Why we believe DevSecOps is a redundant term
21 March 2022
Security is on everyone’s mind these days, and many are wondering what the proper approach is to keep applications secure. In this vein, DevSecOps is frequently praised as the next big thing for secure application development. We had a talk with Kilian Niemegeerts, managing partner at FlowFactor, to learn more about his interesting take on the importance of security in DevOps.
Why DevSecOps is a redundant marketing term
Kilian mentioned it before in our 2022 overview article: according to him, the term DevSecOps is simply redundant. “DevSecOps is often viewed as an extension of DevOps, some sort of brand-new one-stop shop that immediately fixes any and all security concerns. In my opinion, however, if you are doing DevOps without integrating security already, you are not doing DevOps right at all!”
Nevertheless, Kilian still appreciates the increased attention that the term’s popularity has brought to the security aspect of DevOps. “Unfortunately, we still see a lot of teams where security is an afterthought, which carries obvious risks. However, there are also organisations where a separate security division handles application security. While a less obvious risk, this silo approach inevitably leads to lengthy delays in the development process. This means that you are no longer developing in an agile way, effectively neutering one of the major advantages of using DevOps. At FlowFactor, we believe that a proper DevOps implementation accounts for security throughout the entire process. This requires an IT executive’s attention in two important areas: the infrastructure and the team.”
Infrastructure: security by design
How do you properly handle security when it comes to your infrastructure? Kilian explains: “Many companies rush to their firewall when you mention security, when instead they should take a step back and inspect the code of their application. Security technology, however advanced, becomes useless if your application architecture isn’t secure to begin with.”
Kilian stresses that modern applications have too many connections to rely solely on so-called ‘outer shell’ security solutions, like a firewall. Those legacy solutions simply no longer cut it. Companies should also consider the risk of an attack from the inside: “I’ve seen companies claiming excellent security, where most employees could access and modify crucial databases. In those cases, all it takes is a single disgruntled employee to take down your entire security strategy. Cloud-native applications can be part of the solution here, but they still require governance in order to be effective.”
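As an added example (not from the original article and not FlowFactor’s own code), here is what that insider-access problem looks like at the database layer, with the over-broad grant beside a least-privilege alternative and a query to audit who can still write. PostgreSQL syntax is assumed, and the table and role names (`customers`, `customers_reader`, `customers_writer`, `alice`, `app_service`) are hypothetical.

```sql
-- Hypothetical table and role names; PostgreSQL syntax assumed.

-- Weak setting: every login role in the database can read, modify and delete
-- the customer table. This is the "most employees could access and modify
-- crucial databases" situation described above.
GRANT ALL PRIVILEGES ON TABLE customers TO PUBLIC;

-- Corrected: take the blanket grant back, then hand out only what each job needs.
REVOKE ALL PRIVILEGES ON TABLE customers FROM PUBLIC;

-- Read-only group role for people who need to look at the data (support, analysts).
CREATE ROLE customers_reader NOLOGIN;
GRANT SELECT ON TABLE customers TO customers_reader;

-- Write group role for the deployed application only.
-- Deliberately no DELETE or TRUNCATE: bulk deletions go through a reviewed migration.
CREATE ROLE customers_writer NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON TABLE customers TO customers_writer;

-- Membership is granted per person or per service account, never to PUBLIC.
GRANT customers_reader TO alice;         -- a support engineer
GRANT customers_writer TO app_service;   -- the application's service account

-- Check: who can still write to this table? Run as the table owner (whose grants
-- are all visible in this view), in CI or as a scheduled audit; any grantee you
-- do not expect here is the "single disgruntled employee" from the interview.
SELECT grantee, privilege_type
FROM information_schema.role_table_grants
WHERE table_name = 'customers'
  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE')
ORDER BY grantee, privilege_type;
```

After the corrected grants, the audit query should list only `customers_writer` (and the owner); a human login such as `alice` showing up with `UPDATE` is the finding to act on. The same split between a read role and a write role works for cloud-managed databases, which is the “governance” the interview says cloud-native setups still need.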
The team: gathering security expertise
So, how can you achieve that proper security mindset? Kilian: “Quite simply, everyone in your DevOps team should have some degree of security expertise. Like I said, you can’t have proper security without secure code, and without secure code, you can’t confidently roll out incremental releases. That is why we suggest investing in education, just like we do at FlowFactor. Our employees receive a yearly stipend to educate themselves as they see fit. We’ve noticed significant progress in various areas of expertise thanks to the education budget, security being chief among them.”
Kilian has some more suggestions: “We highly recommend hiring a security officer in all cases, especially if you don’t have the in-house expertise yet. Those dedicated people can help to establish a security-first mindset in your organisation. Once your application finishes initial development and hits the production phase, we recommend setting up a security operations centre as well. Through tooling, this permits the security officer to identify, track, and resolve all security threats in one spot. In fact, keeping these external advisors on hand can be a substantial boost to your internal expertise, even in larger and more mature organisations.”
AI: the future of DevOps security?
When you’ve taken care of the essentials, there is a way to improve the automation (and therefore the efficiency) of security in DevOps even further: artificial intelligence. After all, Dev(Sec)Ops is all about automation. According to Kilian, the tooling landscape still needs to improve before AI-driven security tooling can stand on its own. That doesn’t mean it should not already be used in certain supporting capacities, though.
As we mentioned in our DevOps advice for CTOs in 2022, AI is already providing tangible benefits for organisations through optimisations. It is especially helpful with the ever-increasing volume of incoming data. Machine-learning tooling can keep processing and grouping that data stream (log lines, alerts, metrics) at a rate human operators can simply no longer match. When implemented correctly, it can even flag threats in near real time, a tremendous advantage for keeping an infrastructure’s security intact.
Kilian continues: “Security is already a necessary addition to DevOps, and has been so for a long time. AIOps, while still relatively new, is another such necessary addition that further strengthens that security. By bringing automation and advanced monitoring to an environment, AI makes the entire system more secure and resilient. That is why we have recently launched our subsidiary stAIble. We want to keep our role as frontrunners and innovators in DevOps, and stAIble allows both us and our clients to stay ahead of the game. I’m excited to see where the future will take us.”
Don’t wait until it’s too late
In the end, security requires vigilance. Whether you are upgrading your infrastructure, investing in your people, or looking into advanced techniques like artificial intelligence, you should keep an eye out at all times.
As an IT executive, it’s often hard to maintain that vigilance in several areas at once. If you want to make sure that your DevOps project is implemented both efficiently and securely, give us a call. Thanks to our extensive internal expertise and that of the larger Cronos Groep, we can guarantee that your project will be held to the highest possible standards.