From DevOps to DevSecOps: Why is DevSecOps so important?
Even before the outbreak of coronavirus, 2020 was set to be a big year for the UK cyber security space. We identified a number of areas that we expected to take up CISO attention: vendor technology weaknesses, the proliferation of IoT devices, and big regulatory shifts like GDPR that necessitated a great deal of work. Coronavirus turned up the heat on these industry trends, and then some.
Cyber attacks and the need to adopt the DevSecOps mindset
Sherrod DeGrippo, a senior director at cybersecurity firm Proofpoint, noted the increase in attacks across the manufacturing, pharmaceutical, travel, healthcare and insurance sectors. There were also widespread reports of suddenly exposed vulnerabilities in video conferencing apps like Zoom. Former Facebook and Yahoo security chief Alex Stamos observed from the sidelines: "This is going to get worse, as the entire infosec world descends on a spectacularly complicated product with lots of attack surface and some sketchy design trade-offs."
Stamos’s observation is an interesting one. It pinpoints an assumption that most technology companies have taken at face value for many years: that security necessarily slows the pace of iteration, hence the ‘sketchy design trade-offs’. One thing the outbreak of coronavirus has made clear is the case for adopting the DevSecOps mindset, a trend we identified earlier in the year. It involves building security practices into an organisation’s DevOps pipeline, and it challenges that long-held assumption directly. There is a strong case that had Zoom taken this approach, its coronavirus woes might have been avoided.
Those who aren’t embedded in the infosec community are probably thinking to themselves: here we go, another technology fad where we add ‘ops’ to the end of another word. But this is a seriously warranted “Opsification”, to coin a phrase. DevSecOps borrows heavily from the DevOps tradition and, like its forebear, will radically change best practice in the industry.
What is DevSecOps?
So, what exactly is DevSecOps? DevSecOps is a way of approaching security with an “everyone is responsible for security” mindset. So far, so vague. To be more concrete, here are five practices that make up the DevSecOps approach:
- security and development teams collaborate on threat models,
- security tools are integrated in the development integration pipeline,
- security requirements are prioritised as part of the product backlog,
- infrastructure-related security policies are reviewed before deployment, and
- security experts evaluate automated tests.
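The second and fourth practices above (security tools wired into the integration pipeline, and infrastructure policy reviewed before deployment) in working form, as an added example that is not code from the original article or from any tool it names. Everything in it is a constructed assumption for illustration: the scanner report mimics the SARIF layout many scanners emit but is not the output of a real tool, the manifests mimic Kubernetes pod specs, and the severity threshold and the policy set are the kind of rules a team would agree on, not any standard. Drop a script like this into a CI job and the build fails (non-zero exit) when either check finds a problem.

```python
"""A minimal CI security gate: fail the build on scanner findings at or
above a severity threshold, and on infrastructure manifests that break a
small, explicit policy set. All inputs below are constructed for this
example (assumption: SARIF-like report, Kubernetes-like pod spec)."""
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output, loosely modelled on SARIF (runs -> results).
# Not the output of any real tool.
SAMPLE_SCAN_REPORT = {
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "hardcoded-credential",
             "properties": {"severity": "high"},
             "message": {"text": "cloud secret key literal in config.py"}},
            {"ruleId": "weak-hash",
             "properties": {"severity": "medium"},
             "message": {"text": "MD5 used for password hashing"}},
        ],
    }],
}
CLEAN_SCAN_REPORT = {"runs": [{"results": []}]}

# Constructed pod specs: one that should be blocked, one that should pass.
SAMPLE_POD_BAD = {
    "kind": "Pod",
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "example/web:1.0",
                        "securityContext": {"privileged": True}}],
    },
}
SAMPLE_POD_GOOD = {
    "kind": "Pod",
    "spec": {
        "containers": [{"name": "web", "image": "example/web:1.0",
                        "securityContext": {"privileged": False,
                                            "runAsNonRoot": True,
                                            "readOnlyRootFilesystem": True}}],
    },
}


def blocking_findings(report: dict, threshold: str = "high") -> list[dict]:
    """Return scanner findings whose severity is at or above `threshold`.
    Unknown severities rank as 0 so a scanner that omits the field never
    silently blocks (or unblocks) the build by accident."""
    floor = SEVERITY_RANK[threshold]
    blocked = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            sev = result.get("properties", {}).get("severity", "").lower()
            if SEVERITY_RANK.get(sev, 0) >= floor:
                blocked.append({"rule": result["ruleId"], "severity": sev,
                                "message": result["message"]["text"]})
    return blocked


def infra_policy_violations(pod: dict) -> list[str]:
    """Check a Kubernetes-style pod spec against an assumed policy set:
    no shared host namespaces, no privileged containers, every container
    runs as non-root with a read-only root filesystem. Absent settings
    count as violations (fail closed), not as compliant defaults."""
    violations = []
    spec = pod.get("spec", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"pod shares {key}")
    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {name} is privileged")
        if not sc.get("runAsNonRoot"):
            violations.append(f"container {name} does not set runAsNonRoot")
        if not sc.get("readOnlyRootFilesystem"):
            violations.append(f"container {name} root filesystem is writable")
    return violations


def gate(report: dict, pod: dict, threshold: str = "high") -> tuple[bool, list[str]]:
    """Run both checks; returns (passed, reasons). Empty reasons means pass."""
    reasons = [f"{f['severity']}: {f['rule']} - {f['message']}"
               for f in blocking_findings(report, threshold)]
    reasons += infra_policy_violations(pod)
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, reasons = gate(SAMPLE_SCAN_REPORT, SAMPLE_POD_BAD)
    for reason in reasons:
        print("BLOCK:", reason)
    sys.exit(0 if passed else 1)
```

The threshold is deliberately a parameter: teams typically start by blocking only on high and critical findings so the pipeline does not become noise, then ratchet it down. The policy function fails closed on missing fields, which is the check most home-grown gates get wrong.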
The five practices above barely scratch the surface of DevSecOps implementation, though. The reality is that for organisations to integrate security into the development lifecycle effectively, there needs to be a cultural and practical change across the holy trinity of people, process and technology.
Yvonne Wassenaar, Chief Executive Officer of Puppet, has done a lot of work around the implementation of DevSecOps, and her insights are fascinating. She describes the final stage of DevSecOps implementation with the catch-all term “self-service”, by which she means that incident response is automated, that security teams are involved in technology design and deployment, and that security policy configuration is automated. The path to that point, she observes, is paved with difficulty: organisations mid-way through implementation report significant friction when collaborating with delivery teams.
The right skill set is important
This offers some very useful insights for professionals in the UK DevSecOps market. Technical proficiency is just one piece that professionals will need in their armoury. Operational flexibility to navigate organisational change will also be necessary to build DevSecOps into the deployment pipeline in a workable manner.
As well as a thorough knowledge of DevOps principles, practices and culture, candidates will need strong technical proficiency in their preferred programming language. A good DevSecOps engineer will also be familiar with tools such as Chef, Puppet, Checkmarx and ThreatModeler, and will need to be conversant with the intricacies of risk assessment and threat-modelling techniques. It is a fast-developing area, so up-to-date knowledge of cybersecurity threats is a must.
At this year’s Infosecurity Europe, held in London earlier in June, Deloitte cyber risk partner Peter Gooch also picked up on the trend of DevSecOps: “2020 will see more deployment of security automation tools. Where this is done well, it will allow organisations to adapt rapidly to changing attack tactics. Where it is done poorly, it will be more complicated to unpick.” It is clear that competition for top-tier candidates who tick the above boxes is set to get fiercer.
Empiric is a dynamic technology and transformation recruitment agency specialising in data, digital, cloud, security and transformation. We supply technology and change recruitment services to businesses looking for both contract and permanent professionals.
Empiric are committed to changing the gender and diversity imbalance within the technology sector. In addition to Next Tech Girls we proactively target skilled professionals from minority groups which in turn can help you meet your own diversity commitments. Our active investment within the tech community allows us to engage with specific talent pools and deliver a short list of relevant and diverse candidates.