For a variety of reasons, cars are much safer than they were 50 years ago. Cars aren’t divided into ‘safe’ and ‘not safe’ for a reason – they are all developed with safety in mind. And while auto manufacturers might still use safety as a selling point (albeit more rarely), they did the real work of implementing structural design changes, adding features like seatbelts and safety glass, and meeting new mandated requirements during that time span. What they didn’t do was rename their factories as Safe Auto Manufacturing Centers without making the necessary changes to improve safety.
Right now, InfoSec is trying to do that by adding Sec to the phrase DevOps. What’s so bad about that? On the surface it seems like a good move. Security is important! See? The problem is calling it DevSecOps is a gimmick that doesn’t solve the real problem. It creates an illusion of separation when what’s required is integration. And changing the name without making reforms isn’t integration, it’s marketing.
Security needs to be a foundational part of any development life cycle, and should be treated more like automobile safety where ‘security’ is included from the design stage up. AppSec needs to make a mindset shift towards integration into DevOps, rather than remaining as a separate entity and process – which is what adding Sec to the title does. Security simply can’t be jammed in – that’s what got us here in the first place.
People assume cars are safe, and they assume the same of their applications. But applications aren’t – not unless security has been considered from the beginning. The truth is AppSec used to be treated like heated seats and sports packages when in reality it needs to be treated like safety glass and seatbelts – a thing you’d be nuts to leave out.
DevOps is about speed and automation. But counterintuitively, including security at each step of the process makes applications more stable, requires less patching, and ultimately leads to faster (and better) application delivery. Primarily, though, it’s the right way to do things. And it protects data and prevents attacks from happening in the first place, which is the whole point.
Every application should now be a safe one. Data demands it. And frankly, so do our adversaries.