DevSecOps Outlook for 2021: Making "Sec" an integral part of DevOps to ensure secure software development

By Dennis Hurst, founder and president of Saltworks Security 

As application development teams plan for a much-needed reset, they're making sure security will be well represented throughout DevOps. Dennis Hurst, Founder/President of Saltworks Security (building world-class AppSec programs from policy to production), highlights five frontrunning realities organizations must accept to truly make DevSecOps a value-driving aspect of enterprise IT. 

(1) Application vulnerability is critical to data security. 

Data breaches are directly linked to vulnerable applications. Team members that downplay the importance of application vulnerability to securing data will cause IT to run wasteful rings around itself and compromise overall application security. Integrating security from the outset, especially given the increase of open source, will be the expected baseline for all software development initiatives. A greater focus on application security as part of DevOps processes will also mean an increased need for security data integration and centralized dashboarding that'll result in better enterprise application security management.

(2) Containerization will make the move to cloud, external and/or hybrid environments faster, easier and safer.

Successful operations that closely align security with development make it easier for companies to migrate to the cloud and support innovation. Leveraging containers will dramatically improve software delivery speed, platform independence, resource utilization and process reliability, as well as provide the flexibility and pipeline velocity required to meet new business expectations. Configuring containers correctly are is important to ensure they're secure and deployed successfully. Teams will need to plan, establish and monitor processes, educate people across IT and business groups, and establish infrastructure automation and support to see a return on investment.

(3) Adherence to DevSecOps requirements will be integrated into team performance metrics.

Companies will hold IT and business teams accountable for how well security is integrated into software development and aim to reduce the cost per bug factor to the smallest ratio possible. Secure coding and functionality will be so paramount to elegance, they'll be considered performance metrics on which people and products are measured. As that'll be the case, 2021 will bring significant additional virtual eLearning lab and training opportunities from IT management to development teams to ensure they know how to best use tools/technologies.

(4) Transparency, communication and security will be a quality CSO's most required trifecta.

Progressive CSOs have evolved further in 2020 and while many came out of the networking and/or operational security world, they've done their due diligence to amp up on development know-how to have a more holistic view of how IT and business factors are interconnected. Those CSOs will require that transparency, communication and security be the three foundation pillars of DevSecOps to ensure security is included in every aspect of application development. 

(5) Picking the right AppSec partner comes down to more than dollars and cents.

There's no shortage of AppSec partners in the market, but those that actually regard application development as a comprehensive cycle, from design to production to retirement, are harder to come by. IT teams will be more forthcoming to ask partners about their commitment to working in alignment with an organization's security goals at both a micro and macro business level. In addition, AppSec partners will be required to demonstrate how to measure and quantify success, because smart CSOs know that if you're not able to manage DevSecOps, the initiative is more likely to fail. 

##

About the Author

Dennis Hurst, founder and president of Saltworks Security, has been at the forefront of application security and software development for more than 30 years. Extensive managerial experience across all aspects of the software development lifecycle - DevOps, testing, QA, product strategy, IT operations, etc. - has made Hurst a trusted advisor of application security programs for Fortune 500 companies across every industry. 

As a founding member of the Cloud Security Alliance, he co-authored the first two versions of its Application Security guidelines and is an advocate for the Open Web Application Security Project. A sought-after industry speaker, Hurst also provides best practice and industry insight to the media, research and analyst communities. He remains committed to partnering with organizations to build world-class application security programs that support the rapid pace of enterprise software development.