Gartner's Integrating Security Into the DevSecOps Toolchain report presents strategic planning as a DevSecOps best practice. Such planning is crucial because it lets enterprises address the key challenges that DevOps poses to their in-house development, operations, and security teams. Here are two illuminating stats from the report:
- By 2022, 90% of software development projects will claim to be following DevSecOps practices, up from 40% in 2019.
- By 2022, 25% of all software development projects will be following a DevOps methodology from conception to production, up from less than 10% today.
Moving to DevSecOps is becoming critical across industry and government to defend against new and emerging attack vectors. However, complexities, nuances, and challenges remain. The report highlights some of the challenges enterprises face as they move to DevOps:
- DevOps adoption is increasing as an alternative to traditional waterfall and agile development methodologies, but security and compliance typically remain afterthoughts.
- DevOps practices encourage automation to achieve scale, but security has traditionally been manual, process-heavy and gate-driven — the antithesis of automation, transparency and speed.
- Most developers have no knowledge of secure coding, including those versed in agile and DevOps.
- Traditional application security testing approaches weren't designed for speed and transparency. Users now expect a steady stream of new features and updates in all their applications, not just the ones they download from their mobile device's app store.
- For some applications in specific industries, new versions need to be government-recertified after every production update, making rapid change an issue. Gartner cites the example of pharmaceutical manufacturers, which may need to have the FDA recertify their production environment after certain kinds of software updates.
Gartner lays out a well-documented process for securing a DevSecOps toolchain, starting with planning and especially threat modeling. They also advise security training as part of planning. Gartner then recommends Create, Verify, and Preproduction steps for DevSecOps, with tool recommendations that map to standard DevOps expectations. Further, they map out recommendations for Prevent, Detect, Respond, and Predict steps, where security tactics and strategies such as DND measures and penetration testing apply. Finally, they add an Adapt step to deal with any resulting technical debt and incident response (IR).