Why injecting security into DevOps is a no-brainer

Sridhar Jayaraman, VP of Engineering, Qentelli

Despite a significant uptick in awareness of DevOps security issues, many companies aren't on top of the software development security challenges they face, and must rely on outside teams to handle their software security program. 

Surveys show that there is significant resistance to company-wide DevSecOps implementations, and that many managers view incorporating security standards into DevOps processes as a roadblock to agile software delivery.

Why do so many software managers have a negative attitude toward DevSecOps rollouts? For starters, many DevOps professionals don’t want to sacrifice speedy application development and deployment for a secure environment, complete with the frequent testing and tracking that comes with DevSecOps.

Another factor is that many software managers don't understand how to properly integrate a security program into their DevOps programs. That’s why many organizations continue to struggle with implementing security standards in their DevOps platforms.

For software development managers who want to get off the fence and improve their security effectiveness, the best incentive may be to check out what happens when you don't deploy a DevSecOps security program. Here's a closer look.


Reputational damage gets real

Fewer customers want to do business with a company that doesn't take data security seriously, and even fewer employees want to work for that company.

Case in point: In 2015, UK-based TalkTalk suffered a data breach that compromised the personal data of 157,000 customers, and exposed the bank records of 20,000 of them. 

When the UK’s Information Commissioner's Office cited the company for "multiple failings" in its security processes, the broadband provider lost 100,000 customers—and a big chunk of its information technology team, many of whom were too embarrassed to work at the company any longer.

Brand distancing often happens in the aftermath of a major data hack, and not implementing stronger security measures is a major reason why reputational damage is so severe. Bugs linger, and product rollouts get delayed.

One of the most significant benefits from having a solid DevSecOps program is that your software security teams, usually through repeated testing, can identify system vulnerabilities early and fix them in time. That means little or no delay in software rollouts and software projects that come in clean.

Security and speed: You can have both

If you don't spot system vulnerabilities early in the DevOps process, all that time spent on agile software coding and development can go for naught. Not only are deadlines threatened, but new or revamped company products and services—the bread and butter of any business—are delayed.

This costs the company staffing time (to fix the vulnerabilities while plugging the pipeline) and money (in the form of delayed orders and delayed payments from vendors, partners, and customers).

Your software developers already have plenty to do when creating and installing functionality for your products, yet one of the strongest tenets of DevSecOps is the increased data security knowledge that those software developers gain as key members of a data software security team.

With DevSecOps, software developers are on the front lines of data security, fully trained on the security side of software builds and capable of spotting coding errors as they happen. 

In the end, you’ve got not only a seasoned software developer who knows how to generate code and push deadlines through to the end, but also a curious and plugged-in data software system specialist who can help save you time and money down the road, as your DevOps program expands and the stakes grow higher for your company.

You run the risk of financial and legal liability. No savvy company decision makers should ignore DevSecOps, considering the huge costs associated with breaches. Instead, they should think about investing in cost-saving DevSecOps training, testing, and implementation.


Ignore DevSecOps at your own risk

The downsides associated with avoiding software security practices can be measured far beyond the most pervasive issues I've cited above—brand damage and legal and compliance costs among them.

Rather than simply accepting these risks, get proactive and go full throttle with a software security plan that takes all of the above issues off the table—for good.
