News and Notes from the Makers of Nexus | Sonatype Blog

"WTF is DevSecOps?"

Written by Elizabeth Kathure | May 27, 2020

If you work in security or software development, you’ve probably heard of DevSecOps and wondered what it is, or whether it even works. Perhaps you’re a DevSecOps practitioner who is sometimes not sure what you’re doing. Is it yet another tech buzzword? A trend? This is the article for you, because Eliza May Austin, a security expert and the CEO and co-founder of th4ts3cur1ty.company, explored these and other questions around DevSecOps in her All Day DevOps session, “WTF Is DevSecOps?” She is also the Founder and Director of Ladies of London Hacking Society.

So WTF is DevSecOps, anyway? Let’s explore.

Is DevSecOps Just a Trend?

If you go to any job board and type in “DevSecOps,” you’re immediately inundated with listings for titles like “DevSecOps engineer,” “DevSecOps practitioner,” and so on. Many developers, pen testers, and security engineers are also adding DevSecOps to their CVs in the hope of landing opportunities in the field, or better compensation. So there’s no doubt DevSecOps is trendy. Ask developers and they’ll say, “It’s great! We love it.” People who claim to have integrated DevSecOps are big fans too.

However, most security engineers have no clue what DevSecOps is.

By definition, DevSecOps is the practice of including security in the development process. It’s mostly a philosophy, a way of doing things. So why would a philosophy or process have dedicated job listings?

Take the example of agile. As a security engineer, you might not necessarily practice agile, but you’d be able to work in an agile environment. Shouldn’t it be the same with DevSecOps?

All this indicates that DevSecOps might be a trend more than anything else.

In theory, it’s fantastic. Automating security? Security as code? All great ideas. In practice, though, it fails. Eliza polled multiple businesses in the UK and found that 88% of companies say they’ve already integrated DevSecOps or intend to in the next two to five years, yet only 19% of those companies say they’re confident in their security integration.

There’s no shortage of examples of apps that went live with vulnerabilities that were only discovered after shipping, and this after the apps had supposedly gone through a DevSecOps process.

So What’s the Problem?

So what’s going wrong in these DevSecOps shops? At some companies you might find that the security team and the DevSecOps team sit in different cities, and that’s a good indicator of where the problem lies: a lack of communication.

In fact, for the most part, it seems like the main reason DevSecOps might not be effective is that security teams are currently left out of the DevSecOps conversation.

At a glance, there are a couple of reasons this is the case:

  1. Developers are expected to also be security experts. That’s unreasonable; no one expects security experts to also write code.

  2. Those in the security community can find themselves outside of the DevSecOps conversation if they feel development process discussions are beneath them or if they find it difficult to admit to not knowing things.

  3. There’s a general assumption in the industry that DevSecOps is an alternative to security when really the two should be collaborative.

  4. DevOps itself has outpaced traditional security controls. Point-in-time reviews and sign-off gates built for infrequent releases can’t keep up with teams deploying many times a day, so security ends up being handled separately, outside the delivery pipeline.

So now what?

At the moment DevSecOps feels like this:

  • A completely different department
  • Something that does not involve me
  • Something that’s not my problem
  • A meeting I may have to go to occasionally
  • A concept people can’t agree on
  • A divisive issue
  • Something in another building
  • Something whose definition everyone assumes has been agreed upon
  • Some automation thing the dev team does now
  • An actual security risk

We’ll have to work on communication for this to get better.

How Can We All Come Together?

In summary, DevSecOps is a great idea. But it will remain ineffective until we’re all involved in the process. That means security engineers, DevSecOps teams, and developers working together.

Think of it the way a marketing team and an HR team collaborate on social media recruiting. If HR just posted jobs on social media without marketing, or vice versa, the effort wouldn’t succeed.

The conclusion? If we could all collaborate on DevSecOps, we might have better results.