A 17% YoY increase in data breaches was recorded by the Identity Theft Resource Center in 2021. Almost 100 million victims in Q3 were, in one way or another, affected by cloud security misconfiguration, unpatched software flaws, misconfigured firewalls, and similar issues. Certainly, the scope for DevSecOps adoption is tremendous.
Enterprises are also finally realizing that security is not merely a non-functional requirement, especially in the context of DevOps. With its ability to manage compliance, identify granular vulnerabilities, implement regulatory standards, and monitor the threat landscape, it’s no wonder that DevSecOps adoption increased by 60% in 2021.
However, integrating security into the DevOps lifecycle isn’t that easy to achieve. The organizational structure, resources, governance, policies, and culture must be adjusted to adapt to the DevSecOps approach. Not all enterprises are ready for this kind of transformation (but they should be for long-term sustainability).
As such, the first step towards DevSecOps adoption should be to identify and address the barriers that could inhibit this process.
To that end, below is a list of the top DevSecOps adoption challenges, how they can impact your business’s long-term sustainability, and how you can overcome them.
Competence and culture
Maybe the DevSecOps team isn’t qualified for the tasks at hand; perhaps the management lacks overall awareness in this context or is altogether oblivious to the need for change. Or maybe the siloed work culture prohibits the organization from embracing and implementing security as a functional requirement.
It’s all a vicious circle: the lack of participation in DevSecOps standards grows out of organizational indifference and an inability to adopt new methods. Researchers from the University of Adelaide outline that an unpleasant organizational culture could be detrimental to fostering the value of accountability and might escalate “resentful sentiments.” The authors, while reflecting upon intentional ignorance, quote a developer: “nobody wants to take responsibility for security because it adds nothing.”
Well, that sums up the state of affairs. Organizations adopting DevSecOps are plagued by a host of people-centric challenges, and they need a concrete strategy to overcome this. Here’s what it should look like:
- Identify security-enthusiastic developers from within the team to help develop a culture of accountability and responsibility.
- Create a culture of transparency in the team to maintain a healthy feedback loop for communication.
- Get the management on board to create a conducive environment for DevSecOps adoption and help them monitor the DevSecOps performance.
- Empower human resources to maintain an integrated business view while accounting for security concerns.
- Conduct regular training sessions via on-demand webinars and group discussions to help the teams better understand the business (and vice versa).
Tools and their usage
As far as the use of tools is concerned, the challenges range from configuration issues to integrability problems to the difficulty of selecting the right tool for specific DevSecOps endeavors. For starters, the security tools must be integrated with the CI/CD pipeline and the alerting mechanism. In addition, they should be extensible to ensure maximum utility.
For instance, a tool’s ability to detect vulnerabilities needs to be augmented with the capability to map known issues in the application programming interface (API). An API vulnerability could render an entire system vulnerable and, if not remediated properly, could lead to serious consequences.
Solutions:
- Consolidate the views of different people within the team to make better decisions on tool selection. As cliché as it might sound, “two heads are better than one.”
- Instead of employing multiple tools to solve one problem, implement one standardized tool for the problem under consideration. But for that, you must first document the security needs and narrow down the testing methods being employed. For example, IAST (Interactive Application Security Testing) tools, which facilitate both static and dynamic testing, are a good fit for the case in point.
- Leverage container orchestration platforms to complement your tools, since they help enforce security and maintain continuity of deployment.
Infrastructure-related concerns
As for the infrastructure-related challenges, things can get difficult when adopting DevSecOps in, say, multi-cloud environments, where the processes and tools used for monitoring, assurance, and security reporting vary from vendor to vendor. Likewise, integrating with different technologies such as IoT and blockchain networks can be a challenge, as the high degree of customizability in each framework makes it hard to conform to established standards.
Solutions:
- Apply governance principles to design a uniform infrastructure across clouds. Make sure that the processes, tools, and applications deployed to meet compliance requirements are consistent throughout.
- Test the environments by developing simulated threat scenarios and performing tests to validate detection and response times.
- Ensure the application of strict access policies for each component of the application and the data that resides within it. In addition, establish a uniform data classification system for better protection of sensitive information.
Summing up
As a DevSecOps practitioner, you’re up against a multitude of adoption challenges. From cultural change to technology integration and even infrastructure concerns, you need to do your best to address them.
For instance, you should invest in developing awareness of cultural issues by looking at the patterns and trends in how people within the organization talk about “security.” Likewise, you should conduct a detailed risk assessment to define your readiness level before starting the DevSecOps movement.
In the same vein, while adopting DevSecOps, you need to ensure that the tools and processes being employed cover every area that could require a change in your security posture. All in all, a holistic approach is needed to combat the adoption challenges that are bound to surface.