According to a new report from Gartner titled 3 Essential Steps to Enable Security in DevOps, by 2027, DevSecOps practices will be embedded in 85% of product development teams, as opposed to 30% in 2022.
For organizations still journeying toward DevSecOps, it’s a sticky wicket: As it is, they’re scrambling to inject security into DevOps while being tangled up in a spider’s web of regulatory, compliance and security requirements.
Product development teams are trying to get secure code out fast and to deliver customer value and agility at scale, say the report’s authors. But if security isn’t looped in to continuous integration/continuous delivery (CI/CD), those teams will wind up with “bottlenecks and wait states that inhibit agility and improved security,” write Gartner analysts Daniel Betts, Manjunath Bhat, Hassan Ennaciri and Chris Saunderson.
The result of isolating security teams from developers and I&O teams: Security doesn’t become an integrated part of the road to release. Rather, security becomes a roadblock — “a problem to fix later,” they write. “Traditional application security testing approaches are slow and gate-driven, which also create challenges in taking action on security and compliance test results.
“When security is not treated as a requirement to factor into development backlogs, it makes it difficult for I&O leaders to ensure that infrastructure and environments hosting applications meet security and regulatory requirements without sacrificing speed,” Gartner asserts.
3 steps to insert security into DevOps
According to the report, you’ve got to transform culture, practices and tools to integrate security into DevOps. Gartner offers these three recommendations to transform security from a roadblock into an integral part of DevOps:
- Make security a shared responsibility across the organization by recruiting and supporting security coaches within product teams to institutionalize secure coding and operations.
- Eliminate wait states and embed security throughout the DevOps life cycle by implementing DevOps shift-left practices (such as Software Composition Analysis [SCA] and collaboration with security early in the software development life cycle) and shift-right practices (such as security monitoring).
- Reduce developer friction and augment security controls by integrating modernized security and risk assessment tools into DevOps workflows.
Below is a selection of some of the nitty-gritty details outlined in the report:
1. Recruit qualified internal talent to serve as security coaches
Instead of wringing their hands over the cybersecurity skills shortage, Gartner recommends that product development teams recruit qualified internal talent to serve as security coaches. “Identify developers who have an interest in security, and encourage them to volunteer for the security coach role,” Gartner advises.
Recruit: “Security coaches must be avid communicators and leaders who are committed to collaborating with developers about security best practices and the value of secure coding.”
At a minimum, they should have baseline skills such as:
- Basic threat modeling
- Application Security (AppSec) testing
- Incident response
- Willingness to keep up to date on new skills and approaches
Train: Don’t just plop security coach trainees in front of computer-based security training, Gartner suggests. When creating training materials, I&O leaders should instead generate discussions about the real-world dilemmas their developers encounter. Also, implement a program to recognize training milestones and skills development, such as a “belt” program that recognizes progress and nudges security champions up toward black-belt level.
Plug in: “Leaders must collaborate with security leaders to demonstrate the mutual value of the coaching program (such as reduced demands on the security team, greater knowledge of security practices in DevOps-enabled teams, speed and agility with no increased risk).”
Gartner recommends starting by selecting security brokers — members of the security team who have knowledge of development and DevOps processes — to interface with the coaches. Security brokers should serve as consultants with deep expertise who can prevent security from growing into a full-time job for the coaches.
Coaches and security brokers should collaborate regularly — say, weekly.
For more tips on creating a security coach program, check out the report.
2. Shift Smart
Gartner’s second essential step to inject security into DevOps is to integrate security throughout the entire SDLC. That means DevOps teams implement shift-left security practices, addressing security issues and testing as early as possible in the product’s life cycle (through threat modeling, code review, security automation and vulnerability scanning) to save time and resources, and also shift security right, continually monitoring the attack surface with automated tools after code is released.
“Use the control theory: prevent, detect and correct,” Gartner recommends. “Overemphasizing prevention slows things down, is expensive and doesn’t catch everything — largely just things you know. You must also invest in detection and correction capabilities to deal with the stuff that slips through.”
The figure below illustrates the Gartner take on the Shift-Left and Shift-Right approaches to automating security governance.
Contrast Security co-founder and CTO Jeff Williams has been exploring this issue in depth. Writing for Forbes Technology Council, he laid out a nuanced critique of when it makes sense for DevOps to shift left and when it makes sense to shift right. Williams has also published five principles of a new concept that takes the best of both shift left and shift right: It’s called Shift Smart.
“Rather than blindly shifting left or blindly shifting everywhere, organizations should shift smart,” Williams writes. “One key factor is to perform security testing only when you have enough ‘context’ — the details of how an application or [application programming interface, or API] actually functions — to accurately identify real, exploitable vulnerabilities.”
3. Don’t mess with developers’ flow
Finally, Gartner says the third critical step is to integrate security and risk assessment tools with DevOps workflows: In other words, don’t introduce friction by ripping developers out of their DevOps workflows and away from their trusted tools. Instead, whenever possible, integrate modernized security and risk assessment tools into the workflows and tools they’re already using.
“I&O leaders can use many of their existing security tools when integrating security into DevOps,” the report recommends. “However, the speed and frequency with which they run may be very different. In addition, they should implement new tools to address gaps in the toolchain and supplement existing capabilities to enable automation. I&O leaders must leverage a collection of automation tools to adequately integrate security throughout the DevOps toolchain.”
The figure below highlights key security tools and processes to incorporate at each of the 10 DevOps phases, all of which are also outlined in the report.
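As an added illustration of the second and third steps (not code from the Gartner report or from Contrast), the script below shows one way a CI step can embed SCA results without creating a wait state for every finding: it blocks the build only for critical/high findings in shipped code that already have a fixed version a developer can upgrade to, and records everything else as tracked work with a due date so the pipeline keeps moving. The JSON finding shape, the vulnerability ids, the severity thresholds and the remediation SLA days are all constructed assumptions, not any tool’s real schema or any organization’s real policy.

```python
"""
Illustrative CI security gate (added example; not Gartner's or Contrast's code).

Reads SCA findings in a constructed, tool-neutral JSON shape and applies a policy:
  - block the build for critical/high findings in runtime code that have a fix
    available (a developer can act on these immediately);
  - otherwise track the finding with a remediation due date and let the build pass.
The schema, sample ids, thresholds and SLA values are assumptions for the example.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample SCA output; real tools emit their own schemas.
SAMPLE_SCA_REPORT = json.dumps({
    "findings": [
        {"id": "VULN-EXAMPLE-1", "package": "libfoo", "version": "1.2.0",
         "severity": "critical", "fixed_in": "1.2.3", "scope": "runtime"},
        {"id": "VULN-EXAMPLE-2", "package": "devtool", "version": "0.9.0",
         "severity": "high", "fixed_in": "1.0.0", "scope": "dev"},
        {"id": "VULN-EXAMPLE-3", "package": "libbar", "version": "2.0.0",
         "severity": "high", "fixed_in": None, "scope": "runtime"},
        {"id": "VULN-EXAMPLE-4", "package": "libbaz", "version": "3.1.0",
         "severity": "medium", "fixed_in": "3.1.1", "scope": "runtime"},
    ]
})

# Assumed remediation SLA: days allowed before a tracked finding must be fixed.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class GateResult:
    blocking: list   # findings that fail the build
    tracked: list    # findings recorded with a due date; build continues
    exit_code: int   # 0 = pass, 1 = fail, as a CI step would return


def classify(finding: dict, today: date) -> tuple:
    """Decide whether a single finding blocks the build or is tracked."""
    sev = finding["severity"].lower()
    actionable = finding.get("fixed_in") is not None
    in_shipped_code = finding.get("scope", "runtime") == "runtime"
    if sev in BLOCKING_SEVERITIES and actionable and in_shipped_code:
        return "block", {**finding, "action": f"upgrade to {finding['fixed_in']}"}
    due = today + timedelta(days=REMEDIATION_SLA_DAYS.get(sev, 90))
    return "track", {**finding, "due": due.isoformat()}


def run_gate(report_json: str, today: Optional[date] = None) -> GateResult:
    """Apply the policy to every finding in the report and compute the CI exit code."""
    today = today or date.today()
    blocking, tracked = [], []
    for finding in json.loads(report_json)["findings"]:
        kind, annotated = classify(finding, today)
        (blocking if kind == "block" else tracked).append(annotated)
    return GateResult(blocking, tracked, exit_code=1 if blocking else 0)


def gate_sample() -> GateResult:
    """Run the gate over the constructed sample with a fixed date for reproducibility."""
    return run_gate(SAMPLE_SCA_REPORT, today=date(2023, 3, 1))


if __name__ == "__main__":
    result = gate_sample()
    for f in result.blocking:
        print(f"BLOCK {f['id']} {f['package']} {f['version']}: {f['action']}")
    for f in result.tracked:
        print(f"TRACK {f['id']} {f['package']} {f['severity']} due {f['due']}")
    raise SystemExit(result.exit_code)
```

Run as a pipeline step, the non-zero exit code is the only thing that stops the build; the tracked list is meant to be pushed into the team’s backlog so the finding becomes a scheduled requirement rather than a problem to fix later. Teams that use a different schema or want dev-scope dependencies to block as well would change only `classify`.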
Methodology
The Gartner report is based on a review of more than 950 client inquiries mentioning DevSecOps and discussing AppSec that Gartner received from end-user organizations in 2022. The term “DevOps” was regularly in the top five most requested client inquiry topics against the IT operations agenda from July 2021 through July 2022 and among the top five most searched terms on Gartner.com between 2017 and 2022.
To read more, check out the Gartner® Report: 3 Essential Steps to Enable Security in DevOps.
Read more:
Gartner, 3 Essential Steps to Enable Security in DevOps, By Daniel Betts, Manjunath Bhat, Hassan Ennaciri, Chris Saunderson, 1 March 2023
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.