DevSecOps, the new normal
The rise of DevOps is the latest step in the long-standing effort to align IT with the business. It is an incremental evolution of agile development methodologies that also covers how the resulting software is operated, enabled by next-generation cloud and edge computing technologies. These cloud-native technologies are built on containers, which allow finer-grained services along with a better capacity to operate them. Cloud native also extends the reach of IT into operational technology (OT) and IoT: small service granularity and integrated operation permit deployment on very small devices. These capabilities explain the current success of DevOps, but they also generate specific cyber security issues. DevOps needs to go further: it needs to become DevSecOps.
DevSecOps can also be seen as the goal of secure development, even though DevOps creates specific issues of its own. With DevOps you use a tool chain that, from the inception of a project, encompasses development, security and operations with a test-driven approach; because security is a key concern from the start of the process, DevSecOps is also Secure by Design. Security will, of course, make the processes more complex, multiply the actors involved and require a cultural shift between teams. However, it is definitely worth it for organizations that want to stay ahead of the game, since it:
- enables the use of DevOps approaches for critical applications and all workloads, thus increasing agility;
- provides the capacity to monitor business needs and compliance requirements more closely; and
- helps to save money and time, because it is much more costly to resolve security problems at the end of the development cycle than at the beginning.
Because of this complexity, DevSecOps best practices must rely on highly automated and standardized integrated development environments, backed by full visibility of systems and their ecosystem, a holistic single-pane-of-glass view, and a centralized cyber security and IT management console.