DevSecOps aims to bring security into the fold, moving it directly into the software development lifecycle. DevSecOps and the “shift left” movement need no introduction on The New Stack in 2020. DevOps, engineering and security have all been talking about embedding security earlier in the development lifecycle for years now. And there are some successes — AppSec and container security have certainly had their “shift left” moments, with tools like Snyk spearheading the way to put security tooling in the hands of developers.
This post is the first of two posts on why DevSecOps can end up backfiring within cloud native organizations and what you can do about it.
Cloud security, on the other hand, has lagged on the DevSecOps front. Without confusing correlation with causation, we’re dealing with the consequences. Cloud misconfiguration is the number one cause of data breaches — which are just getting more expensive, while executives are only getting more concerned about them.
In the past year, while building the Bridgecrew platform, we’ve talked with many teams to understand their cloud security wins and challenges. Collaboration between security and DevOps was a common (if not the most common) topic of discussion. We heard how some cloud native engineering and security teams are incorporating far-left DevSecOps in the cloud super successfully. We also heard about how DevSecOps has backfired for others, creating almost insurmountable bottlenecks. In a two-part series of posts, we’ll share the common themes we heard on both sides.
It’s no secret that the motivations of DevOps and security are often at odds. DevOps is motivated by working iteratively and moving fast, while security gets a bad rap for being a hindrance.
DevSecOps is supposed to fix this — integrating security into the development lifecycle by embedding security checks into code review processes via CI/CD — but cloud security isn’t quite there. The current cloud security model has traditionally been concerned with the security and compliance of already deployed resources. While effective up to a certain point, that model operates, by design, outside of the development lifecycle. It’s reactive rather than proactive, and is often made redundant by the agile processes it runs asynchronously alongside. The same goes for GRC tooling and auditing, wherein point-in-time analysis of cloud environments occurs outside of engineering sprints and DevOps processes.
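To make the reactive-versus-proactive contrast concrete, here is an added example (not Bridgecrew's code and not from the original post) of the shift-left half: a small Python check that a CI job runs against a Terraform JSON-syntax file before anything is deployed, failing the build on two of the most common cloud misconfigurations. The sample configuration, the resource names and the two rules are constructed for illustration.

```python
import json
import sys

# Constructed sample .tf.json: one public bucket, one private bucket and a
# security group that exposes SSH to the whole internet.
SAMPLE_TF_JSON = """{
  "resource": {
    "aws_s3_bucket": {
      "logs":   {"bucket": "example-logs", "acl": "public-read"},
      "assets": {"bucket": "example-assets", "acl": "private"}
    },
    "aws_security_group": {
      "bastion": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                               "cidr_blocks": ["0.0.0.0/0"]}]}
    }
  }
}"""

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY_IPV4 = "0.0.0.0/0"


def scan(config):
    """Return findings ('type.name: reason') for a parsed Terraform JSON config."""
    findings = []
    resources = config.get("resource", {})
    for name, attrs in resources.get("aws_s3_bucket", {}).items():
        if attrs.get("acl") in PUBLIC_ACLS:
            findings.append(f"aws_s3_bucket.{name}: acl is {attrs['acl']}")
    for name, attrs in resources.get("aws_security_group", {}).items():
        rules = attrs.get("ingress", [])
        # Terraform JSON lets a nested block be one object or a list of them.
        for rule in rules if isinstance(rules, list) else [rules]:
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            if ANY_IPV4 in rule.get("cidr_blocks", []) and lo <= 22 <= hi:
                findings.append(f"aws_security_group.{name}: SSH open to {ANY_IPV4}")
    return findings


def main(path=None):
    """CI entry point: a non-zero exit blocks the merge when anything is flagged."""
    text = open(path).read() if path else SAMPLE_TF_JSON
    findings = scan(json.loads(text))
    for finding in findings:
        print("FAIL", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run as `python check_tf.py infra.tf.json` from a pipeline step; the same two conditions, found after deployment by a runtime scanner, would already be a live exposure rather than a blocked pull request.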
If you work in DevOps, it’s easy to feel like the security team is there to make your job harder. Likewise, if you are a security engineer, you may sense that DevOps doesn’t share your priorities and will never take security as seriously as you’d like.