Developers need to be included in the security flow to catch code flaws sooner and to establish the behavioral baselines required to safeguard modern, user-facing applications. At the same time, the CISO's role is evolving into that of an enabler for the engineering team, which gives CISOs a unique opportunity to lead the organization through this change.
The broad digital transformation of organizations around the world continues to gather steam. Today, every company and organization must support a significant and diverse technology infrastructure. In reality, every major company is also a software company: it must have developers and a DevOps team to build and improve its digital assets, including applications, websites, databases, cloud computing servers and more.
During the first part of the great Digital Transformation, DevOps empowered developers to manage infrastructure as code. It did this by allowing them to deploy applications and, with the same set of tools, describe how, when and where those applications should run. Developers used to wait days or weeks for a new server to be provisioned for an application; now they can do it in seconds with modern DevOps tools.
The Next Wave: DevSecOps
The next wave of the Digital Transformation must be security. To date, security has operated in a realm separate from software development. That must change. DevOps has accelerated the velocity and increased the frequency of application code changes and deployments. Today many large applications are updated with new code multiple times per day thanks to DevOps and Continuous Integration / Continuous Delivery (CI/CD). This would not have been possible in the pre-DevOps era.
This velocity means applications are developed faster, but it also introduces security risks. The only way to keep that code safe is to give the developers themselves security tools that fit into their existing workflows and deliver clear value. This is a fundamental shift in security practice: rather than waiting for cybersecurity teams to analyze risks and vulnerabilities during code reviews or attack simulations, the analysis happens where the code is written.
By making security analysis part of the CI/CD pipeline, developers can identify problems with code earlier. This gives them time to fix vulnerabilities and security gaps well before their code reaches production, reducing risk dramatically. On top of making security part of the development cycle, integrating run-time security components with the application and the infrastructure helps ensure always-on security. This always-on security is deployed wherever new code or applications are, making CI/CD smoother and safer. Developers can roll out code to production faster and with less risk, knowing it is constantly monitored and analyzed at run time. This capability is critical because some vulnerabilities and attacks manifest only at run time.
In an era of constant attacks on applications and a shortage of competent cybersecurity professionals, enterprises must create better, more efficient ways to build applications. Adding security into CI/CD and giving developers the tools to take ownership of and responsibility for their code will accomplish that. It will also effectively extend the security team with an army of developers.
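The pipeline gate described above, as an added example that is not the article's own code: a small POSIX shell script that a CI/CD job can run on every change before it is allowed to reach production. It fails the job when it finds hard-coded credentials in the source tree, which is one of the code flaws that is cheapest to catch at this stage. The directory layout, the pattern list, the function names (`scan_tree`, `make_sample`) and the sample files are all constructed for this demonstration; the AWS access key ID used in the sample is the placeholder value from AWS's own documentation, not a real credential.

```shell
#!/bin/sh
# Added example, not from the article: a minimal pre-merge security gate for a
# CI/CD pipeline. It greps the source tree for hard-coded credentials and
# returns non-zero so the job fails before the code is deployed.
# All names, patterns and sample files below are constructed for the demo.

# Patterns for material that should never be committed (extend as needed):
#  - AWS access key IDs (AKIA followed by 16 upper-case alphanumerics)
#  - PEM private key headers
#  - assignments such as password = "..." / api_key = '...' with 8+ chars
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(password|passwd|api_key|secret)[[:space:]]*=[[:space:]]*[\"'][^\"']{8,}[\"']"

# scan_tree DIR
# Prints every offending file:line:content and returns 1 if anything matched,
# 0 if the tree is clean. -I skips binaries; .git is excluded so history is
# not rescanned on every run.
scan_tree() {
    dir="$1"
    findings=$(grep -rEIn -i --exclude-dir=.git "$SECRET_PATTERNS" "$dir" 2>/dev/null)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_sample ROOT
# Builds a constructed source tree for exercising the gate offline: one file
# that reads its secret from the environment (acceptable) and two files that
# embed credentials (both must be flagged).
make_sample() {
    root="$1"
    mkdir -p "$root/app"
    cat > "$root/app/config.py" <<'EOF'
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]   # resolved at run time, not committed
EOF
    cat > "$root/app/legacy.py" <<'EOF'
API_KEY = "sk_live_constructed_example_value"   # hard-coded credential
EOF
    cat > "$root/deploy.sh" <<'EOF'
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE   # AWS documentation placeholder
EOF
}

# CI usage: `sh security_gate.sh <source-dir>`; a non-zero exit fails the job.
if [ -n "$1" ]; then
    if scan_tree "$1"; then
        echo "security gate: no hard-coded secrets found"
    else
        echo "security gate: FAILED, remove the credentials listed above" >&2
        exit 1
    fi
fi
```

Wired into a pipeline as a required step, the script turns the policy "no credentials in source" into a check that runs on every commit, so the developer sees the finding minutes after writing the line rather than weeks later in a review. The same shape (a function that scans, prints findings and returns non-zero) works for any other gate you want to add, such as a dependency audit or a container image scan, using the scanner of your choice.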
Moreover, with companies using CI/CD and controlled experiments to roll out code, there is no more need for separate staging environments; instead, new code is rolled out to production as an experiment. As a result of this shift, security will become a toolchain available to app developers. They can harness its value and benefits, and in the process they will learn to make security their responsibility as part of the normal application development lifecycle.
Making every developer a DevSecOps expert creates a far more holistic approach to web application and native application security. This approach is more proactive and preventive, and a lot less expensive and time-consuming over the long haul. Adopting a DevSecOps approach is only one part of a broad and inevitable transition in which all developers assume more responsibility for application security, creating a world where security starts with the code.
To dive deeper into this topic, including how it might work in practice, read my article in Dark Reading, Digital Transformation Risks in Front-end Code.