Even though many companies are integrating their application development and IT operations teams, DevOps integration with security operations is still a challenge.
Companies use DevSecOps (development, security, and operations) for several purposes, including enabling digital transformation initiatives, delivering value more quickly, gaining a competitive edge, and lowering the cost of remediating security defects. Despite the haste with which they implement DevSecOps, businesses occasionally fail, and the causes of these failures are preventable.
According to a GitLab poll of about 4,300 respondents on DevSecOps in 2021, the COVID-19 pandemic prompted teams to explore cutting-edge DevOps technologies, including Kubernetes and Artificial Intelligence (AI).
Let’s look at some of the most prevalent DevSecOps challenges CISOs are likely to face and some strategies for dealing with them.
Scarcity of skills
According to research, developers lack the formal security expertise needed to implement various DevSecOps methods. A DevSecOps implementation will suffer if developers don’t have that expertise. Formal in-house training can improve awareness and give more experienced employees the opportunity to mentor others. However, corporate leaders should also invest in self-paced online courses and expert external training firms rather than relying on existing in-house knowledge alone to bring everyone up to speed.
Ignoring cross-functional training
The friction between development and security teams is typically unspoken but generally understood. Cross-functional education should be part of a broader effort to break down silos and ease that friction, built on a genuine desire to learn.
According to The Linux Foundation and Harvard’s Laboratory for Innovation Science’s 2020 FOSS Contributor Survey, the average Free and Open-Source Software (FOSS) developer spends just 2.3% of their time on code security. When businesses aim to “shift security left,” developers are in the ideal position to reduce security vulnerabilities before production; they must grasp the organizational benefit of secure code and be encouraged to pursue it.
On the other hand, security practitioners increasingly find themselves in environments where everything is code. Code is everywhere, from application code to Infrastructure-as-Code (IaC) and compliance-as-code, Kubernetes manifests, and YAML templates for Continuous Integration/Continuous Delivery (CI/CD) pipelines. Security specialists do not need to be outstanding developers, but they should have a solid understanding of coding practices and be able to scan templates for prevalent misconfigurations and vulnerabilities. This would also help the two parties collaborate and find common ground.
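As an illustration of the kind of template scanning the paragraph above describes, here is a small checker for common Kubernetes workload misconfigurations. It is an added example, not code from the original article or from any particular scanning product; the manifests it inspects are constructed inline as Python dictionaries (the shape a YAML loader would produce), and the rule names are this example’s own.

```python
"""Check Kubernetes workload manifests for a handful of well-known misconfigurations.

Added example: the rules below are a constructed, minimal subset of what tools
such as IaC scanners typically flag (privileged containers, host namespace
sharing, running as root, missing resource limits, mutable image tags).
"""
from typing import Any, Dict, List

Finding = Dict[str, str]

# Workload kinds whose pod template lives at .spec.template.spec
TEMPLATED_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job")


def _pinned_image(image: str) -> bool:
    """True if the image is pinned by digest or by a non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/repo path
    return ":" in last and not last.endswith(":latest")


def check_pod_spec(name: str, pod_spec: Dict[str, Any]) -> List[Finding]:
    """Return findings for one pod spec; `name` identifies the owning object."""
    findings: List[Finding] = []

    def add(obj: str, rule: str, detail: str) -> None:
        findings.append({"object": obj, "rule": rule, "detail": detail})

    if pod_spec.get("hostNetwork"):
        add(name, "host-network", "pod shares the node's network namespace")
    if pod_spec.get("hostPID"):
        add(name, "host-pid", "pod shares the node's PID namespace")

    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            add(cname, "privileged", "container runs with full host privileges")
        if sc.get("runAsNonRoot") is not True:
            add(cname, "run-as-root", "runAsNonRoot is not enforced")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset
        if sc.get("allowPrivilegeEscalation", True):
            add(cname, "privilege-escalation", "allowPrivilegeEscalation not set to false")
        if not (c.get("resources") or {}).get("limits"):
            add(cname, "no-resource-limits", "no CPU/memory limits, resource exhaustion risk")
        if not _pinned_image(c.get("image", "")):
            add(cname, "mutable-image-tag", "image not pinned to a version tag or digest")
    return findings


def check_manifest(doc: Dict[str, Any]) -> List[Finding]:
    """Locate the pod spec inside a Pod or templated workload and check it."""
    kind = doc.get("kind")
    name = f"{kind}/{doc.get('metadata', {}).get('name', '?')}"
    if kind == "Pod":
        spec = doc.get("spec", {})
    elif kind in TEMPLATED_KINDS:
        spec = doc.get("spec", {}).get("template", {}).get("spec", {})
    else:
        return []                              # not a workload we understand
    return check_pod_spec(name, spec)


# Constructed sample manifests (not from any real deployment)
BAD_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app",
            "image": "registry.example/web:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

GOOD_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example/web:1.4.2",
            "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}

if __name__ == "__main__":
    for f in check_manifest(BAD_DEPLOYMENT):
        print(f"{f['object']}: {f['rule']} - {f['detail']}")
    print("good manifest findings:", check_manifest(GOOD_DEPLOYMENT))
```

Running this in a pre-merge CI step, with the findings list turned into a non-zero exit code, is the point at which a security specialist who reads manifests and a developer who writes them share the same feedback loop.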
Overwhelmed by technology
While the use of tools is explicitly promoted in DevSecOps, issues occur when security and other teams have different toolsets. Without standards, documentation, and training, developers will struggle to choose among, or even use, increasingly sophisticated tools, and integrating the tools they do pick into the DevOps pipeline can be difficult and time-consuming.
Business leaders can encourage their employees to create tool standards and usage rules, which makes tool selection and use more manageable and keeps better records of how tools are used. This would help resolve configuration management issues and lay out the recommended security settings for each tool so that all teams are on the same wavelength, ensuring faster integration.
Dearth of automation
Analysis tools support many DevSecOps security procedures and scans. These tools are unlikely to generate many actionable findings if they are absent, or if they are set up and run manually for the first time shortly before an application goes live. Furthermore, the overall output from these tools is frequently overwhelming, and it may never reach the person who can actually act on it.