How to build in DevSecOps: Grow culture from the ground up

In today’s digital landscape, every company is a software company. Software is the life link in how companies connect to and engage with customers and partners. That's why it's vital to weave security into every step of the development process, from design, through coding, to release and operation.

Unfortunately, many executives don’t see it that way. A Freeform Dynamics survey, commissioned by CA Technologies, found that an organization’s culture has a profound influence on its ability to integrate security practices from the start.

And since culture is most often dictated by the priorities of top executives, it’s no wonder that less than one quarter of respondents believe that senior management understands the importance of not sacrificing security for time-to-market success.

All too often, pressure from executives to reduce time-to-market means security gets considered only at the end of the lifecycle. If you're to address the growing concerns around insecure applications and devices, security must become part of your software development process right from the beginning. Here's how to achieve that.

Gartner Magic Quadrant for Application Security Testing 2018

Let developers lead

The numbers don’t lie; research shows that an organization’s culture has a major impact on its ability to successfully incorporate security into the development process. The key to success is letting developers lead the way and giving them the room they need to do great work, which includes building in security.

Right now, IT leaders cite lack of time (65% of respondents in the survey) and budget (59%) as two of the biggest roadblocks, both of which result from executive top-down priorities. At the same time, 75% agree that their software developers would benefit from more training in secure coding.

Developers take pride in the quality of their work, which includes security. Even when they don’t know everything, they will rise to the challenge presented to them, especially if organizations hand them the tools they need to succeed.

Given the chance to improve their skills and produce better code, they’ll take it. Therefore, the single most effective action an organization can take is to establish a training program that teaches developers what they need to know about software security so that they can take responsibility for the security of the code they produce.

Get executives out of the way

While developers need to be the ones most ingrained in the transition to DevSecOps, top executives need to be comfortable with the change, or the program will never take off.

Fortunately, there is a light at the end of this tunnel. The survey highlights a group that has mastered the key principles of DevSecOps. Dubbed “Software Security Masters,” these agents of change are organizations that have been able to overcome cultural barriers to fully integrate security into the software development lifecycle, and they are seeing major payoffs beyond the security of their code.

Those hoping to drive a new DevSecOps program can use the success of the Software Security Masters to make the business case for an emphasis on security. They are more than twice as likely to see the positive side of enhancing security across the application development lifecycle and to make security an enabler of business. Also, Software Security Masters are more than twice as likely to strongly agree that they have the ability to keep up with increasingly demanding security testing.

These companies also experience a superior competitive advantage in the field, with improved time-to-market for deployments. This is also intricately tied to how effectively and rapidly the business can exploit new opportunities when they are spotted. Effective security alone is not a guarantee of speed, but outdated testing capabilities will slow things down.

Integrate security into the whole business

Companies that integrate security throughout the business become more efficient across the board. While it’s clear that market pressures and customer expectations have made cyber-risk an executive concern, it's essential that everyone in the business have a stronger understanding of IT security.

With delivery lifecycles shortening, security must be embedded into every step of the software lifecycle: requirements gathering, design, code creation, deployment, and operation. Special attention should also be paid to continuous testing capabilities at every step. To inject security into the DNA of DevOps teams, you must know where you are starting, so begin with a thorough assessment of your current capabilities, strengths, and weaknesses.

Master software security

Although security might take a larger up-front investment, the return can be significant in terms of customer trust, additional sales, and referrals. Organizations that have achieved software security mastery have cracked the code when it comes to figuring out how to influence cultural change across the whole organization.
