DevOps ushered in a new ecosystem for software development. It took two siloed areas, development and operations, and created a new framework and culture. However, it still wasn’t complete. Security wasn’t in the conversation. Hence, the pivot to DevSecOps, wherein security joined the pillars of development and operations. With all three now in a collaborative environment, do organizations now have the complete picture? Not yet. Gaps in DevSecOps still exist, but you can overcome them.
Why must security be a part of the process?
Security being a barrier for development and operations is really a myth—though it does have real-world consequences. A survey found that 68 percent of DevOps professionals said their CEOs often prioritize acceleration over security.
But does security need to be compromised for speed? Not with a DevSecOps foundation because security is part of the project from the beginning, and secure by design is part of the culture. Leaving security out of the equation is just a calculation for risk—risk in delivering a product that doesn’t meet user expectations and exposure due to security lapses.
Understanding the potential for greater risk and a need to be security-first, what are the current gaps and the keys to bridging them?
What are the current DevSecOps gaps, and what can be done to bridge them?
In defining the current DevSecOps gaps, there are several areas for inclusion.
The Cybersecurity Skills Gap
Cybersecurity is an ever-evolving discipline. Finding those with the right experience to take on the task in the real world can be daunting. A survey found that 74 percent of cybersecurity professionals say lack of expertise in the field impacted their organization. Those impacts varied from increasing workloads to the adoption of technologies to affecting the ability for deeper alignment between security and business objectives.
The most logical solution is to upskill current employees and keep them current on what’s next. Organizations can also strategize on DevOps recruiting to focus on security skill sets.
Cybersecurity Staff Shortages
The pandemic caused shifts in technology spending, resulting in layoffs, according to one 2020 cybersecurity workforce study.
More people joined the field in 2020, but that doesn’t mean companies staffed up. In the study, 56 percent of respondents said their organization is at risk because of staff shortages.
To cure this gap, companies can reallocate dollars to security professionals. It’s never been more important to be secure in a landscape of accelerated digital transformation. Security really shouldn’t be on the budget chopping block. Another possibility is to employ automation tools that reduce manual work, so the people you do have can focus on high-level work.
Erroneous Mindset of Security vs. Development
A big gap that’s not as visible as a lack of skills or staff is that a DevSecOps team is often in an us-versus-them showdown. Preconceived notions and erroneous mindsets in this manner are destructive for the DevSecOps culture and the company’s success.
In DevSecOps, every team member has shared accountability for security. Some roles aren’t actively doing the security work, but it needs to be a factor in every decision.
To solve this challenge, organizations need to have a clear message. Security actually supports agility; it doesn’t hamper it. Streamlining it with automation tools can speed up deployments without impacting security.
Further, there needs to be a strengthening of the DevSecOps culture to be one of trust. You can do this by creating working teams that collaborate and communicate on best practices, such as standardizing coding rules and other elements.
Failure to Threat Model
Threat modeling teaches all DevOps professionals how to think through and mitigate security challenges with new features. Failure to do this causes challenges. Thus, organizations need to perform threat modeling outside the pipeline. It’s a process, not a tool. Integrating threat modeling with new feature assignments is critical, as is teaching everyone how to do it.
Lack of Cross-Functional Support
DevSecOps teams can agree that security is essential. However, the gap will grow larger if appropriate time isn’t available to make it important. A survey found that 70 percent of professionals find a lack of cross-functional support to be a challenge.
Automation can shrink timelines, but they shouldn’t be the only line of defense. Ultimately, developers aren’t security experts, and security experts aren’t developers. They need to have support from one another. The solution is to construct intuitive workflows that integrate automation but ensure security experts complete the review.
What are some real-world examples of DevSecOps gaps?
Talking about gaps abstractly is a good foundation, but looking at real-world examples makes it tangible. Here are a few.
Nest “Smart” Thermostat Update
Consumers find “smart” devices convenient and practical, and adoption is growing. That doesn’t mean they always work. In 2016, Nest ran an update to their device, but the glitch literally left users in the cold. The upgrade drained the thermostat’s battery, letting the temperature drop. The problem? A firmware update error that may have been avoidable with DevSecOps.
Ola Software Security Flaws
Ola is India’s largest taxi aggregator. Unfortunately, in 2015, Ola had a tiny issue that turned into a major one. It allowed people to game the system and get free rides. A software engineer and security firm exposed the app's vulnerabilities, which caused reputational harm to the company.
Fortnite is one of the most popular games in the world, with more than 200 million users. It all goes back to an unsecured webpage from 2004 created by the game’s developer, Epic Games. A firm found the flaw, which allowed hackers to gain entrance into player accounts, including personal information, through multiple vulnerabilities on the platform. A required patch was never deployed, leading to exposure of personal data for millions.
Toyota Cars Accelerating Autonomously
Toyota has always been an admired company and very technology-forward. Sudden acceleration by Toyota cars caused many accidents and deaths. The cause was that the software in the cars had multiple security issues and systems with single points of failure. Millions of vehicles were recalled, and Toyota eventually agreed to pay $1.2 billion to avoid prosecution.
Security failures are more likely without bridging the DevSecOps gap.
DevSecOps is a trifecta of all the critical elements to ensure secure, fast, and reliable software deployment. Any gaps in the framework could spell failure, leading to breaches, frustrated or endangered end users, and reputational harm.
To close the gap, you’ll likely need to revamp your team to ensure you have the right talent. We can help. Contact our expert DevOps recruiters today to learn more.