It's right there in the moniker: DevSecOps, a portmanteau of Development, Security and Operations, implies introducing security early on – as part of a comprehensive, agile software development life cycle (SDLC) used by your organization, rather than doing so iteratively or waiting until after a release.
Given how security breaches and vulnerabilities have become everyday news, it makes little sense for developers to ignore the seriousness of secure coding anymore. Here's a little secret though: developers are often not the most security-oriented folks for obvious reasons. It is not their primary duty. The priority for a software developer is to build an app, carry out the intended tasks nicely, and perhaps account for the user experience (UX) and satisfaction. If they are diligent, they may incorporate basic "security checks" in their coding processes – such as not blindly trusting user input and sanitizing it. However, a developer may not alone have adequate bandwidth or expertise to incorporate the most superior security checks in an app.
A moment of honesty: despite working in DevSecOps for Sonatype I did not understand upfront what the buzzword meant for some time. I often questioned myself, "Where does the benefit lie for organizations in this? Is this all a marketing fad?"
Over time, I have observed a trend and upward push in the industry to implement some sort of inherent "security" as part of their development workflow, and here are the 5 benefits that immediately come to mind.
Spot Vulnerabilities and Bugs Early On
While a developer may do their due diligence in implementing basic-level security checks, nobody can know in this vast open-source ecosystem with millions of repositories, as stated by GitHub, how many software packages contain a security vulnerability and in which of its versions. Provided the huge volume, it is impossible to be aware of it without some sort of security automation.
The National Vulnerability Database (NVD), a U.S. NIST initiative, which is no longer a comprehensive or accurate list, just crossed their 100,000th vulnerability in 2018, with more vulnerabilities added every day. This does not always include the "security exploits" and issues posted on GitHub or ExploitDB.
An integrated DevSecOps solution or workflow that supports some automation can help developers spot if they are unintentionally using open source libraries with known vulnerabilities, before they even begin coding the rest of the modules of a software project, only to realize they need to start over.
Leverage Open Source With Increased Confidence
Since the open source community traditionally welcomed contributions from "anyone," this also opens a door for malicious actors to abuse. In 2019, multiple reports of malware having been disguised as legitimate open-source packages came to light. While npm's representatives were able to spot and "remove" these components from their servers, the process has not always been a quick one. An unsuspecting developer already using one of the compromised components would have no means of knowing this, unless an automated tool was in place to constantly scan their project and point out any malicious open source components. This is where IDE-integrated solutions can save developers and an entire organization from blunder and embarrassment that may follow after making a release.
Save Costs on Resource Management
As a former software developer, I can authoritatively reflect on how "dependencies" pose a problem during software development and critically shape the rest of the workflow. In layman's terms, if your application requires a certain library A which depends on yet another library B, which further depends on yet another library C, version 2 – which is vulnerable – it would naturally mean you can't use any of those three libraries unless library A and B supported a non-vulnerable version 3 of library C… provided such a version even existed.
You can see how this can get tedious. Imagine having to accept potential security risk for 20 or more components for a mid-to-large scale software project, or exploring alternative open source libraries.
For project managers and developers, having this knowledge upfront and being able to assess the risk early on can mean searching for better alternatives and designing secure software from the start, rather than waiting until after a release, when a vulnerability assessment may in future reveal a critical vulnerability. In practice, this means saving tremendously on man hours and resource management costs.
Make Developers Security-Aware
Your developers are busy and tasked with implementing a certain functionality out of code for your users. Security may not always be their number one priority, due to limitations imposed by meeting deadlines, and even the developer's own lack of security expertise. However, with DevSecOps software solutions, the constant "reminders" about excluding certain components from software builds, along with credible reasoning, make your developers a little more interested in and aware of security every time they see such an alert, for example.
In the long run, this may habitually reinforce the developer's mindset of avoiding an open source component that has a reputation of containing security flaws in multiple versions.
Reduce Risk and Legal Liability
Organizations often state, "we take your security and privacy seriously," but not many live by it. Had they done, the current climate of frequent cybersecurity breaches would be non-existent. Either way, any such damaging news negatively impacts an organization's brand reputation, and may lead to potential lawsuits and fines. Following security practices at every aspect of your software project – even when a simple website – is more likely to reduce such a risk and impact that may arise from having an otherwise complacent attitude towards security.
In conclusion, there is never a way to know whether your application or project is secure from all directions. After all, we can't claim to predict or rule out the unknown risks. But following best practices and automation as outlined by the fancy term DevSecOps can tremendously reduce your risk of using software components with known vulnerabilities, right from the beginning.
Ax is a security researcher, malware analyst and journalist with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime ...
Explore All Posts by Ax SharmaTags
Code 3x Faster with Less False Positives
Build, test, and launch secure applications without rework. Explore how the Sonatype platform can enhance productivity and security.