Industry executives and experts share their predictions for 2021. Read them in this 13th annual VMblog.com series exclusive.
DevSecOps Outlook for 2021: Making "Sec" an integral part of DevOps to ensure secure software development
By Dennis Hurst, founder and president of Saltworks Security
As application development teams plan for a much-needed reset, they're making sure security will be well represented throughout DevOps. Dennis Hurst, Founder/President of Saltworks Security (building world-class AppSec programs from policy to production), highlights five frontrunning realities organizations must accept to truly make DevSecOps a value-driving aspect of enterprise IT.
(1) Application vulnerabilities are critical to data security.
Data breaches are directly linked to vulnerable applications. Team members who downplay the role of application vulnerabilities in securing data will cause IT to run wasteful rings around itself and compromise overall application security. Integrating security from the outset, especially given the growing use of open source components, will be the expected baseline for all software development initiatives. A greater focus on application security as part of DevOps processes will also mean an increased need for security data integration and centralized dashboarding, which will result in better enterprise application security management.
(2) Containerization will make the move to cloud, external and/or hybrid environments faster, easier and safer.
Successful operations that closely align security with development make it easier for companies to migrate to the cloud and support innovation. Leveraging containers will dramatically improve software delivery speed, platform independence, resource utilization and process reliability, as well as provide the flexibility and pipeline velocity required to meet new business expectations. Configuring containers correctly is important to ensure they're secure and deployed successfully. Teams will need to plan, establish and monitor processes, educate people across IT and business groups, and establish infrastructure automation and support to see a return on investment.
(3) Adherence to DevSecOps requirements will be integrated into team performance metrics.
Companies will hold IT and business teams accountable for how well security is integrated into software development and aim to drive the cost per bug as low as possible. Secure coding and functionality will take precedence over elegance, and they'll be treated as performance metrics on which people and products are measured. As that'll be the case, 2021 will bring significant additional virtual eLearning lab and training opportunities, from IT management to development teams, to ensure they know how to best use tools and technologies.
(4) Transparency, communication and security will be a quality CSO's most required trifecta.
Progressive CSOs have evolved further in 2020, and while many came out of the networking and/or operational security world, they've done their due diligence to amp up on development know-how to have a more holistic view of how IT and business factors are interconnected. Those CSOs will require that transparency, communication and security be the three foundation pillars of DevSecOps to ensure security is included in every aspect of application development.
(5) Picking the right AppSec partner comes down to more than dollars and cents.
There's no shortage of AppSec partners in the market, but those that actually regard application development as a comprehensive cycle, from design to production to retirement, are harder to come by. IT teams will be more forthcoming in asking partners about their commitment to working in alignment with an organization's security goals at both a micro and macro business level. In addition, AppSec partners will be required to demonstrate how to measure and quantify success, because smart CSOs know that if you're not able to measure and manage DevSecOps, the initiative is more likely to fail.
About the Author
Dennis Hurst, founder and president of Saltworks Security, has been at the forefront of application security and software development for more than 30 years. Extensive managerial experience across all aspects of the software development lifecycle (DevOps, testing, QA, product strategy, IT operations, etc.) has made Hurst a trusted advisor on application security programs for Fortune 500 companies across every industry.
As a founding member of the Cloud Security Alliance, he co-authored the first two versions of its Application Security guidelines and is an advocate for the Open Web Application Security Project. A sought-after industry speaker, Hurst also provides best practice and industry insight to the media, research and analyst communities. He remains committed to partnering with organizations to build world-class application security programs that support the rapid pace of enterprise software development.