Is DevSecOps making a Difference in Information Security?

It seems nary a week passes without a story about a hacking incident making the evening news. Additionally, many CIOs report a skills gap when it comes to employing experienced information security professionals. As such, the demand for these IT pros is now going through the roof, as are their salaries.

So what about DevSecOps, the cybersecurity-focused variant of the DevOps methodology (and organizational structure)? We’ve talked about it in the past and are wondering if it is truly making a difference in today’s technology world. Let’s take a closer look.

The Current State of DevSecOps in the Industry

Last month, SD Times looked at what inroads DevSecOps is making throughout the software development industry. They asked the same question as us: is it truly making a difference, considering the never-ending scourge of cyber attacks and similar forms of nefarious behavior? Considering the difficulties some organizations encounter when implementing DevOps itself, is it simply too new to make much impact?

Derek Weeks, vice president and DevOps advocate at Sonatype, echoes that opinion. “I will say I think we’re early on in the DevSecOps movement of practices that are being implemented. I think with the organizations that have attempted to do it, they are seeing early successes and are happy with that. The vast majority of the market has not gotten their feet wet with DevSecOps practices yet,” said Weeks.

When looking at the recent tech news, however, it becomes time to quote Spock: “Mr. Scott, speed is of the essence.” The core of the issue involves successfully implementing security within a software engineering organization’s current DevOps initiatives. If those practices are still emerging, obviously adding the “Sec” to DevOps becomes more difficult.

A Cultural Change is Essential for a DevSecOps Implementation

A successful DevSecOps implementation requires both a cultural shift within a software development shop and buy-in from the executive team. Of course, these same things are necessary for switching to DevOps itself. Obviously, a mature DevOps organization will likely find it easier to add security to an existing framework.

Weeks feels security practices need to be actually embedded in the software development workflow, as opposed to tacked onto the process after the fact. Making information security practitioners serve as gatekeepers instead of collaborators isn’t the best approach. They need empathy for the entire SDLC.

Training software engineers in the proper application of cybersecurity technology ultimately works better. This serves to foster the kind of teamwork and collaboration that is the hallmark of DevOps itself. It also provides companies the chance to close their information security skills gap in an internal fashion.

John Martinez, vice president of customer solutions at Evident.io, commented on the inroads DevSecOps is making at his firm: “I think the DevOps side of DevSecOps has definitely been much faster to respond and I think we’re starting to see, at least on our side, the cross-pollination on the security side where a lot of the agile practices are starting to fit over on the SecOps side.”

Ultimately, DevSecOps is still an emerging practice. However, the importance of companies successfully implementing it cannot be overstated.

That’s it for this edition of the Betica Blog. Stay tuned for additional insights from the wide world of software development. Thanks for reading!

News from the World of Software Development – May 2017

Welcome to this month’s collection of a few interesting software development news stories from the last few weeks. If you want to check out April’s news digest, simply click on the following link. Hopefully, the content within this May digest offers a measure of insight for your software engineering activities. Good luck!

Agile making inroads in Government Software Development

Nearing its second decade of use, Agile is finally seeing wide adoption in software development at government agencies. Doug Robinson, the executive director of the National Association of State Chief Information Officers (NASCIO) in the United States, reported that 81 percent of state CIOs plan on increasing the usage of Agile and other iterative development methodologies at their shops. News about this growth in Agile adoption appeared this week at CRN.

“We’re seeing a lot of excitement in the CIO world to be able to deliver projects on time and within budget using some type of agile methodology,” said Robinson. As government entities tend to be slow to embrace new technology methodologies, this growth in adoption is another obvious sign of the continued maturity of Agile.

Small Teams write more Secure Code

Teams with a small number of developers produce more secure applications compared to groups with more than 20 employees. That is one of the main conclusions from the recently released 2017 CRASH Report, published by CAST Software. As applications grow in size and complexity, they simply become too difficult to manage.

A chief scientist at CAST Software, Bill Curtis, commented on the survey’s findings. “Applications have gotten so big and complex that no single team can understand it all. It might have five or six languages, multiple databases, CRM systems, and you can’t understand all the interactions. That leaves teams making assumptions that in many cases are wrong,” said Curtis.

Shops wanting to write more secure code need to invest in the relevant training for their developers, while giving them the tools for performing both static and dynamic testing. Additionally, involving a third-party team in the final vetting of an application’s security offers a valuable second opinion before the code is deployed to production.

Microsoft switches to Git for Windows Code Source Control

Considering Microsoft’s investment in its own source control systems, it comes as somewhat of a surprise that the tech giant is migrating all the source code for its Windows operating system to the popular open source tool, Git. News about this move appeared this week in Ars Technica.

The reasoning behind this shift lies within Microsoft’s OneCore project, which is aimed at simplifying the Windows codebase. Their previous source control solution for Windows, SourceDepot, was straining to handle the massive amount of source code involved, which includes 3.5 million files.

Redmond chose Git because of developer familiarity as well as its open source nature. The basic Git application needed to be updated to seamlessly handle the Windows source code. Microsoft created a fork in the Git code for this purpose and is talking with the other industry giants who use the app – Google and Facebook – about combining their efforts in the future.

Make a visit to the Betica Blog part of your daily routine before firing up your IDE in the morning. As always, thanks for reading!

DevOps helping Teams with IT Security

With the continued growth of mobile technology and Cloud Computing leading more users to embrace eCommerce, there has been a subsequent increase in cases of identity theft, ransomware, and other forms of cybercrime. Nefarious agents – essentially hackers – are finding more targets on a daily basis. This puts the onus on software developers to ensure their web applications remain as secure as possible. Enter DevOps.

Application engineering firms are now leveraging the faster development speed provided by DevOps to ensure their software products – and user base – stay protected from cyber criminals. Let’s take a closer look at how this modern methodology helps teams with cybersecurity.

Automating Security in Software Development

One of the most important technical principles within DevOps is the use of automation to make certain aspects of the software engineering process more efficient and subsequently faster. According to a recent article in InfoWorld, automated routines are also helping teams implement cybersecurity throughout the software development life cycle. In the past, adding security routines to a codebase was cumbersome; this is apparently no longer the case.

A 2017 survey on “DevSecOps” by Sonatype noted a change in how developers felt about adding cybersecurity routines to their applications. 84 percent of the respondents now feel coding application security routines is a necessary safety measure, as opposed to something hampering their creativity or delaying the release date of the application. The increased use of automation to build security into software is one of the reasons for this change in attitude.

Wayne Jackson, Sonatype’s CEO, noted the advantages of leveraging DevOps for application security. “DevOps is not an excuse to do application security poorly; it is an opportunity to do application security better than ever,” said Jackson. His company’s survey also noted that the organizations that have no issues adding application security tend to be the same ones with a mature implementation of DevOps itself.

Faster Software Development makes it easier to write Safer Code

As the automation ushered in by DevOps has led to a faster software development process, companies are finding it easier to improve their code in other areas, most notably in security. Tyler Shields, vice president of Signal Sciences, highlighted this change.

“Successful application security has been defined as increased automation that doesn’t slow down the development and operations process. Imagine a scenario where developers embrace security rather than find ways to work around it,” said Shields.

Some of these automated security routines include fuzz testing and software penetration testing. Both are important in truly vetting an application’s barriers against hacking and other cybercrime. Analytical routines used by continuous integration software also check for vulnerable code, both in-house developed code and third-party components.

With hacking and ransomware in the news on a seemingly daily basis, software development companies known for writing secure applications will gain a competitive advantage over those shops that still see cybersecurity as a hassle. It is yet another example of what DevOps brings to the table for any application engineering organization.

Regularly come back to the Betica Blog for additional dispatches from the wide world of software development. As always, thanks for reading!