If you’re a person working in security or software development, you’ve probably heard about DevSecOps before and wondered what it is or if it even works. Perhaps you’re a DevSecOps practitioner and sometimes you’re not sure about what you’re doing. Is it yet another tech buzzword? A trend? Well, this is the article for you, because Eliza May Austin, a security expert and the CEO and co-founder of th4ts3cur1ty.company, explored these and other questions around DevSecOps in an All Day DevOps session called “WTF Is DevSecOps?” She is also the Founder and Director of Ladies of London Hacking Society.
So WTF is DevSecOps, anyway? Let’s explore.
Is DevSecOps Just a Trend?
If you go to any job board and type in “DevSecOps,” you’re immediately inundated with multiple listings with titles like “DevSecOps engineer,” “DevSecOps practitioner,” etc. In addition, many developers, pen testers, and security engineers are suddenly adding DevSecOps to their CVs in the hopes of getting opportunities in the field or even more compensation. So there’s no doubt DevSecOps is trendy. Further, if you ask developers, they’ll say, “It’s great! We love it.” And people who claim to have integrated DevSecOps are also big fans.
However, most security engineers have no clue what DevSecOps is.
By definition, DevSecOps is the practice of including security in the development process. It’s mostly a philosophy or a process of doing things. Why would a philosophy/process have dedicated job listings?
Take the example of agile. As a security engineer, you might not necessarily practice agile, but you’d be able to work in an agile environment. Shouldn’t it be the same with DevSecOps?
All this indicates that DevSecOps might be a trend more than anything else.
In theory, it’s fantastic. Automating security? Security as code? All great ideas. However, in practice, it fails. Eliza polled multiple businesses in the UK and found that 88% of companies say they’ve already integrated DevSecOps or intend to integrate it in the next two to five years and yet, only 19% of these companies say that they’re confident in their security integration.
There’s no shortage of examples of apps that have gone live with vulnerabilities that were only discovered after shipping. What’s more, this is after the apps supposedly went through the DevSecOps process.
What’s going on with these problems in DevSecOps shops? Well, at some companies, you might even find that the security team and the DevSecOps team are located in different cities. And that’s a good indicator of where the problem might lie—in a lack of communication.
In fact, for the most part, it seems like the main reason DevSecOps might not be effective is that security teams are currently left out of the DevSecOps conversation.
At a glance, there are a couple of reasons this is the case:
So now what?
At the moment DevSecOps feels like this:
We’ll have to work on communication for this to get better.
In summary, DevSecOps is a great idea. But it will remain ineffective until we’re all involved in the process. That means security engineers, DevSecOps teams, and developers working together.
Think of it the same way a marketing team and an HR team work together on social media for hiring. If the HR team just posted jobs on social media without marketing, or vice versa, the project wouldn’t be successful.
The conclusion? If we could all collaborate on DevSecOps, we might have better results.