processes, which have remained stagnant through the shift to Agile. As a result, we find ourselves in an environment that needs to evolve quickly while taking on more and more risk. This evolution has played a part in an increase in malicious attacks during the pandemic; ransomware attacks have taken the most headlines, with 2021 seeing more than double the volume of attacks of 2020.
This environment puts the traditional drawn-out security process at odds with business goals and desired capabilities.
The current state of affairs
Today, businesses face the polarity of developing a secure and reliable application or moving fast. Often, leaders choose to move fast. Moving fast has plenty of benefits, such as increased agility, a higher chance of being the first to market with a new offering, snagging brand recognition, and more.
The choice to move fast does come with downsides, usually in security. With the increased threat of attack and an expanded attack surface, the traditional trade-off between security and meeting key business objectives is increasingly difficult to manage.
Security experts designed the current security processes for a slower, on-premises development lifecycle, not the speedy DevOps-driven SDLC of today’s modern companies. As companies continue to look for ways to move faster and adopt Agile methodologies and practices, they can innovate faster until security needs to get involved.
Being positioned on the critical path from development to delivery, security is in the prime position to create bottlenecks and slam the brakes on a fast-moving project. With the current difficulties in hiring IT professionals and the continuing skill shortage facing the cybersecurity industry, security teams are often short-staffed and facing burnout from the increasing internal demand on their department to protect against external threats. The traditional security gates lead to a build-up of demand on security teams, worsening the bottleneck and slowing innovation to a crawl. Traditional security processes could use an upgrade to meet modern demands.
Choosing security over speed is not without advantages. The obvious advantage is a more secure application that has less potential for vulnerabilities and is more reliable. Less obvious advantages can range from better code quality to a richer feature set, to higher user confidence in your application.
Imagining a better future
What if speed and security were not polarities? By reimagining the security process, companies can move quickly and ensure security, gaining the advantages of both. Development teams need to be enabled to secure what they build, at the pace they build it. Reimagining security for the cloud and today’s agile processes leads to the concept of DevSecOps. In the same way that companies have modernized operations teams with DevOps, DevSecOps can do the same for security.
How do we apply DevOps concepts to security?
One of the concepts of DevOps is “shifting left” or moving operations toward the development team and sharing responsibility. DevSecOps takes the same approach to security, transforming today’s security gates into tomorrow’s security guardrails. The transformation from gate to guardrail enables development teams to secure applications at the pace of development.
What is the difference between a gate and a guardrail?
Security gates block the path forward, much like a physical gate. In a cloud application, a security gate might be the security team needing to create all access policies for newly created resources. Following the same logic, guardrails keep the “car” on the road, or the application restricted to secure practices. Using the same example to change the gate into a guardrail, the security team can apply constraints to the build pipeline that validate every access policy created and terminate the build should a policy fall outside of approved practices.
This switch ensures that security practices are followed and removes the need for the security team to be involved every time a development team needs to make changes. This allows development teams to move at their own speed and identify security issues early. In this simple example, multiple interactions between the development and security teams are removed, yet the impact remains the same. Security teams now have less on their plate, and teams can deliver applications faster.
While this is one example, many other components of today’s security processes can be switched from a gate to a guardrail. In each step, the security team plays a role in defining and constructing the guardrail. This accountability ensures the security policies are enforced, and the development team uses the guardrails to identify issues early and deliver a more secure application in the shortest time possible. As an application moves through the development lifecycle, the guardrails narrow, tightening restrictions as the project nears production.
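As an added example (not code from the article), the following Python script shows the kind of pipeline guardrail described above: it validates access policies and fails the build when one falls outside approved practices. It assumes AWS-IAM-style JSON policy documents; the rule set, the deny-listed actions, and the two sample policies are constructed for this example and stand in for whatever the security team would actually define.

```python
"""Policy guardrail for a build pipeline (illustrative example, not the article's code).

Reads IAM-style JSON policy documents and reports statements that violate
rules the security team has encoded once, so developers get immediate
feedback instead of waiting on a manual review gate.
"""
import json
import sys
from pathlib import Path
from typing import Any

# Actions reserved for the (hypothetical) security team; assumption for this example.
DENYLISTED_ACTIONS = {
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "sts:AssumeRole",
}
# Action verbs treated as read-only, so they may target Resource "*" (assumption).
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def _as_list(value: Any) -> list:
    """IAM lets most fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """True if the action's verb (after 'service:') is a read-only verb."""
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_PREFIXES)


def check_policy(policy: dict, name: str = "policy") -> list[str]:
    """Return human-readable violations; an empty list means the policy passes."""
    violations: list[str] = []
    statements = _as_list(policy.get("Statement"))
    if not statements:
        return [f"{name}: policy has no Statement"]
    for i, stmt in enumerate(statements):
        where = f"{name} Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access, so they are not gated here
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                violations.append(f"{where}: wildcard action '{action}' is not allowed")
            elif action in DENYLISTED_ACTIONS:
                violations.append(f"{where}: action '{action}' is reserved for the security team")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            violations.append(f"{where}: Resource '*' may only be combined with read-only actions")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            violations.append(f"{where}: Principal '*' grants access to everyone")
    return violations


def check_policy_files(paths: list[str]) -> list[str]:
    """Load each JSON policy file and collect violations across all of them."""
    findings: list[str] = []
    for p in paths:
        findings.extend(check_policy(json.loads(Path(p).read_text()), name=p))
    return findings


# Constructed sample policies so the script runs offline without any files.
SAMPLE_GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
]}
SAMPLE_BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateUser", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"},
]}


def main(argv: list[str]) -> int:
    """Pipeline entry point: non-zero exit stops the build when a policy fails."""
    if argv:
        findings = check_policy_files(argv)
    else:
        findings = check_policy(SAMPLE_GOOD, "good") + check_policy(SAMPLE_BAD, "bad")
    for f in findings:
        print("VIOLATION:", f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the policy files produced by a build (`python policy_guardrail.py policies/*.json`) as a pipeline step; with no arguments it checks the two embedded samples. The rules are deliberately simple, and the point is where they live: the security team writes them once, the pipeline enforces them on every change, and developers see the exact statement that failed rather than waiting for a review.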
DevSecOps requires a mindset shift
Successful companies can respond to market changes quickly. To achieve the necessary agility, companies often choose to move fast at the expense of security. This choice is no longer required with the implementation of DevSecOps. DevSecOps enables faster time to market, greater innovation, and more resilient applications. There are plenty of tools that can assist in implementing DevSecOps processes. However, DevSecOps is more than just implementing a few tools. It is a culture and a mindset that leaders must develop in their organizations. This mindset shift begins with understanding how you can leverage DevSecOps to develop offerings that take advantage of market shifts, embrace new technologies, and enhance your organization’s security.