In 2019, DevSecOps is the buzz, but what exactly is the buzz all about, and why is DevSecOps a thing? Where did it come from, where is it going, and why? The answers to all of those questions relate to how software development has changed, and how the way we store and handle data has changed with it.
What's driving the DevSecOps movement right now is necessity. The shift to DevOps in recent years has produced faster and more flexible delivery of code, but the trade-off so far has been a much larger and faster-changing attack surface, with vulnerabilities reaching production as quickly as features do, and an urgent need for security practices that can keep up.
DevOps was initially driven by hungry startups – by their very definition, hugely scalable and hungry to grow fast – but the speed of deployment and dynamic software solutions that DevOps allowed went mainstream pretty quickly. Venture capital investment in DevOps-related companies is through the roof; ITProPortal estimates the market is worth $50 billion. However, there's an obvious need to add value to DevOps products by improving security, and we're going to look at why that is, so let's go back to where it all started.
In the beginning, there was Waterfall – a cumbersome and slow method for software development. Its roots go back to the 1950s, and it was based on the principle that development was a series of steps, each of which must be completed and fully verified before the next could begin. Waterfall projects were siloed, with three primary teams. Developers wrote the code. Operations controlled resources and frameworks while assessing and maintaining functionality. Security personnel manually tested for vulnerabilities once all the code was written. Waterfall was slow, and deployments were infrequent, but with few modifications the model endured for decades.
In 2001, software development finally changed when the Agile Manifesto appeared. Agile proposed a new model built around early and continuous delivery, and greater flexibility in responding to change. Agile was the first step in matching the potential of IT and the global reach of the internet with software worthy of enabling it to host a technological and commercial revolution.
The Agile Manifesto was a community reaction to slow and inefficient software development, at a time when demand for something more quickly scalable was increasing. Agile improved things by taking much of the rigidity out of project management, but it didn't solve everything – and real flexibility remained a little way down the road.
It’s helpful at this point to remember that attitudes to the internet and software were constantly changing. The disruptive power of code was becoming harder and harder to ignore – both for traditional retailers, and investors. As Netscape co-founder Marc Andreessen put it in a 2011 Wall Street Journal article, software was eating the world – or at least, devouring traditional companies at a rapid rate.
“Six decades into the computer revolution, four decades since the invention of the microprocessor, and two decades into the rise of the modern Internet, all of the technology required to transform industries through software finally works and can be widely delivered at a global scale.”
Internet-based companies had the potential to scale – rapidly – and internet retail was a fast-approaching future. Nowhere had the revolutionary potential of internet companies ever been more apparent than when Borders made the ultimately fatal decision in 2001 to turn its online business over to Amazon.
Agile moved things forward by involving clients and removing some of the project management red tape, but operations were still very much siloed. The world needed an even faster software development model, and DevOps emerged with the promise to make the "continuous delivery of valuable software" aspired to in the Agile Manifesto a reality.
Continuous delivery demanded organisations that built, tested and delivered software updates continuously. An automated toolchain, with code continually improved along the way, produced software that was permanently ready to deploy. DevOps made software development lightning quick, and the change itself happened just as fast. Operations people started thinking more about day-to-day development, and developers benefitted from the automated systems that operations had put in place to keep everything running smoothly.
DevOps gained momentum without a manifesto or a definition. It was based on a spirit of collaboration between development and operations teams, which ultimately arose from a need to make things happen quickly. Commerce is what changed software, and it's what drove the move away from traditional development. However, security missed the DevOps boat because past methods just couldn't keep up with the pace. Legacy security practices had worked when applied to the year-long deployment cycles of Waterfall, but the automated pipelines of continuous delivery in the DevOps age demanded security that was just as agile and could keep up with multiple daily deployments. Security needed to evolve too, and DevSecOps had become inevitable.
The DevSecOps Manifesto calls for “Security as Code,” and prompts security people to think more like coders. The only way to make that happen is to get security involved from the very start of the development lifecycle. Operations and developers learned to work together to make DevOps happen, and now, security has joined the party. In short and as the name suggests, DevSecOps is DevOps – with security.
DevSecOps makes security everyone’s responsibility. The idea is to write security into the code – not to treat it as an afterthought – and to automate much of the testing to keep things fast. It’s an inevitable consequence of the way DevOps has empowered IT professionals and upped the software development ante. DevSecOps brings protection to the pipeline and adds value to products, by bringing once-siloed teams together to create software that is superior in both its rate of delivery and its resistance to penetration. DevSecOps does so by making security ‘part of the build’ – it’s one of the integral components that make up robust, reliable, and high-quality software.
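"Security as code" in the sense the paragraph above describes amounts to turning a policy document into checks that execute on every commit, with the pipeline failing or fixing things rather than waiting for a manual review at the end. The following is an added example written for this page, not code from the original article or from any organisation it mentions. The resource format, the rule names and the sample resources are assumptions constructed for illustration; a real gate would load its input from an infrastructure-as-code template or a cloud API instead.

```python
"""Security as code: a pipeline gate that evaluates a cloud resource inventory
against codified rules, auto-remediates where that is safe, and blocks the
build on anything it cannot safely fix.

Added example for this page; not the article's or any organisation's code.
The resource schema and rules are assumptions made for illustration.
"""
import copy
import json
from dataclasses import dataclass

# Constructed sample input (an assumption): the kind of inventory a CI job
# might build from an IaC template before deploying it.
SAMPLE_RESOURCES = [
    {"type": "storage_bucket", "name": "customer-exports",
     "public_read": True, "encryption": None},
    {"type": "security_group", "name": "web-sg", "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"type": "database", "name": "orders-db",
     "publicly_accessible": True, "encryption": "aes256"},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open to the whole internet


@dataclass
class Finding:
    rule: str
    resource: str
    severity: str
    remediated: bool = False


# Checks return True when the resource violates the rule; fixes mutate the
# (copied) resource in place. A rule without a fix is report-only.
def _bucket_public(r):
    return r.get("public_read") is True


def _fix_bucket_public(r):
    r["public_read"] = False


def _bucket_unencrypted(r):
    return not r.get("encryption")


def _fix_bucket_unencrypted(r):
    r["encryption"] = "aes256"


def _sg_admin_open(r):
    return any(i["port"] in ADMIN_PORTS and i["cidr"] == "0.0.0.0/0"
               for i in r.get("ingress", []))


def _fix_sg_admin_open(r):
    # Drop only the offending entries; legitimate rules (443 here) survive.
    r["ingress"] = [i for i in r["ingress"]
                    if not (i["port"] in ADMIN_PORTS and i["cidr"] == "0.0.0.0/0")]


def _db_public(r):
    return r.get("publicly_accessible") is True


# No auto-fix for databases: flipping accessibility can break live clients,
# so this one is reported and left for a human to decide.
RULES = [
    ("BUCKET_PUBLIC_READ", "high", "storage_bucket", _bucket_public, _fix_bucket_public),
    ("BUCKET_UNENCRYPTED", "medium", "storage_bucket", _bucket_unencrypted, _fix_bucket_unencrypted),
    ("SG_ADMIN_PORT_OPEN", "high", "security_group", _sg_admin_open, _fix_sg_admin_open),
    ("DB_PUBLIC", "high", "database", _db_public, None),
]


def evaluate(resources, auto_remediate=True):
    """Run every rule over every resource. Returns (findings, remediated copy);
    the input list is never mutated, so the gate is safe to re-run."""
    fixed = copy.deepcopy(resources)
    findings = []
    for r in fixed:
        for rule_id, severity, rtype, check, fix in RULES:
            if r["type"] != rtype or not check(r):
                continue
            finding = Finding(rule_id, r["name"], severity)
            if auto_remediate and fix is not None:
                fix(r)
                finding.remediated = True
            findings.append(finding)
    return findings, fixed


def gate(resources, fail_on=("high",)):
    """Pipeline gate: returns (exit_code, findings, remediated resources).
    Exit code is 1 only when an unremediated finding at a fail_on severity remains."""
    findings, fixed = evaluate(resources)
    blocking = [f for f in findings if f.severity in fail_on and not f.remediated]
    return (1 if blocking else 0), findings, fixed


if __name__ == "__main__":
    code, findings, fixed = gate(SAMPLE_RESOURCES)
    for f in findings:
        status = "auto-remediated" if f.remediated else "BLOCKING"
        print(f"{f.severity:6} {f.rule:20} {f.resource:18} {status}")
    print(json.dumps(fixed, indent=2))
    raise SystemExit(code)
```

Run as a CI step, the script's exit code is the gate: three of the four violations in the sample are fixed in the generated inventory without human involvement, while the publicly reachable database is reported and fails the build, because a fix that could take a production service offline is exactly the kind of decision automation should escalate rather than make. The checks stay in version control next to the application, so a change to policy is a reviewed commit rather than a wiki edit.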
For younger companies, founded in the cloud, DevOps with security probably just seems like a no-brainer. For decision-makers in larger organisations, however, the transition may sometimes seem harder to make. Talk to many C-level people about replacing extensive legacy systems and redefining company culture – they’ll see your lips moving, but many of them will just hear cost and effort. The fact is, however, that information can cost a whole lot more to lose – especially in a climate of increasing compliance legislation – and reputations can be hard to rebuild.
DevOps brought rapid software production, at a cost. A freer approach to development, combined with migration to the cloud, left gaping holes in security, and bad actors are all over that fact. Consider the recent study carried out by KPMG and Oracle, which found that 45% of companies had faced attacks on known but unresolved cloud-based app vulnerabilities. Add the fact that IBM estimates the average cost of a data breach to be US$3.92 million, and DevSecOps begins to look like a no-brainer for everyone.
Another recent study found that access to sensitive data such as source code and session identifiers was possible in 79% of web applications examined – up from 60% in 2016. The reality in 2019 is that DevOps has produced a more dynamic internet environment for companies – and a happy hunting ground for hackers. It's no surprise, then, that Gartner predicts the Australian IT security market will be worth $3.9 billion in 2019. The quicker we produce code and applications, the faster the attackers react, and the only predictable thing about the worth of the IT security market is that it will rise.
Australia Post moved its huge continuous delivery operation to Amazon's AWS back in 2013. As reported by IT News in May, running Australia Post's products and services means eight to twelve production drops daily, and Head of Security Steven Stojanovski says that the pace of change after the switch to the cloud meant a DevSecOps approach quickly became essential. "All of our teams are co-located, which means that we've got business stakeholders sitting amongst our engineers, and we even got security staff in that mix."
While many of the benefits of automated tools and a DevSecOps culture accumulate over time, for Australia Post, one key result is striking. Stojanovski says that remediation of a security violation on their pipeline is rapid, “We’re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we’d be able to achieve if we were using a more traditional approach. If we were trying to tackle these sorts of things without the help of automation, we might be talking about hours to remediate, days to remediate, weeks to remediate.” Stojanovski adds that 70,000 checks every month result in remediation and that the process costs Australia Post just $5 to run.
DevSecOps represents a workable, affordable, and robust solution to present-day global cybersecurity needs, building on the reforms of DevOps and continuing a new collaborative approach to software development. However, in addition to automation, there’s also a need to take a new approach to recruitment.
As the DevOps revolution prompted a need for flexible professionals with the ability to work across operations and traditional developer roles, DevSecOps presents a demand for a new breed of workers who feel at home with both coding and security – and here in Australia, we’re currently coming up short.
AustCyber is a government-funded not-for-profit organisation that seeks to advance the cybersecurity industry in Australia. While it acknowledges the potential of the market and the increasing sophistication of cyber adversaries, it warns that Australia is missing out on hundreds of millions of dollars in cybersecurity revenue each year because of a lack of qualified staff.
The rewards that DevSecOps offers to flexible Australian cybersecurity staff are many. DevSecOps has long since emerged from buzzword status and become a growing market in which the skillset is new, and that alone makes opportunities for career development inevitable.
Last year's study by Malwarebytes illustrates perfectly the lengths that companies of all sizes are going to in order to attract and retain the right security talent. Australia is the highest payer globally – an indicator of how tricky it can be to identify a DevSecOps skillset. Australian entry-level salaries of $95,000, rising to $155,000 for senior roles in IT security, are a consequence of the developing DevSecOps job market. Often, engineers have been accumulating the skills required for DevSecOps for years while designing internal company security tools – but a simple keyword recruitment search will almost always fail to identify such attributes.
That’s why specialist recruitment partners, such as Limelight People, are driving DevSecOps recruitment in Australia – helping companies, and ultimately the IT security market to overcome a shortage of candidates – and reach its full multi-billion dollar annual projection.
Limelight People are always interested in speaking to security-minded engineers and DevOps specialists. Feel free to get in touch any time to discuss the market.
David Steven – ds@limelightpeople.com.au