ONUG: Challenges to Institutionalizing DevSecOps in the Large Enterprise

Research firm Gartner simply defines DevOps this way: “DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach.” Culture is the key word here. It’s about changing the mindset and completely revamping both the development and operational side of IT. 

DevOps isn’t something you buy. It’s something you do. Similarly, DevSecOps is based on embedding security controls within the DevOps workflow. Is institutionalizing DevOps really worth the effort? Consider just a few key findings from the State of DevOps Report.

High performing DevOps organizations experience:

  • 200 times more frequent deploys
  • 24 times faster recovery times
  • 3 times lower change failure rates 

One key finding from the report noted, “We see continued evidence that software speed, stability and availability contribute to organizational performance. Our highest performers are twice as likely to meet or exceed their organizational performance goals.” Simply put, companies that transition to a DevOps culture experience faster software delivery, simplified management, quicker troubleshooting, as well as happier, more productive teams. Ultimately, this leads to an enterprise that is more stable and better positioned for innovation. 

If it’s so great, why isn’t everyone doing it? A culture shift is a challenge for any organization, but it’s especially challenging within large enterprises. Let’s consider some of those challenges and how they can be overcome. 

The Security Hurdle

Keeping enterprise data safe is the priority for security professionals, with good reason. 63% of companies say their data was potentially compromised within the last 12 months due to a hardware or silicon-level security breach. When it comes to transitioning to a DevOps approach, many security professionals are reluctant, mistakenly thinking that handing over control or automating the process weakens security. 

The reality is that DevSecOps makes enterprises more secure. That fact was outlined in a recent podcast in which participants shared key insights from the 2019 State of the Software Supply Chain report. The most noteworthy finding was that “the faster the software development pipeline, the more secure the end result.” 

However, that doesn’t mean there are no security challenges to implementing DevOps. Tools integration presents a big hurdle. The more tools being used, the more privileges and credentials that need to be managed, and the more the security risk grows. IT teams can ease this burden and tighten security posture by using secrets management and solutions. 

Can DevSecOps really reduce security risks? The State of the Software Supply Chain report found that “DevSecOps automation reduces Operations Support System (OSS) risks. Enterprises automating open source governance as part of a managed software supply chain practice saw the percentage of vulnerable components used in finished applications drop by 55%. 

Successful Integration of DevSecOps and DevOps

Collaboration is the key word when it comes to integrating DevOps and DevSecOps. Security professionals must adhere to the collaborative, agile nature of DevOps. Aligning these two camps is a challenge for large enterprises, but a step that must be taken to ensure security is included in the lifecycle of all the DevOps processes. 

However, that is easier said than done. It’s critical to understand the DevOps process first, then how security fits in. Ask yourself, “Where are the shortcomings with adding security?” Is there a designated champion who understands this integration? Are they authorized to act to bring about a culture shift? 

Here’s an example. When developers are writing code, do they have tools that check for vulnerabilities? If so, those tools should prevent the code from being compiled. Ensuring there is a security element at each stage of the build process creates a much stronger, and more efficient development process. Large enterprises usually have clear governance policies to mitigate risk. From those policies, they develop security policies. While security might seem like a challenge for these large organizations, building DevSecOps into your DevOps culture will actually mitigate risk and boost your security. 

Benefits of DevSecOps to Large Enterprises

Shorter feedback loops, fewer incidents and a bolstered security strategy are just a few of the perks large enterprises are experiencing by developing a strong DevOps culture that has DevSecOps baked right in. Note this success story featured in CSO magazine. “Our average customer takes 174 days to fix a vulnerability found when using dynamic analysis in production. However, our customers that have implemented DevSecOps do it in just 92 days.” 

Being able to quickly fix a vulnerability really demonstrates how agile your team is. CSO added that for companies without DevSecOps who found and fixed vulnerabilities within 10 days, only fixed 15% of their vulnerabilities. Conversely, companies using DevSecOps were able to fix 53% of their vulnerabilities within 10 days.

Challenges Come From Resistance to Change

Large enterprises face many challenges that make DevOps and the integration of DevSecOps difficult. However, they all center around resistance to change. If this culture change barrier can be overcome, companies will start to realize the full potential of DevOps. First, there are talent shortages. The CSO article noted, “The number of security practitioners knowledgeable in DevSecOps is still low.” However, this hurdle can be mitigated by integrating security into the pipeline and giving developers the security tools they need. Revamping the organization structure and providing training to existing staff may solve this problem.

Secondly, large enterprises often function in silos. DevOps is all about breaking down those silos. A “hands-off” mentality to process only complicates the matter. Instead, look at reorganizing so that the enterprise is structured around goals not departments. Consider creating a platform team that offers DevOps-as-a-Service. 

Third, many large enterprises use an Authority-to-Operate (ATO) process when security needs to approve a new application. This time-consuming process often takes months, forcing staff to wait for much-needed tools. Instead, leverage cloud solutions that can serve as the ATO for many authorizations instead of needing separate ATOs for each application.

Learn More

This discussion will be continued at ONUG Fall taking place October 14-15 in New York and Online.. Join experts from large enterprises and ONUG Board members from JP Morgan Chase, Fidelity, Ernest and Young, Cigna and others as they discuss Institutionalizing DevSecOps in the Large Enterprise as well as other critical DevSecOps issues.  ONUG Fall will focus on the IT culture shift, as well as trending business processes and governance issues. Delve deeper into why large enterprises are slow to adopt DevOps and what major shifts in culture must take place to hasten this adoption. Don’t miss these insightful DevSecOps discussions at Fall ONUG. For more information visit onug.net  or you can contact us here. 

Author's Bio

Guest Author