DevSecOps success leads to better ROI and happier customers
Modern organisations need to be agile and able to modify and develop software quickly and securely. But often the software development lifecycle, or SDLC, treats security as a problem because of older platforms and a lack of developer focus. The modern practice of DevSecOps integrates security into every step of the SDLC.
Sekuro and Wiz have partnered to help development teams adopt technical practices and change their culture so that they build more secure software development lifecycles. A large part of the problem lies in how information is handled during development: siloed processes make it difficult for teams to collaborate and share information.
Matt Preswick, Principal Solutions Engineer for the Asia Pacific and Japan region at Wiz, says many of the technical challenges come down to a lack of visibility.
“Organisations often use different tools across different stages of their SDLC. They may use code review tools and something else looks at the runtime. But these tools don’t talk to each other. This lack of context leads to a non-prioritised stream of alerts that are challenging to address, attribute to who owns it and remediate in a timely manner.”
The result is that a problem in a piece of code may be identified, but the party responsible for remediating it may not learn of it promptly. This can lead to costly rework or to flawed code being released.
These technical issues can be compounded by cultural challenges. Kyle Jackson, Sekuro’s Cyber Security Strategy and Architecture Consultant, says the focus on speed of delivery can result in security being an afterthought.
Businesses must adapt to change faster than ever before. The increased digitisation of processes, under the banner of digital transformation, has changed the risks organisations face. They are more dependent on software than ever, and that software is developed, tested and released more quickly than ever.
As a result, security is sometimes an afterthought, bolted on at the end of the development process rather than built in as a foundation. Communication between development, security and operations teams needs to improve so that each function better understands the others.
“The lack of understanding between developer, security and operations teams means developers may not understand certain security concepts, and security teams may not understand the full breadth of development tools that are available and how they interact with operations. You need tooling that is open and able to work with tools used for security, so it’s matched to the organisation’s security stack,” Preswick says.
He adds that ease of use is critical: if a tool is not easy to use, the organisation will not achieve the best possible ROI from those different communities and teams. Tools need to be flexible enough to adapt to the organisation’s changing priorities. Interoperability is also essential, so that information can be shared easily across the entire SDLC and teams can collaborate at every step of the process.
But, as Jackson adds, leadership is critical.
“Leadership commitment is a major focus point. We need to secure development across an organisation and ensure cultural changes that stem from that are successful organisation-wide. Creating shared objectives across development and security teams can help break down those silos. And don’t forget security training. Investment in security training for developers will help them better understand what’s required from a security point of view to reduce business risk and not kick the security can down the road to security and operations teams.”
The days of siloed technology teams are behind us. By ensuring development teams have a strong understanding of security, and by linking the outcomes of secure software development to business outcomes, organisations can reap the benefits of better, safer software that lets them maximise and accelerate their ROI and reach the market faster. Late-stage security fixes are avoided and customer trust is strengthened.