At Anchore, we work across the spectrum of many organizations' transformation journeys to DevSecOps. One of the most notable and exciting transformations we’ve been involved with over the past couple of years is the U.S. Department of Defense (DoD) Enterprise DevSecOps Initiative. This initiative is perhaps best described by U.S. Air Force Chief Software Officer Nicolas Chaillan, in this video from Kubecon 2019. While we are fans of buzzwords and IT trends, we also are mindful of the different DevOps and DevSecOps stages of maturity each IT organization is at. In this post, we will share three key benefits of moving to DevSecOps at any maturity stage.
Before we dive into specifics, let's start with a definition from Wikipedia for DevOps:
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development lifecycle and provide continuous delivery with high software quality.
From this, we can describe DevSecOps.
DevSecOps is an augmentation of DevOps. It means thinking about application and infrastructure security from the start. It also means automating security gates to keep the DevOps workflow from slowing down. It builds on the cultural changes and philosophies of DevOps to integrate the work of security teams sooner rather than later. DevSecOps also underscore the importance of helping developers write their software with security in mind, a process that typically involves sharing visibility, and insights on known threats or malicious activity. In addition, it requires security teams to build security into the software lifecycle end to end, with a set plan for automation.
Benefit 1: Saving Cost and Time
Perhaps the most obvious benefit of incorporating automated security gates into existing software development workflows is saving cost and time. Shifting security left allows for vulnerabilities, misconfigurations, and other security risks to be caught closer to the developers, which means issues are caught early and triaged quickly. It is far cheaper and simpler to resolve a known security problem directly in the build pipeline or at the IDE step than post-deployment.
Benefit 2: Better Collaboration and Communication Among Teams
Perhaps an obvious one, but by bringing security into the conversation as early as possible, and promoting collaboration with development and operations teams, developers now see security as an enabler, not an impediment. This adds to a culture of openness, accountability, and transparency across applications, infrastructure, security and compliance requirements, and runtime environments.
Benefit 3: Faster Response to Changing Customer Needs
Somewhat related to the first benefit, however important to highlight the importance of rapid response to changes in the marketplace. For any organization developing and shipping software products or services to end-users, there are often compliance requirements for handling sensitive customer data, or security standards and audits SaaS or PaaS providers must meet. These requirements often struggle to keep up with the pace of technology innovation, however, the more automation and collaboration IT organizations can put around compliance requirements, the better they can adapt when new changes are published.
Conclusion
The above three benefits certainly aren’t meant to be exhaustive, however, based on our experience being embedded in one of the largest transformations to DevSecOps, these are the three we’ve seen as most impactful across the DoD organization.