Let’s start with the bottom line. If you’re a developer, it’s time to embrace security, not for the higher-ups or the tenacious CISO—but for yourself. Because at the heart of any successful DevOps initiative is you, the developer who drives the software agenda and deploys the code. This means not just nodding enthusiastically during security meetings but actually placing yourself, and the meaningful work you do, at the center of an application security (AppSec) strategy.
Everything is moving fast these days, and the expectations for DevOps are no different. An agile framework underpins successful digital transformation and strong innovation. But without security in the mix, DevOps merely introduces vulnerabilities into the software faster. And this isn’t good for anyone—not the end-user and not the person in charge of building the software.
So rather than lament the “soul-crushing” efforts of addressing security in a build, why not just refocus and proactively take a leading role when it comes to AppSec? Here are three simple reasons why you most definitely should:
ONE: It’s in your best interest. Friction among teams doesn’t have to be the norm. When gaps exist in the feedback loops, and AppSec and DevOps teams are not effectively integrated, problems emerge with code development, delivery schedules come to a screeching halt, and vulnerabilities increase overall business risk. Building a security culture with a more collaborative and federated approach opens up communication and learning among teams. But most of all, it reduces the amount of stress and problems within the workflows of all teams.
TWO: That whole scanning tool problem will go away. It’s no secret that integrating and orchestrating AppSec tools within DevOps pipelines is complicated and eats up time. Everyone keeps saying “shift left” to incorporate testing sooner in the software development life cycle (SDLC), but every AppSec tool has to be integrated and automated within these DevOps pipelines, with the right tools running at the right stage. Considering most developers aren’t security experts, how are you supposed to integrate tools within these workflows, not to mention run, manage and maintain them?
THREE: You can still innovate quickly. At the end of the day, software development is a creative field, where trying new things and thinking outside the box is the name of the game. The idea that developers can innovate like mad but somehow can’t handle the details of security seems crazy. Many see excellent software development as an art, a craft, made by professionals who can handle a whirlwind of new ideas and technologies. So, when developers find creative ways to work around security, rather than in partnership with it, they inadvertently create newer and bigger problems for themselves. And nothing slows down the creative process more than a bunch of security problems.
Remember, everything is connected. And since development sits at the heart of excellent software, DevOps is also uniquely situated to provide some of the best security solutions. You just need to take a leading role!