The rise of microservices has increased the engineering intricacies of products while new privacy regulations continue to emerge. To manage the complexity, teams are investing in automation for security checks and audits.
Encora’s Technology Trends presents the top 10 trends for 2022 from a software engineering perspective—tools and frameworks that will play a fundamental role in helping organizations become more secure, nimble, and efficient—capable of responding to dramatic disruption.
We spoke with the DevOps Innovation Leader at Encora Brazil, Isac Souza, about one such trend, the growth of DevSecOps.
What is DevSecOps?
DevSecOps is an extension of DevOps. It integrates security into DevOps by including it in an organization’s software development culture, pipelines, and processes. In DevSecOps, security checks run alongside the application or product’s other checks, ideally automatically.
Why is the implementation of DevSecOps on the rise?
DevSecOps is gaining attention because it is helping companies create more agile and higher-quality software delivery. Traditionally, security was not part of the software development lifecycle. Security checks happened after the product was ready. But, in today’s market, running security tests at the end of the development lifecycle is too late. If changes need to be made, it’s going to delay the release of the product, which is going to be costly.
Applying security checks from the beginning of the development pipeline helps developers detect defects earlier. Early detection means issues are easier, faster, and more cost-effective to repair. So, you’re producing more secure software that is released to the end-users in less time, using fewer resources.
Does DevSecOps make sense for any organization already using DevOps?
Yes, the only exception I can think of would be companies whose product or software development lifecycle cannot be improved by DevOps. But if the company is already using DevOps to develop their software, including security checks and validation in their DevOps process is undoubtedly beneficial.
Thinking about security from the beginning of development instead of leaving it until the end helps everyone.
How does DevSecOps help with scalability?
When you’re performing security checks, validations, or audits, either manually or supervised by someone, you create a bottleneck. When you automate these processes and bring them to the build pipeline, you free up your specialists’ time and they are able to work on something else. For example, they can address other security issues or work on the security validations that haven’t been automated yet—and maybe they can automate them!
By introducing DevSecOps, and automating security checks in the pipeline, you increase the scalability of your development team and your security checks. It helps scale the number of changes you can release to end-users in the build pipeline.
Does DevSecOps support regulatory compliance efforts?
DevSecOps can be used to automate regulatory compliance. You can run the tools that validate whether your product is compliant with regulations during the normal validation of your product. So, let’s say a developer makes a change to the product and commits it to your repository. If the tool that checks regulatory compliance runs at the same time as the other product validations, your developers will know that if the build passes, the software is compliant.
You have a constant feedback loop telling developers if the software is compliant or not. If it is not compliant, they can fix it immediately. They don’t have to wait for the software to be handed off to another team for this validation, who then has to come back to the development team to fix the issues.
Where do organizations currently stand on this trend?
It’s a mix.
Organizations that are hesitant to make the transition are hesitant because of the time it takes to validate the software, the time it takes for the build and validation pipelines to run, and the time it takes to develop automation. If security checks take a long time to run, this will increase the time for the feedback loop in the build pipeline, and that can cause resistance in teams.
Some organizations simply do not have the resources to invest in automation. It’s not always easy to automate the security validation process, nor is it easy to know what to test. Figuring out the proper tools and automation to put in place takes time and resources, including human resources, and sometimes you have to buy tools or contract a third party to help.
When an organization is careful, however, and ensures that the introduction of DevSecOps will not slow down the development lifecycle, everyone tends to be very willing to use it. It gives the product team peace of mind that the product is secure, it helps the team detect security issues earlier and fix them while the product is still under construction, and it helps the company as a whole because security vulnerabilities are a big liability. No company wants their software to be released without being sure they have a high standard for security.
The organizations that see the value are very excited to adopt DevSecOps practices. They understand that integrating security from the very beginning and automating security checks and validations will make development more agile and cost-effective in the long run.
How do you see DevSecOps developing in the next few years?
There is a lot of work being done to make the transition to DevSecOps easier for organizations. I think the big improvements for the next year will be on the tooling side. The tools are going to mature and become commonplace, so you won’t have to do much research to identify the right tool for your team.
A lot more players are entering the market, more open-source alternatives are being developed and improved, and the scope of these tools is also increasing so that they will cover a wider range of security validations.
Instead of doing simple vulnerability checks on libraries, the tools will start doing static analyses of code for security problems. They will do dynamic analyses of your product while it is running to check for security problems and also do automated penetration tests. This will all be integrated into the software development lifecycle and automated. Every time your product is built and tested, these security checks will also run.
How will Microservices influence the future of DevSecOps?
The rise of Microservices and distributed systems has significantly increased the engineering complexity of products. There are more components to build, test, deploy and monitor. To manage this complexity, teams must invest in automation. This is also true for security checks and audits. DevSecOps allows teams to scale the security validations by automating and including them into the development pipeline, enabling a secure environment for microservices development.
How will API Security impact DevSecOps?
It is very common for a digital product to provide its services through an API so that it can be used programmatically. It is also very common to expose internal services, in a Service-Oriented Architecture, using APIs. These APIs need to be secure, and the teams developing them need a way to make sure they stay secure throughout the development process. Just like with microservices, DevSecOps helps teams automate and implement security validations right in the development pipeline, enabling fast and consistent security checks for APIs while maintaining an agile development pace.
What will progress in change management mean for DevSecOps?
One of the main roadblocks to Continuous Delivery is the manual steps required in the change management process. The process can require the creation of a change management ticket, a method of procedure, and even approval from a change management board in a weekly meeting. This process is starting to change, with change management tools providing APIs for automating the change management process, and with practices like DevSecOps, which provide a lot more confidence that the version being delivered was properly tested and validated and that no security holes were found.
Why did Encora select DevSecOps as a top trend for 2022?
Security is crucial for every organization, and it’s becoming more and more important. There are more privacy regulations than ever, and the consequences of a security breach are larger than ever. Companies can go bankrupt or go out of business if they’ve been breached. The stakes are high.
Organizations are looking for processes and tools that make their software more secure, and DevSecOps is one of the practices that can help with that.
How can Encora help clients through the transition?
Encora has extensive knowledge because we work in multiple domains with many different products, scenarios, and company sizes. We use our aggregate experience to understand the client’s specific situation and create a plan to implement DevSecOps that aligns with the organization’s culture, its tools, and its existing processes.
In other words, Encora has collective knowledge that helps us quickly create and implement a strategy that is a good fit for the company.
A special thanks to DevOps Innovation Leader at Encora Brazil, Isac Souza, for speaking to us about the rising DevSecOps trend.
To read more interviews, visit Encora’s 2022 Technology Trends.
Encora is a digital engineering services company specializing in next-generation software and digital product development. Fast-Growing Tech organizations trust Encora to lead the full Product Development Lifecycle because of our expertise in translating our clients’ strategic innovation roadmap into differentiated capabilities and accelerated bottom-line impacts.