Companies that develop software but don't bake security in during development do so at their own peril, says Intrust's Dave Hatter in a recent TechTarget article. Moving from DevOps to DevSecOps is going to require fundamental shifts in both thinking and operations. Some finesse is required to help developers and security practitioners work well together, Hatter said.
"As an application developer, I usually saw the security team as a giant impediment slowing me down, reducing my productivity and coming up with, what seemed to me at the time, ridiculous controls," Hatter said in the article.
DevSecOps Struggle Is Real
The article points to challenges DevSecOps face, including collaboration, role definition and the lack of skilled workers in this field.
But, Hatter is optimistic. "There is enormous opportunity here to see huge productivity gains, as well as massive improvements in the security and quality of code," he said.
In the DevSecOps model, security practitioners are involved from the design stage onward. This is as opposed to trying to make an application secure after its functionality is set. Proponents feel this leads to safer software across the board because continuous testing and improvement counterbalance emerging threats.
However, a DevSecOps shop is rarely built in a day. A recent survey by Enterprise Strategy Group found that, while 55% of IT and cybersecurity professionals said they have incorporated some degree of security into DevOps workflows. But, just 33% reported involving security teams from a new project's inception.
To execute a successful, meaningful shift to DevSecOps, security leaders and practitioners must consider culture, processes, tools and skill sets.
At Intrust-IT, our custom IT projects offerings include IT consulting on questions like when to bring in cyber security and planning in your product development.
Read the entire TechTarget article on DevSecOps here.