3 predictions for devsecops in 2018

The year 2018 will bring the start of some real change for devsecops in the enterprise

Tech predictions: Love them or hate them, they are a time-honored tradition, one that provides the opportunity to reflect on the year passed and prepare for the year ahead. 2017 was a good year for devsecops—this year it evolved from a semi-obscure concept to a viable enterprise function. 

That evolution was fueled in great part by the rapid expansion of the container and container markets, which are inherently intertwined with devops and devsecops. Generally speaking, rapid growth and innovation tend to make predictions more of an art than a science, but I’m still willing to give it a shot.

With more than 12 billion image pulls from the Docker Hub and a maturing container ecosystem, we are barely seeing the tip of the iceberg as far as devsecops in the enterprise is concerned. However, I believe that in 2018 that’s what we’ll be seeing: the start of foundational change. Here’s what I think it will look like:

1. Corporate leaders and IT stakeholders realize devsecops is improving devops, not hindering it

Devops is the coming together the development and operations teams, so it should come as no surprise that it promotes a collaborative culture. In an era where megabreaches are the norm, adding security into the mix might sound like a no-brainer, but for years, security has been an afterthought, which resulted in a corporate culture that placed security teams at odds with other IT groups, including the development team.

But things changed.

In a business landscape where Yahoo lost $350 million in value once its weak security posture was exposed, the days of corporate leaders viewing cybersecurity as an operational sinkhole are over. Strengthening cybersecurity is now a business imperative. And it’s about time. But it will take time for that shift to settle back into culture of IT.

While the rise of devops and devsecops has undoubtedly created a rare and exciting opportunity to reinvent application security, devops can cause change to occur at warp speed, which can be disorienting. On a daily basis, we are seeing devops teams and application architects recognizing the importance of security and welcoming the input of security teams, but there are still gaps between them that need to be bridged.

For devsecops to be implemented correctly, security teams need to fall into lockstep with devops teams, and corporate leaders need to create the space and budget for that to happen. By 2019, I hope that corporate leaders, sensing the opportunity to promote a major, legitimate security win, will rally behind devsecops as the poster child for security done right.

2. Successful organizational models for devsecops will emerge, most likely: close collaboration between security and devops teams

While this prediction may not seem particularly revelatory, it is relevant. Understanding that devsecops will require equal collaboration from both security and devops teams will fast-track a standard blueprint or implementation model for integrating (and ultimately, automating) devsecops into CI/CD processes.

While different organizations have different needs, most companies—regardless of size or industry, use the same technology tools for devops, especially if they are using containers. This allows for uniform standardization. Plus, the open source roots of containers lends itself to the kind of information sharing and standards development that benefits all involved.

So far, because devops teams own the dev pipeline, they have been taking the lead on security. However, it’s my opinion that, devsecops needs to be led by security teams because they are the ones who are accountable for the organization’s security and risk posture and get fired or forced out when a security incident occurs (Uber breach, anyone?).

In 2018, security teams need to step up and show devops teams the value and skills they bring to the table. The notion of baking security into the fabric of IT instead of bolting it on after the fact has been cyber security nirvana for as long as I can remember. Now we have a window of opportunity to make that happen.

3. Security teams still will be slow to adapt to the devops reality

The devops folks I talk to understand that security matters. In the past, corporate security teams often operated within a culture that did not value or understand the need for security. No wonder today’s cyberbusiness landscape is one in which most companies are (relatively) easily breached. 

But culture changes. These days, it’s well understood that strong security consists of more than a perimeter firewall. As relieved as many security professionals may be to see this shift finally occur, they may not be as flexible as devops teams might expect. And when it comes to containers (and appsec in general), even the most talented and high performing security pros will face a learning curve. Not to mention that the cybersecurity skills shortage has been well-documented

While these factors will likely slow down security’s embrace of devops and devsecops in the short term, I see devsecops as part of the solution to the skills shortage, and I’m not alone. Integrating and automating security into the application delivery process is way more efficient and cost-effective than backtracking to fix security flaws that could have easily been avoided if they were addressed before the applications were deployed. Security professionals have a lot to gain by remaining open to change and to applying their talents in new ways. 

I’m hopeful this story will have a happy ending. Onwards to 2018—happy holidays!

Copyright © 2017 IDG Communications, Inc.

How to choose a low-code development platform