Organizations today are facing a unique challenge, specifically how to balance security with speed. While many may view those two as opposed values, there is a growing campaign to revise and revisit that assumption. As DevOps rises in popularity, this challenge has taken on even more importance, and security-as-code is the solution.
DevOps provides agility and responsiveness in a high-velocity development cycle; however, many outdated security procedures present significant hurdles to developers. Often, those developers are tempted to circumvent those security measures to get their work done, but doing so creates vulnerabilities within the system.
The recent Dynatrace Perform 2021 presented many opportunities for cybersecurity professionals to share their best practices. The event, hosted by one of the most impactful organizations in the space, featured numerous breakout sessions, each of which contained a large amount of useful information. In one of those breakout sessions, Rick Stewart, Chief Software Technologist at DLT, spoke about embracing a “Security-as-Code” mindset from the start of any development process.
Security-as-code is something that GovDevSecOpsHub has written about in the past, most recently in an interview with Ubiq CEO, Wias Issa. In his interview, Issa shared his expertise on what security-as-code and a DevSecOps approach can bring to software development. “What is security as code? It’s about taking security and building it not just into the DevSecOps process but into the applications themselves,” Issa said. Where in the past, the development, security, and operations teams all would be siloed and with minimal contact between them, security-as-code has security as a central part of the entire process.
“Security-as-code and DevSecOps practices can definitely help mitigate risk,” Issa continued, but it requires integrating the tools and technologies that enable security into the development and operations process. Achieving that and getting an organization to embrace security-as-code requires a conscious effort to undo previously held beliefs. One such belief is that security is only important if you work on the security team.
“Security is everyone’s responsibility,” Stewart explained during his Perform presentation. “DevSecOps reflects that with development, security, and operations teams all working together.” From start to release, each team works for the benefit of the others. Stewart highlights that this collaboration is critical not just to private ventures but to public sector organizations as well. “You are always working to reduce cost and to achieve what you set out in your mission, and collaboration is a key part of doing that.”
Stewart continued by noting that DevSecOps also presents a unique way for teams to share and collaborate more effectively, as “you need the team rowing in the same direction” to create secure and efficient software. With full supply chain visibility, each team can quickly adapt and collaborate to address significant service interruptions or security vulnerabilities as quickly as possible. As Stewart put it, “users are accustomed to immediate services, they expect that from everyone including their government.”
Security-as-code is a shift away from the more traditional siloed approach common throughout software development and will require a “cultural transformation,” according to Stewart. People, processes, and technology must be the foundation of a security-as-code organizational culture, Stewart noted: “DevSecOps is not a technological transformation but a cultural one.” At the heart of that transformation is a desire for more interconnected software that is responsive, well designed, and secure.