Ran Nahmias, COO of Tamnoon.
In many organizations, development and security teams operate in silos, collaborating only reactively when critical issues arise. This traditional separation leads to systemic problems, as each team focuses narrowly on its own goals rather than working toward common objectives.
The DevSecOps approach offers a solution by shifting security to the left of the development process and applying DevOps practices to security operations. As more teams move their operations to the cloud, adopting a DevSecOps strategy enables development and security teams to collaborate proactively on building a secure cloud configuration, but this requires organizational and tooling changes.
The gap between development and security teams can be seen even from a distance. Development teams must adhere to their release chain, and any security concerns must be part of that. Security teams conduct their assessments and produce a report that development teams must then address.
But even in organizations where security and development teams work separately, they can (and will) collaborate in certain situations. For example, when C-level escalations force teams to resolve critical issues quickly, the response, fix, or patch will move quickly and collaboratively.
This reactive approach is often ineffective for obvious reasons, but it suggests that the capacity exists and just needs to be formalized. How can this be achieved?
Learning from the DevOps Movement: Bringing Security into the Fight
Leadership teams went through a similar exercise in the 2000s when adopting DevOps practices. Development and operations teams faced similar issues when operating as separate entities, with developers not being responsible for—and therefore uninterested in—how the application ran in production.
Today, DevOps teams are not without their challenges, but the increased scope of responsibility has created teams that are more focused on delivering the end-to-end product lifecycle. The natural next step is to integrate security into the DevOps framework, giving us one of the biggest buzzwords of the decade: DevSecOps.
There are two ways security and DevOps integrate: implementing security into the DevOps process and using DevOps processes for security operations.
Security for DevOps
This is almost universally expressed as "shift left." Shift left means that security should be implemented as early as possible in the development lifecycle rather than retroactively. In large organizations, this is known as "security by design."
This means that across the infinite DevOps loop, security becomes part of every step in the process and uses the same tools—for example, integrating infrastructure-as-code (IaC) scanning tools with version control systems to automatically identify misconfigurations in cloud resource templates.
Other security implementations could include integrating cloud security posture management (CSPM) tools to continuously monitor and enforce security policies, implementing least privilege access controls for cloud resources, or scanning container images and artifacts to find vulnerable components in CI/CD pipelines.
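As an added illustration of the IaC scanning and least-privilege checks described above (example code written for this page, not a tool from the article or from Tamnoon), the script below scans a constructed, CloudFormation-style JSON template for three common cloud misconfigurations and exits non-zero so a version-control pipeline can block the merge:

```python
# Added example (not from the article): a minimal IaC misconfiguration check of the
# kind a pre-merge pipeline step runs over cloud resource templates. The template
# is a constructed, CloudFormation-style JSON document, not a real scanner's schema.
import json
import sys

# Constructed template: three of the four resources are misconfigured.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "DeployPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
}})

def check_public_bucket(name, props):
    acl = props.get("AccessControl", "Private")
    return f"{name}: bucket ACL {acl} grants public access" if acl.startswith("Public") else None

def check_open_admin_port(name, props):
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort") in (22, 3389):
            return f"{name}: admin port {rule['FromPort']} open to the whole internet"

def check_wildcard_policy(name, props):
    # Least-privilege check: Allow on every action against every resource.
    for stmt in props.get("PolicyDocument", {}).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "*" in actions and stmt.get("Resource") == "*":
            return f"{name}: policy allows all actions on all resources"

CHECKS = {"AWS::S3::Bucket": check_public_bucket,
          "AWS::EC2::SecurityGroup": check_open_admin_port,
          "AWS::IAM::Policy": check_wildcard_policy}

def scan_template(template_json: str) -> list:
    """Return one finding string per misconfigured resource, in template order."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        finding = check(name, res.get("Properties", {})) if check else None
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":  # In CI: scan the given file and fail the job on any finding
    results = scan_template(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```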
DevOps for Security
While the above is about implementing security into the development process for a more secure infrastructure, the reverse looks at improving security operations using a DevOps framework. CI/CD tools, version control, and infrastructure as code can be leveraged to help the security operations team become more agile and have a greater degree of customization and control over how they detect and respond to threats.
For example, security information and event management (SIEM) tools, the core tools of security operations centers, can have their text-based detection rules (detection as code) stored in a repository, planned and scheduled in sprints, and reviewed by a project board, using the same approval workflows and branches as application code. Git repositories can likewise store the scripts and permissions that manage a SIEM alert engine, playbooks, and connectors as infrastructure as code.
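To make the "detection as code" workflow concrete, here is an added example (written for this page, not code from the article or from any SIEM vendor) of the check a repository's CI job can run on every pull request that touches a rule: it validates the rule's schema and then replays the expected-match and expected-no-match events the rule ships with. The rule format, field names and log events are constructed for illustration.

```python
# Added example (not from the article): a "detection as code" check of the kind a
# repository CI job runs on every pull request that touches a rule. The rule
# format, field names and log events are constructed for illustration, not any
# particular SIEM's schema.
import json
import re

REQUIRED_FIELDS = ("id", "title", "severity", "conditions", "tests")

# Constructed rule file: console login without MFA from outside the 10.0.0.0/8 range.
RULE_TEXT = json.dumps({
    "id": "DET-0001", "title": "Console login without MFA", "severity": "high",
    "conditions": [{"field": "eventName", "equals": "ConsoleLogin"},
                   {"field": "mfaUsed", "equals": "No"},
                   {"field": "sourceIp", "not_regex": r"^10\."}],
    "tests": {  # the rule ships with its own expected-match and expected-no-match events
        "match": [{"eventName": "ConsoleLogin", "mfaUsed": "No", "sourceIp": "203.0.113.7"}],
        "no_match": [{"eventName": "ConsoleLogin", "mfaUsed": "Yes", "sourceIp": "203.0.113.7"},
                     {"eventName": "ConsoleLogin", "mfaUsed": "No", "sourceIp": "10.1.2.3"}]},
})

def validate_rule(rule: dict) -> list:
    """Return schema problems; an empty list means the rule is well-formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in rule]
    if rule.get("severity") not in ("low", "medium", "high", "critical"):
        problems.append(f"invalid severity: {rule.get('severity')!r}")
    return problems

def rule_matches(rule: dict, event: dict) -> bool:
    """All conditions must hold for the event to trigger the rule."""
    for cond in rule["conditions"]:
        value = str(event.get(cond["field"], ""))
        if "equals" in cond and value != cond["equals"]:
            return False
        if "regex" in cond and not re.search(cond["regex"], value):
            return False
        if "not_regex" in cond and re.search(cond["not_regex"], value):
            return False
    return True

def run_rule_tests(rule_text: str) -> list:
    """Validate the rule text, then replay its embedded test events; return failures."""
    rule = json.loads(rule_text)
    failures = validate_rule(rule)
    if failures:  # do not replay tests against a malformed rule
        return failures
    failures += [f"{rule['id']}: expected match for {e}"
                 for e in rule["tests"]["match"] if not rule_matches(rule, e)]
    failures += [f"{rule['id']}: unexpected match for {e}"
                 for e in rule["tests"]["no_match"] if rule_matches(rule, e)]
    return failures
```

A CI step would call run_rule_tests on each changed rule file and fail the pipeline when the returned list is non-empty, so a rule edit that silently breaks detection never reaches the production alert engine.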
Steps towards DevSecOps
Putting DevSecOps into practice requires changes on two fronts.
Organizational changes
DevSecOps requires redefining team structures and responsibilities to create a culture of shared ownership. Developers should care about infrastructure security, while security practitioners should care about operational efficiency and development speed.
Tool and Process Changes
Development and security teams need a unified toolkit and a single source of truth. This includes shared version control, CI/CD pipelines, and monitoring tools, which can be extended with development- or security-specific tools as needed.
Implementing these changes is not a one-time effort, but rather an iterative process (similar to application development). Organizations must continually evaluate and improve their DevSecOps practices, tools, and team dynamics.
Finally
As cloud infrastructure becomes increasingly complex and dynamic, organizations can no longer afford to treat development and security as separate endeavors. DevSecOps offers a path forward by shifting security left in the development process and applying DevOps practices to security operations.
While adopting DevSecOps requires significant changes at organizational and tool levels, taking an iterative approach enables development and security teams to build a culture of effective collaboration. The end result is a more secure and resilient cloud infrastructure that is delivered at the speed of business.
Gartner predicts that misconfigurations will cause more than 99% of cloud security failures by 2025. Organizations can significantly reduce this risk by prioritizing infrastructure security through DevSecOps practices and adopting more public cloud technologies while maintaining a strong security posture.
The Forbes Technology Council is an invitation-only community for world-class CIOs and technology executives.