When developing digital products and applications, DevSecOps can support the challenging business goals of organisations to improve operational efficiency and open up innovation while maintaining security and compliance. However, for a successful DevSecOps implementation, you need to overcome several hurdles.
DevOps came into life as a solution to support agile transformations by uniting software development (Dev) and life cycle operations (Ops) in an automated process. The biggest advantage is that controls are embedded in the process of product creation and release rather than manually testing after the development team has finished. This allows organisations to develop and deliver applications faster, keep up with the speed of business and meet customer demand.
In traditional software development, security is addressed in the final stages and manually tested. When you only detect security issues at the end of the development process, you waste a lot of time going back through the whole process unnecessarily.
With the DevSecOps methodology, security isn’t an isolated task at the end of the process. It’s a shared responsibility throughout the entire IT life cycle, embedded in the process from the start (shift left). This involves automating security tests and updates, centralising user identity and access control features, and implementing end-to-end accountability for security.
Adopting the DevSecOps methodology in your organisation comes with challenges that you can’t underestimate. Regardless of their knowledge or experience, organisations often experience the same hurdles:
- Resistance to change
- Development teams need to learn new skills, tools and practices and accept responsibility for their product’s security, reliability and compliance. If you don’t approach this carefully, development teams may be reluctant to adopt change.
- No clear business case
- Sometimes management picks up DevSecOps somewhere as a buzzword. But without a clear view of the return on investment (ROI), the upfront costs of changing development practices may seem daunting, increasing resistance to change.
- Security as a showstopper
- Developers often see security controls as delays to their development process, because they experienced it that way in their traditional way of working. This leads to fear and resistance to a tighter integration of security in the product development life cycle.
- Balancing speed and security
- Developers focus on deploying applications quickly, while security teams are concerned with ensuring compliance. Traditionally, both parties work in silos. If security isn’t properly enforced in the DevOps process, this could lead to operational friction and delays.
- Lack of resources and knowledge/skills
- Developers and security experts have different knowledge and skills and speak different languages. This creates a gap in understanding.
- The risk of open source
- Using third-party open-source projects without auditing them introduces the risk of vulnerabilities.
Best practices for applying DevSecOps principles
Adopting DevSecOps is a big organisational change that impacts every step of the product development life cycle and every member of the team. You can start small, but to do it properly you need a well-thought-out strategy because it’s a long journey with a lot of hurdles.
Thankfully, there are some best practices you can follow to overcome these hurdles:
- Get leadership involved
- Your organisation needs a cultural shift for DevSecOps, and this requires top-down support from leaders to promote and reward the transformation. To ensure risks are managed, also involve security and compliance leaders.
- Adopt a DevSecOps culture on the spot
- Implement a user adoption and training plan to limit resistance to change. Start with small pilots to demonstrate success and scale up initiatives.
- Create autonomy and empowerment
- Engineering teams must own responsibility for security. They should learn from feedback given by automated controls regarding security issues, so they’re able to resolve them without help in the future.
- Teach the tools
- Implement proper training and support to effectively use new tooling. Give developers time to adapt to the new tools and to use them to their full potential.
- Put the right technology in place
- Modernize and migrate applications to the cloud, understand what each tool does and which ones are suitable for the project.
- Set governance and processes
- Develop a clear change management strategy, communicate changes in processes, policies and technologies, and use an agile methodology to make incremental changes towards the desired outcome.
- Measure and reward success
- Implement the right metrics, parameters and milestones aligned with the organisation’s strategic business goals. Measure and reward success so people see they contribute to the organisation.
- Manage differences
- Don’t force a one-size-fits-all approach, but adopt the differences in developer maturity, tooling and policies.
- Identify the risks
- Build a threat model to evaluate your current tools, identify the threats that impact your organisation, and prioritise the risks in terms of criticality and impact.
If you want to learn more about best practices for implementing DevSecOps, read our ebook “Breaking down the silos: How to adopt DevSecOps and create a security culture in your organisation”.