Security is no longer solely the responsibility of the software security group (SSG). It is everyone's responsibility. Building security in from product conception shortens remediation time while making the product safer, which lowers costs in the long run. Instead of measuring only how long the pipeline takes to build, quality-test, and deploy software, DevOps organizations must establish that baseline with security activities included in the overall pipeline, so that a security test is no more optional than a unit test.
Application security is a subset of application quality: Quality metrics must include application security metrics, and quality tests must include security tests. The DevSecOps life cycle makes this easier to enforce. Once developers and operations start owning the security of their software, friction between all these teams decreases.
As in any harmonious relationship, give-and-take is essential to creating a DevSecOps life cycle:
The security team must enable developers to secure their software by providing security training, nurturing Security Champions within the organization, and automating security testing tools, ultimately embedding application security into the existing pipelines. Security teams must adopt the development processes and technologies needed for tight integration. They must respect deployment frequencies and modify their processes and activities accordingly; a manual review that takes a week cannot gate a pipeline that deploys several times a day.
Conversely, the development organization must own the security of its applications together with the security team. It must understand that deploying an insecure application to production is no longer an option.
DevOps teams must realize that security is not something slapped onto a product during or after deployment. Rather, it is a combination of different activities that integrate into the SDLC right from the analysis phase. Security must be built into the product.
Ultimately, it is time to retire the DevOps SDLC and adopt a DevSecOps life cycle to make the world of rapid software deployment a safer place.