By Dava Stewart
As digital tools proliferate and cybersecurity threats keep growing, development, security and operations must be elements of one process: DevSecOps. Rather than being tacked on at the end, effective security is baked into the product from the beginning. This represents a change in more than processes, though. It requires a change in how teams operate and, in most cases, a change in company culture.
In an organization with established silos, changing the way teams work and interact with each other can be a challenge, according to Radcliffe. Each team has an idea of what their responsibilities are, and where they stop. Large organizations such as governments have the most brick walls between departments and teams, and Radcliffe observes that it’s easy for developers to say, “That’s not my job,” and simply throw a problem over the wall for a different team to deal with.
Changing those attitudes is sometimes more difficult than any other part of instituting the principles of DevSecOps. “We have to break the concept that it’s somebody else’s responsibility,” says Radcliffe. “You need to have the culture of ownership of this function end-to-end.” Teams need to feel they have the responsibility of building, running, maintaining and securing the end product.
Radcliffe notes that when developers have more responsibility for running systems, they tend to provide better logging and error checking. “You actually end up with better developers because they care more about the product. There’s no throwing it over the wall.” When developers are also responsible for security, they make sure the right firewalls are in place and unneeded ports are closed, and overall functionality improves as well.
Survey results cited in the article:
- 50% of organizations had already implemented DevSecOps
- 30% are in the process of implementing DevSecOps
- 10% reported it’s in the plans
- 1% do not plan to implement DevSecOps
In most organizations the security team is smaller than the others, so it’s not possible to assign one security expert to each team of developers. Making security a part of the overall development process therefore means training developers to include it themselves. “The reality is you can’t train people fast enough,” says Radcliffe, so the solution is to invest in common, automated pipeline platform capabilities that every team inherits.
For example, a company could create a secure build process that everyone uses. Each team keeps its own build scripts, but they run inside a shared secure build process, so no team has to build that part from scratch. Similarly, a centralized mechanism for purchasing licenses prevents every team from spending time and resources evaluating tools and buying licenses on its own.
“Having a developer platform, a pipeline provided to all the teams so that they can focus on the security of their app and not all the other process pieces is critical,” says Radcliffe.
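One way such a shared pipeline capability can look in practice, as an added example written for this article rather than code from Radcliffe or any vendor: a platform-owned gate script that runs each team's own build command and then applies the same policy checks to everyone. The policy itself (every dependency in a pip-style lockfile must be pinned with `==` and carry a sha256 hash) is an assumed, illustrative rule, and the sample lockfile is constructed.

```python
"""
Shared "secure build" gate. A platform team owns this script; each product
team's pipeline calls run_gate() with its own build command. The lockfile
policy below is an assumed example rule, not a standard, and the sample
lockfile at the bottom is constructed for illustration.
"""
import re
import subprocess
import sys

# One requirement per logical line, possibly continued with backslashes:
#   requests==2.31.0 \
#       --hash=sha256:<64 hex digits>
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s;\\]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined


def check_lockfile(text):
    """Return a list of policy violations for a pip-style lockfile.

    Every requirement must be pinned with '==' and carry at least one sha256
    hash, so the resolver cannot silently pull a newer or substituted
    artifact. An empty list means the lockfile passes.
    """
    violations = []
    for entry in logical_lines(text):
        if entry.startswith("-"):          # installer options such as --index-url
            continue
        m = PIN_RE.match(entry)
        if not m:
            violations.append(f"unpinned requirement: {entry.split()[0]}")
            continue
        if not HASH_RE.search(entry):
            violations.append(f"no sha256 hash: {m.group('name')}=={m.group('version')}")
    return violations


def run_gate(lockfile_text, build_cmd):
    """Run the team's own build command, then the platform's policy checks.

    Returns (ok, violations). The build step is skipped when build_cmd is
    None so the policy half can be exercised on its own.
    """
    if build_cmd is not None:
        subprocess.run(build_cmd, check=True)   # team-specific; raises on failure
    violations = check_lockfile(lockfile_text)
    return (not violations, violations)


# Constructed sample lockfile: the first entry passes, the second is
# unpinned, the third is pinned but carries no hash.
SAMPLE_LOCKFILE = """\
--index-url https://pypi.org/simple
requests==2.31.0 \\
    --hash=sha256:942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1
urllib3>=2.0
pyyaml==6.0.1
"""

if __name__ == "__main__":
    ok, problems = run_gate(SAMPLE_LOCKFILE, build_cmd=None)
    for p in problems:
        print("POLICY:", p)
    sys.exit(0 if ok else 1)
```

In a real pipeline the team would pass something like `["make", "build"]` as `build_cmd`, and the platform team would extend `check_lockfile` (or add sibling checks) without any product team having to change its own scripts. That separation is the point: the team owns the build, the platform owns the policy.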
Using the principles and processes of DevSecOps doesn’t mean organizations no longer need dedicated security professionals, either. “The true security experts should be focused on things that are less normal,” says Radcliffe. “Like malicious testing, or the boundary of the organization.” Reviewing every app, checking all the boxes and all the other routine steps involved in making sure a product is secure belongs to the developers.
Regardless of the industry, the size of the company or other factors, moving from a siloed approach to development, security, QA testing and so on, to an integrated approach where developers have more responsibility for the end product, results in improved efficiency and efficacy, and more security. Beginning with the principle “It’s got to be secure” means problems are prevented before they exist, so nobody has to go back and fix them later.
Thinking of DevSecOps like preventive healthcare may be useful. Junk food seems cheaper at a glance, and skipping the gym membership or the sports equipment costs less up front. Yet the cascade of potential health issues resulting from poor nutrition and lack of exercise is costly and often leads to a poorer overall quality of life.
The future of so many elements of IT is inextricably linked to AI, and DevSecOps is no different. Three considerations when it comes to DevSecOps and AI include ethical use of a new technology, automation and security.
“People need to bring AI into their pipelines and into their secure development processes to make sure they’re as secure as everything else,” says Radcliffe. At the same time, she adds, “They have to be very careful about what they are looking at.”
Regardless of the tool, whether it’s Copilot, watsonx Code Assistant, ChatGPT or something else, organizations need to pay attention to how the underlying models are trained and, equally importantly, to what the AI tools produce. “We’re in this interesting transition and we have to be very careful that we don’t just trust, we have to verify and put extra checks in place,” advises Radcliffe.
Automation of processes is one of the keys to breaking silos and increasing collaboration. AI enables automation, and Radcliffe expects its capabilities to keep growing. One example is the reuse of code. If an organization has a piece of code it created that works well, reusing it makes sense. “Right now, developers cut and paste anyway,” she says. If teams could instead give AI the best instance and let it search the code base for what the company has already built, they would write less code but deliver more capability and more real business value.
“The other thing is AI is going to make security even harder,” says Radcliffe. It will make forgeries more common, and problems will be harder to identify. In a never-ending circle, developers are going to need AI to counter AI. Ultimately, AI will “help developers and processes become better, to counter the fact that bad actors are going to use them to do the bad side of everything,” she adds.
No matter what it’s called, the transformation of breaking down silos, using automation, improving efficiency and eliminating redundancy, so that the same tasks aren’t done repeatedly, offers enormous value. Moving into a collaborative environment and driving ownership are keys to the future. “We can’t go backwards,” says Radcliffe. “The improvement is what matters.”