In recent years there has been significant progress integrating security into software development lifecycles. However, software security is necessarily dynamic and evolving, which inevitably results in some fallbacks, too. The good news is that, as with any challenge, there are some positive lessons that can give us foresight into where DevSecOps is heading in 2019.
Security As a Shared Responsibility
One of the biggest pitfalls in the past few years has been that DevOps has not properly embraced the 'security-as-code' philosophy that is central to DevSecOps. Given that threat profiles are constantly evolving, security teams and release engineers need to collaborate in a flexible manner. The good news is that this is happening now. According to Gartner, in 2019, "more than 70% of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components and commercial packages, up from less than 10% in 2016."
However, shifting to DevSecOps isn't always easy, given that there are organizational challenges. Historically, security has operated in its own world, which has resulted in bottlenecks. The goal of an integrated pipeline for the continuous delivery of solid code can only be realized if the gaps between traditional IT and security are bridged. DevSecOps requires that even non-IT stakeholders acknowledge that security is a shared responsibility, which is rarely the case for most businesses.
In 2019, organizations will continue to focus on marrying two factors that have traditionally been at odds—security and speed—in an elastic, agile environment. With this approach, security issues are dealt with as they emerge, and not at some later date. If done properly, they can be addressed within each relevant iteration, without slowing down delivery cycles. This is critical, but, due to many DevOps environments not properly addressing security within native applications, scaling software in a secure manner will continue to pose serious challenges to many developers.
Leveraging the Cloud
Inevitably, the market will see separate security teams transitioning from working exclusively on layering code to engaging in a collaborative fashion with a range of stakeholders. To do that, cloud services will have an increasing role to play in 2019. The pitfalls of the past, where static layers were added in a reactive and ad hoc manner, will increasingly be replaced by security controls that take a preventive approach, and that leverage the cloud to allow for continuous integration.
Bridging the Organization Gap
The human element is critical here, as is the role played by individuals to react meaningfully and quickly to the early detection of vulnerabilities. Automated builds that accelerate development cycles, and faster response times within quality assurance testing, will put more pressure on security teams to deliver the right fix in a timely manner. This will also put more pressure on the C-suite, where the increased presence of security professionals has caused some friction.
The challenge in 2019 will be to see DevSecOps as an enabler of viable, long-term software solutions which, critically, won't slow down development. Most importantly, the message will be that baking security into DevOps is critical for the long-term viability of any product.
Finding the Right Employees to Build Better Security Practices
Over the past few years, one thing that organizations have learned is that security breaches have not always been observed first by the IT group, or even the IT security team. This is a disturbing and even frightening reality, and yet some organizations have been slow to recruit the broader employee base to be vigilant with regard to breaches. Nonetheless, the necessary cultural shift is happening, and we will see more evidence of it in 2019.
DevSecOps is a multi-year phenomenon that is really picking up steam: according to Gartner, by 2021, DevSecOps practices will be embedded in 80% of rapid development teams. That's a big increase from 2017 when it was at 15%.
[IT OUTSOURCING SERVICES | PSL deploys high-performance agile teams]
We can expect to continue to see examples of software flaws that are discovered by HR, finance, or even—and this is worrying—by B2B or even B2C customers. Of course, these various stakeholders will not be writing code, but there's no reason that their input can't play an import role in DevSecOps. This is a significant cultural shift, but by no means impossible; it can be enabled by technology, with continuous penetration and automated testing that motivates developers to be in a state of permanent vigilance, while they stay in communication—and on friendly terms—with employees throughout the enterprise.
Learning from the Past and Looking Ahead
This broad cultural shift is part of an important DevSecOps trend inspired directly by the hard lessons of the past few years, where, for some organizations, breaches have presented a significant reputational risk. Increasingly, the business community understands that every business is a digital business, with software security central to the viability of the enterprise. That said, many companies are still married to an old-school approach, where security teams work in isolation and slow things down with heavy-duty testing.
Throughout 2019, DevSecOps will help companies stay secure in the face of attacks on operational technology systems, as well as cybersecurity threats within cloud environments. For many organizations, the challenge will be to conduct code analysis, compliance monitoring, threat investigation, and vulnerability assessment, all while embracing the change management that DevSecOps requires.
It's a tall order, but the inclusion of input from stakeholders outside of the security group, and even outside of IT, will be critical to ensuring that an enterprise is as secure as possible. DevSecOps will evolve to be ever more vigilant in the face of the threat placed by shadow IT, and security training will inevitably assume a more important role. In the context of security, digital workers can be more than potentially leaky end-points—they can be sources of valuable data on how to keep enterprise IT systems secure