Secure by design: How DevSecOps is changing the way we code

According to PwC’s 2018 report The Global State of Information Security: The Australian Story, only 36% of Australian businesses have an overall information security strategy, compared to the worldwide average of 56%. More tellingly, the report reveals that 74% of clients are prepared to switch vendors in the event of a data breach.

Companies are transitioning to digital experiences that are increasingly powered by mobile, cloud, and data analytics technologies. But these digital experiences are vulnerable to an increasingly bigger set of cyber risks, which is why cybersecurity considerations are appearing much earlier in the production cycle.

This has led to the rise of the relatively new practice of DevSecOps - an approach that seeks to integrate information security operations into DevOps workflows.

In current DevOps practices, the role of the developer from a cybersecurity perspective isn’t always clear, which means vulnerabilities may be missed or stay unaddressed in the final product. That’s why cybersecurity needs to be defined and embedded within developer practices and workflows, which is what DevSecOps aims to do.

This may lengthen the development cycle and increase upfront costs, but it’s important to look at the long-term impact. Not securing apps or processes at the development stage can result in glaring vulnerabilities and security risks that can cost much more to fix after the fact.

Three steps to DevSecOps success

DevSecOps doesn’t happen all at once for most organisations. Technology is just one part of it: implementing DevSecOps is an involved, iterative process that needs to be rooted in the culture of an organisation to be fully effective. There are, however, three key steps that need to happen to enable it:

Step 1: Integrating cybersecurity into the developers’ workflow

Integrating governance, risk and security processes into the DevOps workflow can seem cumbersome, but if you look at the bigger picture, it creates the potential for faster delivery at lower costs because it eliminates the need for audits, add-ons and fixes after completion. Automating security checks and controls as much as possible is the key, but everything needs to be aligned with the developers’ existing workflow. The great thing about DevSecOps is that since it aims to fit into traditional workflows, it allows each security risk to be translated for stakeholders like CTO’s and CROs, so they can see the potential impact on their specific domain.

Step 2: Removing vulnerabilities at the source

Typically, the bulk of a software application is built with off-the-shelf code sourced from third parties, which includes their own vulnerabilities as well. The way to address this issue is to build a repository of trusted code sources which have been reviewed, pretested and preapproved. With developers having a trusted library to source code from, it will save time by reducing the number of potential vulnerabilities the final product will need to be tested for.

Step 3: Making cybersecurity a part of the culture

‘Immutable infrastructure’ - the principle that any vulnerability shouldn’t just be ‘patched’, but the code overhauled entirely to fix it -  is an excellent example of the cultural shift DevSecOps represents. That makes information security a key consideration at the planning, policy and IT infrastructure levels. It also means developers have a clear remit on what elements need to be secured before coding even begins. This is a big cultural change that will take time and consistent support from all levels of the organisation to successfully implement.

In the face of increasing cyber risks in a digitised economy, DevSecOps is the way forward to create the safe, secure and resilient IT infrastructure that modern businesses and customers can rely on.