The Shift Left in DevOps Security Practices and What it Means for Developers
Businesses have begun to see the value of making security a holistic and well-integrated practice throughout the software development lifecycle, rather than a checkpoint at the end of the SDLC. But what does this shift to DevSecOps actually mean for development and security teams? And more importantly, is it attainable in today’s DevOps practices?
Here at StackShare, we’ve gotten a big-picture view of DevSecOps, from the perspectives of our community of over 1 million developers, CTOs, and enterprise architects. As we enter 2022, DevSecOps continues to expand - not just in theory, but in the practices of real-world development teams.
In response to this growing need for solutions that bring development and security priorities together, we added a security vulnerability reporting dashboard to Private StackShare for Teams. By making it simple for developers to gain visibility into their entire SDLC, we aim to empower development teams to take the lead on secure coding, in a way that fits their current methodologies.
What is DevSecOps?
DevSecOps is the natural evolution of DevOps, automating the integration of security during each phase of the software development lifecycle. From design to integration and testing, all the way through delivery and deployment - DevSecOps incorporates security throughout every facet of DevOps, rather than as a separate entity.
At its core, DevSecOps seeks to “shift security left”, addressing security issues as they arise during development, rather than at the end. DevSecOps makes security the responsibility of the entire development team, not just of the security silo.
DevSecOps benefits both the risk posture and general well-being of a business. An average of 50% of the apps at an organization without a DevSecOps practice are vulnerable to exploitation, while only 22% are vulnerable if the org has a DevSecOps practice.
Plus, overall job satisfaction ranks higher in organizations with DevOps Security practices; the hundreds of developers surveyed in 2020 by Sonatype indicated “the happiest developers are 2.3x more likely to be using automated security tools.”
Signs that DevSecOps is Finally Taking Off
DevSecOps is poised this year for takeoff as an achievable practice. While the concept has been around for a while, DevSecOps has until now been an elusive and under-defined idea rather than a realistic, attainable method.
Some takeaways from Morgan Stanley's Q4 CIO survey
- Software has the highest growth expectations in IT
- Strong demand in software persisting (not simply pull forward in 2021)
- Cloud computing remains CIOs' top priority
- Security software most defensible
More graphs below
— Jamin Ball (@jaminball) January 12, 2022
Gartner’s latest Hype Cycle for Application Security already places DevSecOps on the “Slope of Enlightenment”, step 4 of 5 in Gartner’s progression for emerging technology, and headed for the “Plateau of Productivity” (step 5) in the near future.
[Source: Gartner]
Another indicator of DevSecOps adoption is the job market. Looking at job title counts on LinkedIn, fewer than 5,000 people include DevSecOps in their job title, yet more than 20,000 DevSecOps roles are listed. GitLab also predicts that DevSecOps adoption will continue to increase as more organizations see measurable benefits from the practice.
DevSecOps Trends
Two notable industry trends are helping to facilitate this shift towards attainable, real-world DevSecOps: more developer-focused tools and the gradual, informal adoption of security within development practices.
More Developer-Friendly DevSecOps Tools
Meeting developers where they are and offering assistance, rather than expecting them to learn new tools outside the environments they’re familiar with, is critical for the success of DevSecOps adoption. Essentially, a developer shouldn’t have to backtrack or leave their environment to correct a security issue.
While there are ample security tools and services available, a common gap continues to keep developers from integrating DevSecOps successfully: there isn’t a single pane of glass where you can see all the security vulnerabilities that exist across all your codebases. DevSecOps means no manual detective work should be required to fix Common Vulnerabilities and Exposures (CVEs) or to track which repos and apps a CVE affects via scripts or custom solutions.
One of StackShare’s goals in adding security vulnerability reporting to Private StackShare for Teams (PSS) was to create a developer-friendly solution for viewing vulnerabilities. PSS, first and foremost, aims to provide visibility and organization for developers. Our solution includes dashboards of all tech stacks, packages, team members, and more within your organization, pull request integration for clear documentation, and organizational tools such as tags for sorting stacks.
The new security vulnerability dashboard makes it simple for developers to view all vulnerabilities in one place. Developers can now see open security vulnerabilities in the packages and libraries being used across all your Git repos in one interface.
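As an added illustration of the cross-repo view described above (example code, not StackShare's product code), the script below takes a constructed advisory feed and constructed lockfile contents for a few hypothetical repos and answers which repos each advisory affects. Versions are compared numerically so that 2.10.0 is not mistaken for an older release than 2.3.0; the CVE ids are placeholders.

```python
# Added example (not StackShare's code): one aggregated view of open dependency
# vulnerabilities across several repos. Advisory feed, lockfile contents and the
# CVE ids below are constructed placeholders, not real advisories.

# Constructed advisory feed: package -> [(placeholder CVE id, first vulnerable, first fixed)]
ADVISORIES = {
    "log-lib": [("CVE-0000-0001", "1.0.0", "1.4.2")],
    "http-client": [("CVE-0000-0002", "2.0.0", "2.3.0"),
                    ("CVE-0000-0003", "0.0.0", "2.5.1")],
}

# Constructed lockfile contents for four hypothetical repos: repo -> {package: version}
REPOS = {
    "billing-api": {"log-lib": "1.4.1", "http-client": "2.5.1"},
    "web-frontend": {"http-client": "2.2.9", "ui-kit": "3.0.0"},
    "batch-jobs": {"log-lib": "1.4.2"},
    "mobile-gateway": {"http-client": "2.10.0"},
}


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so comparison is numeric; as strings '2.10.0' < '2.3.0'."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version, first_vulnerable, first_fixed):
    """Affected when first_vulnerable <= version < first_fixed (the fix release is exclusive)."""
    v = parse_version(version)
    return parse_version(first_vulnerable) <= v < parse_version(first_fixed)


def find_affected(repos, advisories):
    """Build {cve_id: sorted ['repo (package@version)', ...]} for every open finding."""
    findings = {}
    for repo, deps in repos.items():
        for package, version in deps.items():
            for cve, first_vulnerable, first_fixed in advisories.get(package, []):
                if is_vulnerable(version, first_vulnerable, first_fixed):
                    findings.setdefault(cve, []).append(f"{repo} ({package}@{version})")
    return {cve: sorted(hits) for cve, hits in findings.items()}


def repos_for_cve(cve, repos, advisories):
    """The 'which repos does this CVE touch?' question, answered from the aggregated view."""
    return [hit.split(" ")[0] for hit in find_affected(repos, advisories).get(cve, [])]


if __name__ == "__main__":
    for cve, hits in find_affected(REPOS, ADVISORIES).items():
        print(cve, "->", ", ".join(hits))
```

Note that mobile-gateway is correctly left out: its http-client 2.10.0 is past both fix versions, which a plain string comparison would get wrong.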
DevSecOps Principles Adopted in the Day-to-Day, Not as a Formal Practice
When it comes to formal adoption of DevSecOps, a recent Forbes article put it this way:
"If you asked many organizations whether they have either a dedicated DevOps team or a defined DevOps culture, they’ll say no. But ask whether they’re doing continuous deployment, have a CI/CD pipeline, are shipping more to the cloud — we’d bet they’d say yes. It’s similar with DevSecOps."
It all started with Ops... and now ¯\_(ツ)_/¯ Register for the free Ops webinar: https://t.co/IRJRQ6p2AW
— A Cloud Guru (@acloudguru) October 13, 2020
A DevSecOps practice isn’t simply something you either “have” or “don’t have”. It is a series of iterative, gradual changes, so the approach you take to shifting towards a DevSecOps mindset matters. Anything organizations can do to start shifting their security left will be beneficial - the earlier security is involved, from conception onward, the better. Overhauling your entire process is not necessary. Small, incremental process updates and changes in mindset are an effective way to incorporate security into your DevOps practice.
Researching and learning about the security tools available to your team is a great place to start. StackShare’s community can help you by providing a collaborative platform for you and your organization to gain knowledge from others.
Ready to get started? Sign up for Private StackShare for Teams today.