Bridging the DevSecOps Gap to Embed Security Across the DevOps Landscape

Lila Kee is the General Manager for GlobalSign's North and South American operations, as well as the company's Chief Product Officer. It's no secret that between busy developers, IT, and security personnel, there can sometimes be a real disconnect. According to a software intelligence firm, Dynatrace, "only 50% of CISOs believe that development teams have thoroughly tested the software for vulnerabilities before deploying it into the production environment." In another survey conducted by a cybersecurity advocacy group, ISC2, respondents expressed frustration over frequently misconfigured applications, slow patching of critical systems, and a lack of consistent awareness and visibility of threats active against their IT infrastructures.

The biggest skills gaps mentioned by respondents were in cybersecurity mitigation areas such as cloud computing security, AI/machine learning, zero-trust implementation, and penetration testing. These are areas that fall under the scope of DevSecOps, which emphasizes the integration of security as a shared responsibility throughout the entire development lifecycle. However, between constantly evolving innovation, equally advancing cyber threats, and industry struggles with a shortfall of security skills among developers and IT teams, a critical chasm has emerged-the scarcity of security expertise within the developer community. This puts the security of many organizations at severe risk. With that in mind, a bridge must be made to DevSecOps to limit damaging cybersecurity incursions. However, this requires some work to build it, and there could be some stumbling blocks along the way.

Challenges To A Successful DevSecOps Transition Stumbling blocks to DevSecOps occur since it requires collaboration and coordination among developers, security experts, and compliance and operations teams throughout the software lifecycle. However, finding and retaining talent with the right skills and mindset for DevSecOps remains a daunting challenge. This requires resourceful creativity and support from the top down. Developing this kind of embedded security takes a committed budget and buy-in from everyone involved. It truly takes a village. A collaborative community and security culture must evolve with an ongoing dialogue between developers, IT, security experts, and top brass. The ability and willingness to hear firsthand the frustrations and challenges each group faces can be the gateway to mutually beneficial collaboration.

A significant first step in the DevSecOps transition is promoting this kind of environment and the designation of an advocate from developers, IT, operations, security, and the C-suite who are available to listen, share concerns and mediate. In the journey to overcoming the challenges of attaining successful DevSecOps, organizations can bridge the skills gap and boost overall security infrastructure. Here are some steps that can help.

  1. Establish visibility and thorough assessment of your DevOps landscape.

The first step is to bring visibility to the tools, containers, devices, secrets, credentials, and accounts within DevOps to ensure that they are compliant with the organization's policies and security measures.

DevOps secrets management is an attack vector, and it is crucial to separate or cloak secrets.

  1. Invest in training and upskilling. Develop a security coaching program with ongoing training of DevOps members and a clear chain-of-command response path for developers.

Promote continuous learning opportunities and resources for existing IT and security staff to acquire and update their skills to provide DevOps with security tools, techniques, and best practices.

Encourage and support employees to obtain relevant certifications and credentials to validate their skills and knowledge.

Consider joining online technology forums and chats to share resources, problems, and solutions.

  1. Leverage automation practices. Automation provides scalability and visibility, streamlining and simplifying DevSecOps processes and workflows. It also reduces human errors, improves consistency and quality, and enhances policy enforcement, productivity, and efficiency. For example, automated public key infrastructure (PKI) platforms track and monitor certificates implemented within DevSecOps, enabling certificate validity, compliance, data protection, and alerts if something in the pipeline falls below standards.
  2. Leverage outsourcing and partnering options. When hiring and training internal security personnel is not feasible or cost-effective, outsourcing some or all of your security functions to external providers, such as PKI platform providers or managed security service providers (MSSPs). They can focus on the security side of the effort, freeing up precious developer time, which allows them to focus on their main jobs. Consultants may be a good alternative. Organizations can partner with other entities, such as academia, industry associations, or government agencies, to share best practices, insights, and solutions for DevSecOps challenges.

A siloed DevOps without security built in is no longer an option. The cybersecurity skills gap in DevSecOps can result in serious consequences for the security and performance of software applications, as well as the reputation and competitiveness of organizations.

By adopting these strategies, organizations can build and maintain a strong and diverse cybersecurity workforce that can support their DevSecOps initiatives and enhance their overall security posture. This will lead to more secure, reliable, and high-quality software applications that meet the needs and expectations of users. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives. Do I qualify?

Read more