
Seven reasons why DevSecOps programs fail

As the practice of DevOps grew, security was somewhat left behind. In bringing together development and operations, we missed integrating security deeply into these two disciplines. As a result, security was reduced to an afterthought, relegated to a place where its complexities weren’t adequately addressed. 


Organizations are now trying hard to retrofit security into DevOps. However, the expectations, practices and implementations around how they go about it are often primed for failure. In this article, we draw from our experience with successful security implementations, and the many failures on the way, to debunk common misconceptions, explore pitfalls and recommend best practices for getting DevSecOps right.


We believe this is especially relevant in the midst of the recent DevSecOps buzz. DevSecOps isn't a new concept; it's merely experiencing a resurgence in popularity. However, let us not be swept away by the hype. Instead, we must recognize the urgency of investing in this transformative paradigm.


1. Overlooking agility


Organizations often pursue security independently, as though it can swiftly adapt and become agile on its own. This is a fundamentally flawed outlook. No single project or product stream, security included, can be agile on its own, because no stream is ever fully independent of the rest. Agility must permeate the entire organization as a culture.

To enable this, start with a focused stream of implementation. Simultaneously, establish a robust support structure that includes fallback plans, resources, expertise, guidance, automation and necessary investments. Ensure that the implementation itself follows an agile approach for swift results and continuous progression through iterative cycles fueled by valuable feedback.


2. Gaps in accountability


In most organizations, there is a ‘security team,’ which is solely responsible for security-related issues. This structure isolates security from DevOps, compounding the challenges discussed in the previous section. 


Prevent this by creating a culture of security with decentralized ownership and decision-making. Promote a sense of shared responsibility. Include champions who truly understand and care about security in implementation teams and business units. Empower them to guide their teams to make sure security initiatives are successful.  


Encourage team members across various roles to integrate security considerations within their spheres of work. By finding ways to inject security seamlessly into the workflow, you can cultivate a security-conscious mindset without creating unnecessary obstacles.


3. The trap of tool-centricity 


For many, DevSecOps merely means integrating security tools into pipelines. That is both a misconception and a mistake. Worse, many adopt commonly used tools unthinkingly, assuming one size fits all. While security tools are necessary, they are only a small part of the larger program, which involves development, operations, processes and the organizational culture itself.


Put the needs and goals of your organization at the center of your security programs. Conduct thorough assessments tailored to your specific needs for every tool you are considering. Evaluate the ROI of manual versus automated processes to make the right investment decisions. Remember that effective tools matter, but strategy matters more.


4. Underestimating maintenance of automation


Automation is the bedrock of any good DevOps strategy. Yet organizations regularly underestimate and undervalue the importance of maintaining automation. A typical security tool covers a wide range of use cases and is not customized to your needs, goals, setup or environments, which leads to false positives.


While you can’t avoid false positives entirely, you can manage them. Monitor false positives throughout the evolution of your continuous integration and development strategies. Be prepared for multiple iterations and failures. Initially you may have to invest heavily to reduce false positives, but the effort drops as the tools become aligned with your environment and results follow.


5. Missing, wrong or no metrics


Despite our best efforts, we often struggle to answer the question, "How confident are we in our security program?" This stems from overlooking the complexities of implementing DevSecOps properly and neglecting the interplay of technology, culture and processes.


To proactively uncover vulnerabilities, continuously measure performance with relevant key performance indicators. As your project evolves and circumstances change, adapt your metrics too, and regularly reassess whether they still align with your goals.


6. Resisting change


A business transformation journey, at its core, is a change management program for the organization and its partners. It needs thoughtful decisions around balancing flexibility and rigidity. While we customize practices for the organization's unique needs, we must also stay true to first principles and best practices. Organic growth takes time, so be patient with change.


To achieve this, prioritize customization that aligns with your organization's unique needs while choosing tools. Invest in cultivating an internal community that thrives on knowledge-sharing and readiness for innovation. Establish a centralized platform that accommodates change management to ensure that decision-making is collaborative, progressive, and aligned with your DevSecOps objectives.


7. Implementation rush


When speed-to-market takes precedence over security, a half-baked DevSecOps implementation becomes inevitable. But ‘quick to market’ doesn’t have to mean rushed.


Instead of a sudden, all-encompassing implementation, use an iterative thin-slice approach. Begin by prioritizing essential security measures and gradually develop a cohesive, security-embracing environment. Invest in incremental, high-priority, measurable achievements that are deliberately integrated into your plan.


Avoiding the above seven common pitfalls will set a strong foundation for your DevSecOps practice. Building a robust structure on top of that foundation demands individualized strategies, assessments and implementations. As the economy, market, customer needs and organizational strategy evolve, so should the DevSecOps approach. Stay agile, adapt and steer DevSecOps toward success, greater efficiency and a long-lasting impact.


Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.