Agile development practices have existed for some time; their goal is to use modularization and short, rapid development cycles to increase the rate of software development.

DevOps was designed to fix some of the shortcomings of Agile by embracing integration in all aspects of the development process. By fostering communication between different teams, DevOps breaks down the silos that impede development. Through heavy use of automation and continuous integration and testing, DevOps enables development teams to minimize manual processes and to identify errors and issues while they still have minimal impact on release timelines. Where DevOps falls short, however, is security. While many development teams have embraced continuous functionality testing for their applications, the same cannot be said for security testing.

Security Integration for Efficient Development

For most developers, security is outside of their core skill set. The majority of developers have not received the security training that would enable them to identify exploitable vulnerabilities in their code. As a result, security testing is often the responsibility of another team, such as the quality assurance or security team, and is delayed until late in the software development lifecycle (SDLC), if it is performed at all.

The decision not to prioritize security as part of DevOps practices may have short-term benefits for release timelines, but it also carries a heavy, long-term cost to the organization. Unpatched vulnerabilities in application code add to the workload of the security analysts responsible for protecting the organization against cyber threats. Exploitation of these vulnerabilities could result in a security incident that carries heavy remediation costs, reputational damage, and regulatory consequences. The time and cost of discovering a vulnerability in production (through vulnerability scanning, bug bounty programs, or reverse engineering a successful attack) and then creating and deploying a patch are significantly higher than if the same bug had been identified and fixed during development.

Shifting Security Left in DevOps

Many organizations have acknowledged that a transition from DevOps to DevSecOps is both necessary and cost effective. By “shifting security left” in the SDLC, a company can minimize the costs associated with identifying and remediating vulnerabilities in its applications.

Making the switch to DevSecOps requires integrating security into every stage of the development process:

  • While creating use cases for a potential product, security use cases should be considered alongside features.
  • During development and testing, security tests should be created and run continuously alongside functionality tests.
  • In the testing stage of the SDLC, the application should undergo a penetration test to identify any overlooked issues.
  • Before release approval is granted, a software “bill of materials” (SBOM) should be generated outlining all of the application’s dependencies and demonstrating that none of them contain known vulnerabilities.
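As an added illustration of the last step (not code from the original article or from MorganFranklin), the following Python script reads a CycloneDX-style software bill of materials, compares each dependency against a list of advisories, and refuses release approval if any dependency falls inside a vulnerable version range. The SBOM contents, package names, and advisory identifiers are all constructed sample data.

```python
# Added example: an SBOM-based release gate. Every SBOM entry and advisory
# below is constructed sample data, not a real package or a real advisory.
import json

# Constructed CycloneDX-like SBOM fragment listing the application's dependencies.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "samplepkg", "version": "1.3.0", "purl": "pkg:pypi/samplepkg@1.3.0"},
        {"name": "examplelib", "version": "2.4.1", "purl": "pkg:pypi/examplelib@2.4.1"},
        {"name": "otherlib", "version": "0.9.0", "purl": "pkg:pypi/otherlib@0.9.0"},
    ],
})

# Constructed advisory feed: a component is affected when
# introduced <= version < fixed (hypothetical identifiers).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "examplelib", "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-ADV-0002", "name": "otherlib", "introduced": "1.0.0", "fixed": "1.0.3"},
]

def parse_version(version):
    """Turn a dotted version into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def is_affected(version, advisory):
    """True when the version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def find_vulnerable_components(sbom_json, advisories):
    """Return (name, version, advisory id) for every SBOM component matching an advisory."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings

def release_gate(sbom_json, advisories):
    """Approve the release only when no dependency matches a known advisory."""
    findings = find_vulnerable_components(sbom_json, advisories)
    for name, version, adv_id in findings:
        print(f"BLOCK: {name}@{version} is affected by {adv_id}")
    return len(findings) == 0

if __name__ == "__main__":
    print("release approved" if release_gate(SBOM_JSON, ADVISORIES) else "release blocked")
```

In a real pipeline the advisory list would come from a vulnerability database rather than a hard-coded list, and a non-zero exit from the gate would stop the deployment stage.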

By making security a core part of the development process, an organization can dramatically decrease the cost of software vulnerabilities. The average cost of correcting a vulnerability in development is $80, compared to $7,600 in production.

How MorganFranklin Can Help

MorganFranklin advisors can help an organization to develop the processes and infrastructure required to effectively shift from DevOps to DevSecOps. They offer in-depth knowledge of cybersecurity best practices and extensive experience in selecting, deploying, and configuring tools to support the integration of cybersecurity testing into DevOps pipelines.