Problems Solved by DevSecOps

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, "What problems are solved by DevSecOps – where is the greatest value realized?" Here's what they told us:

Velocity

  • Product and company velocity of delivering features to customers. How fast customers are gaining value from new features or client requests. We're confident to say we are continuously shoring up our defenses. If everything had to be manually vetted, you could not keep up. Confidence in delivering secure, high-quality software.
  • With proper attention paid to security, product development and distribution would be much safer and faster.
  • Protecting data and applications without affecting business operations. DevOps provides a quicker time to value for customers and does that continuously throughout the product life with the end user. DevOps may ultimately evolve into such an efficient process that it provides real-time deliverables. In that environment, speed is essential. Protecting without impacting is what DevSecOps should strive to become.
  • 1) DevSecOps solves for both DevOps and Security/Compliance at the same time. It enables businesses to rapidly bring new applications to market but in a safe and compliant manner, ensuring business requirements are met or exceeded along the way. At the same time, implementing DevSecOps also requires the service organization to mitigate, avoid, transfer and accept any residual risk necessary to operate and reach customers. The greatest benefit to a service organization of DevSecOps is continuously learning from customer feedback through lightning-fast application deployments – without having to compromise on security or compliance. 2) In the same way that DevOps helped reduce the psychological distance between the development and operations teams, DevSecOps brings security into the fold and becomes part of the ongoing engineering process. This has security benefits, of course, but it’s a rising tide that lifts all boats – a secure system will be more reliable and resilient, with a better ability to detect unexpected activities of all kinds.
  • DevOps started because of the desire for speed. We’re seeing quicker releases. When I look at the overall market it’s probably the reduction of risk by designing with security baked in from the beginning.
  • It comes back to the different kinds of risk that exist. In financial services, there are regulations and fines tied to regulation. How damaging can a breach be to the brand? The cost of implementing good security controls doesn’t have to be extreme. Companies can adjust the amount of work, effort, and cost to the risk they have. If databases have security built in it reduces risk.
  • The greatest value of DevSecOps lies not with automation and efficiency, but rather, in the ability to help the business manage cybersecurity risk. This means all DevSecOps activities should focus on managing risk and improving cyber resiliency for the organization.

Security Conscientious

  • Security becomes a top motivation. By default, DevOps provides uptime, feature velocity, and scale. If DevOps is working, security is built-in.
  • Embracing DevSecOps maintains innovation velocity that translates to the achievement of business goals without skimping on security. More professional DevOps take security seriously, being mindful about how things work and how things work securely.
  • We have all heard about large organizations being sued and hurting their brand image due to security vulnerabilities in their software and applications, and the applications causing compromise of customer information. DevSecOps ensures that security is a norm and not an afterthought, ensuring developers always develop with the security of applications in mind.
  • Culture developed around it. Everyone is responsible for security. Automation of tools to keep up with speed and agility is great. Make sure you’re building security into every phase. Data breaches could be the result of a design flaw, not just bugs. If security is implemented in design, the breach may not have occurred.
  • DevOps in the early days is about moving fast and agility. But then you realize you can’t improve speed without improving security. No number of features or availability will stop security incidents. Helping clients ensure security in the fast-moving environment.
  • The goals of development teams — speed, flexibility, innovation — can seem at odds with what security teams need to do, and traditional models of security are often perceived as blockers for development. A DevSecOps culture that unites both groups around a shared objective and pushes security “to the left” weaves security steps into developer workflows and results in faster, more secure releases without stifling developer innovation. Whatever the mission of the development organization, a DevSecOps culture supports and enables it, positioning security as a partner for successful software delivery.
