{"id":2699,"date":"2019-09-27T05:52:18","date_gmt":"2019-09-27T05:52:18","guid":{"rendered":"https:\/\/limelightpeople.com.au\/?p=2699"},"modified":"2019-09-27T05:52:18","modified_gmt":"2019-09-27T05:52:18","slug":"dev-secops-the-past-and-future-of-cybersecurity","status":"publish","type":"post","link":"https:\/\/limelightpeople.com.au\/information-tech\/dev-secops-the-past-and-future-of-cybersecurity\/","title":{"rendered":"DEVSECOPS: THE PAST AND FUTURE OF CYBERSECURITY"},"content":{"rendered":"

In 2019, DevSecOps is the buzz, but what exactly is the buzz all about, and why is DevSecOps a thing? Where did it come from, and where is it going, and why? Well, the answers to all those questions relate to how software has changed, and how the way we store data has altered. <\/span><\/p>\n

What\u2019s driving the DevSecOps movement right now is necessity. The left-shift to DevOps in recent years has resulted in faster and more flexible coding, but the trade-off so far has been a massive increase in vulnerabilities and an urgent need for better cybersecurity. <\/span><\/p>\n

DevOps was initially driven by hungry startups \u2013 by their very definition, hugely scalable and hungry to grow fast \u2013 but the speed of deployment and dynamic software solutions that DevOps allowed went mainstream pretty quickly. Venture capital investment in DevOps-related companies is through the roof, ITProPortal<\/i> estimates the market is worth $50 billion<\/span><\/a>. However, there\u2019s an obvious need to add value to DevOps products by improving security, and we\u2019re going to look at why that is, so let\u2019s go back to where it all started.\u00a0<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

\n
A Brief History of the Software Development Life Cycle<\/b><\/div>\n
<\/div>\n<\/div>\n

 <\/p>\n

In the beginning, there was Waterfall<\/span><\/a> \u2013 a cumbersome and slow method for software development. Waterfall was conceived back in the 1950s, it was based on the principle that development was a series of steps, and that each step must be completed and fully verified before the next could begin. Waterfall projects were a siloed approach and consisted of three primary teams. Developers wrote the code. Operations controlled resources and frameworks while assessing and maintaining functionality. Security personnel manually tested for vulnerabilities when all the code was written. Waterfall was slow, and deployments were infrequent, but with few modifications, the model endured for decades.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
\"\"<\/div>\n
Agile<\/b><\/div>\n<\/div>\n

 <\/p>\n

In 2001, software development finally changed when the AgileManifesto<\/span><\/a> appeared. Agile aspired to be a new model and spoke of speedy and continuous delivery, and increased flexibility. Agile was the first step in matching the potential of IT and the global reach of the internet with software worthy of enabling it to host a technological and commercial revolution. <\/span><\/p>\n

The AgileManifesto was a community reaction to slow and inefficient software development, at a time when demand for something more quickly scalable was increasing. Agile improved things by taking much of the rigidity out of project management, but it didn\u2019t solve everything \u2013 and real flexibility remained a little way down the road.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
Software Eating Big Business<\/b><\/span><\/div>\n
\"\"<\/div>\n<\/div>\n

 <\/p>\n

It\u2019s helpful at this point to remember that attitudes to the internet and software were constantly changing. The disruptive power of code was becoming harder and harder to ignore \u2013 both for traditional retailers, and investors. As Netscape co-founder Marc Andreessen put it in a 2011 Wall Street Journal<\/i> article<\/span><\/a>, software was eating the world \u2013 or at least, devouring traditional companies at a rapid rate. <\/span><\/p>\n

\u201cSix decades into the computer revolution, four decades since the invention of the microprocessor, and two decades into the rise of the modern Internet, all of the technology required to transform industries through software finally works and can be widely delivered at a global scale.\u201d <\/span><\/p>\n

Internet-based companies had the potential to scale \u2013 rapidly \u2013 and internet retail was a fast-approaching future. Nowhere had the revolutionary potential of internet companies ever been more apparent as when Borders<\/span><\/a> made the ultimately fatal decision in 2001 to turn its online business over to Amazon.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
\"\"<\/div>\n
The Rise of DevOps and the Need for DevSecOps<\/b><\/span><\/div>\n<\/div>\n

 <\/p>\n

Agile moved things forward by involving clients and removing some of the project management red tape, but operations were still very much siloed. The world needed an even faster software development model, and DevOps emerged with the promise to make the \u201ccontinuous delivery of valuable software\u201d aspired to in the AgileManifesto a reality. <\/span><\/p>\n

Continuous delivery demanded organisations that built, tested and delivered updates to software \u2013 continuously. Using an automated toolchain and continually improving code along the way resulted in software which was permanently ready to deploy. DevOps had suddenly made software development lightning quick \u2013 but, it had happened lightning fast. Operations people started thinking more about day-to-day development, and developers benefitted from the automated systems that operations had put in place to help everything run smoothly.<\/span><\/p>\n

DevOps gained momentum without manifesto or definition, it was based on a spirit of collaboration between development and operations teams, which ultimately arose because of a need to make things happen quickly. Commerce is what changed software, and it\u2019s what drove the move away from traditional development. However, security missed the DevOps boat because past methods just couldn\u2019t keep up with the pace. Legacy security practices had worked when applied to the year-long deployment cycles of Waterfall, but the automated pipelines of continuous delivery in the DevOps age demanded security which was just as agile and could keep up with multiple daily deployments. Security needed to evolve too, and SecOps had become inevitable.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
The DevSecOps Manifesto<\/b><\/span><\/div>\n
\"\"<\/div>\n<\/div>\n

 <\/p>\n

The DevSecOps Manifesto<\/span><\/a> calls for \u201cSecurity as Code,\u201d and prompts security people to think more like coders. The only way to make that happen is to get security involved from the very start of the development lifecycle. Operations and developers learned to work together to make DevOps happen, and now, security has joined the party. In short and as the name suggests, DevSecOps is DevOps \u2013 with security. <\/span><\/p>\n

DevSecOps makes security everyone\u2019s responsibility. The idea is to write security into the code \u2013 not to treat it as an afterthought \u2013 and to automate much of the testing to keep things fast. It\u2019s an inevitable consequence of the way DevOps has empowered IT professionals and upped the software development ante. DevSecOps brings protection to the pipeline and adds value to products, by bringing once-siloed teams together to create software that is superior in both its rate of delivery and its resistance to penetration. DevSecOps does so by making security \u2018part of the build\u2019 \u2013 it\u2019s one of the integral components that make up robust, reliable, and high-quality software.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
\"\"<\/div>\n
DevSecOps \u2013 the Early and Late Adopters<\/b><\/span><\/div>\n<\/div>\n

 <\/p>\n

For younger companies, founded in the cloud, DevOps with security probably just seems like a no-brainer. For decision-makers in larger organisations, however, the transition may sometimes seem harder to make. Talk to many C-level people about replacing extensive legacy systems and redefining company culture – they\u2019ll see your lips moving, but many of them will just hear cost and effort. The fact is, however, that information can cost a whole lot more to lose \u2013 especially in a climate of increasing compliance legislation \u2013 and reputations can be hard to rebuild.<\/span><\/p>\n

DevOps brought rapid software production, at a cost. A freer approach to development, combined with migration to the cloud left gaping holes in security, and bad actors are all over that fact. Consider the recent study<\/span><\/a> carried out by KPMG and Oracle, which found that 45% of companies had faced attacks on known, but unresolved cloud-based app vulnerabilities. Add the fact that IBM estimates the average cost<\/span><\/a> of a data breach to be US$3.92 million, and DevSecOps begins to look like a no-brainer for everyone.<\/span><\/p>\n

Another recent study found that access to sensitive data such as source code and session identifiers was possible in 79%<\/span><\/a> of web applications examined \u2013 up from 60% in 2016. The reality in 2019 is that DevOps has produced a more dynamic internet environment for companies \u2013 and a happy hunting ground for hackers. That\u2019s why Gartner<\/span><\/a> predicts the Australian IT security market will be worth $3.9 billion in 2019. The fact is that the quicker we produce code and applications, the faster<\/span><\/a> the hackers react. The only predictable thing about the worth of the IT security market is that it will rise.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
The Worth of DevSecOps and Automated Security Tooling<\/b><\/span><\/div>\n
\"\"<\/div>\n<\/div>\n

 <\/p>\n

Australia Post moved their huge continuous delivery operation to Amazon\u2019s AWS back in 2013. As reported<\/span><\/a> by IT News<\/i> in May, running Australia Post products and services means eight to twelve production drops daily and Head of Security, Steven Stojanovski says that the pace of change after their switch to the cloud meant a DevSecOps approach quickly became essential. \u201cAll of our teams are co-located, which means that we’ve got business stakeholders sitting amongst our engineers, and we even got security staff in that mix.\u201d<\/span><\/p>\n

While many of the benefits of automated tools and a DevSecOps culture accumulate over time, for Australia Post, one key result is striking. Stojanovski says that remediation of a security violation on their pipeline is rapid, \u201cWe\u2019re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we\u2019d be able to achieve if we were using a more traditional approach. If we were trying to tackle these sorts of things without the help of automation, we might be talking about hours to remediate, days to remediate, weeks to remediate.\u201d Stojanovski adds that 70,000 checks every month result in remediation and that the process costs Australia Post just $5 to run.<\/span><\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

\n
\"\"<\/div>\n
DevSecOps: More Personnel = More Revenue + Less Breaches<\/b><\/span><\/div>\n<\/div>\n

 <\/p>\n

DevSecOps represents a workable, affordable, and robust solution to present-day global cybersecurity needs, building on the reforms of DevOps and continuing a new collaborative approach to software development. However, in addition to automation, there\u2019s also a need to take a new approach to recruitment.<\/span><\/p>\n

As the DevOps revolution prompted a need for flexible professionals with the ability to work across operations and traditional developer roles, DevSecOps presents a demand for a new breed of workers who feel at home with both coding and security \u2013 and here in Australia, we\u2019re currently coming up short. <\/span><\/p>\n

AustCyber<\/a><\/span> is a government-funded not for profit organisation that seeks to advance the cybersecurity industry in Australia. While it acknowledges the potential of the market and increasing sophistication of cyber adversaries, it warns that Australia is missing out to the tune of hundreds of millions of dollars in cybersecurity revenue<\/span><\/a> each year, because of a lack of qualified staff. <\/span><\/p>\n

The available rewards which DevSecOps offers to flexible Australian cybersecurity staff are many. DevSecOps has long emerged from buzzword status and become a growing market where the skillset is new, and opportunities for career development are made inevitable by that fact. <\/span><\/p>\n

Last year\u2019s study by Malwarebytes illustrates perfectly the lengths that companies of all sizes are going to in order to attract and retain the right security talent. Australia is the higher payer globally \u2013 an indicator of how tricky it can be to identify a DevSecOps skillset. Australian entry-level salaries of $95,000, rising to $155,000<\/span><\/a> for senior roles in IT security, are a consequence of the developing DevSecOps job market. Often, engineers have been accumulating the skills required in DevSecOps for years while designing internal company security tools \u2013 but a simple keyword recruitment search will almost always fail to identify such attributes.<\/span><\/p>\n

 <\/p>\n

\"\"<\/p>\n

 <\/p>\n

That\u2019s why specialist recruitment partners, such as Limelight People, are driving DevSecOps recruitment in Australia \u2013 helping companies, and ultimately the IT security market to overcome a shortage of candidates \u2013 and reach its full multi-billion dollar annual projection. <\/span><\/p>\n

Limelight People are always interested speaking to security minded Engineers & DevOps specialists. Feel free to get in touch any time to discuss the market. <\/span><\/p>\n

David Steven – ds@limelightpeople.com.au<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

In 2019, DevSecOps is the buzz, but what exactly is the buzz all about, and why is DevSecOps a thing? Where did it come from, and where is it going, and why? Well, the answers to all those questions relate to how software has changed, and how the way we store data has altered. What\u2019s…<\/p>\n","protected":false},"author":8,"featured_media":2734,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","footnotes":""},"categories":[60,61],"tags":[],"class_list":["post-2699","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-tech","category-marketing"],"acf":[],"_links":{"self":[{"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/posts\/2699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/comments?post=2699"}],"version-history":[{"count":0,"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/posts\/2699\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/media\/2734"}],"wp:attachment":[{"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/media?parent=2699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/categories?post=2699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/limelightpeople.com.au\/af-api\/wp\/v2\/tags?post=2699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}