A common term used to describe DevSecOps is “shifting left”: the idea that quality assurance and security testing need to happen earlier in the process. The term comes from diagrams of the “waterfall” style of software development, which lay the phases out from left to right with testing near the far right; shifting left moves security work toward the start of that timeline.
And, of course, there are good reasons to build security in near the start of the process. It is far cheaper to keep a vulnerability out of production than to clean up after an incident that exploits it.
What Are the Benefits of DevSecOps?
The advantages of DevSecOps are best reflected in what the discipline can help businesses avoid in the software development process.
In a 2015 blog post, Donald Firesmith, a researcher at Carnegie Mellon’s Software Engineering Institute, described the risks of testing security within a traditional waterfall-style development process, in which each phase is handled separately. With this approach, testers are often involved only late in the process, when the software is close to completion: debugging is harder, there is less time to fix defects, and it becomes more likely that end users, rather than in-house developers, will be the ones to find the bugs.
“For decades, it has been well known that defects are more difficult and expensive to fix the later they are found in the lifecycle,” Firesmith wrote. “This phenomenon is one reason why treating testing as a sequential phase at the end of waterfall development has long been viewed as a major pitfall of system and software testing.”
When testing runs throughout the lifecycle, security becomes part of the process rather than a final check. According to Google Cloud Solutions Architect Drew Stevens and Enterprise Modernization Architect Mike Ensor, the biggest benefit of DevSecOps is that it encourages secure practices at every stage of development:
“Introducing security evaluation and practices earlier in the development cycle improves software quality and system health, and avoids expensive security fixes that can result if vulnerabilities are found later in the cycle. The core benefit of shifting left is to fail fast and remove security and quality defects as soon as they arise.”
DevSecOps vs. DevOps: What’s the Difference?
DevSecOps and DevOps are closely related, with the continuous integration/continuous delivery (CI/CD) pipeline tightly tied to both processes, but they diverge in significant ways with the addition of security.
Stevens and Ensor note that the shift-left approach has equivalents elsewhere in the DevOps cycle, but it carries special significance in a security context: “DevOps methodologies encourage development, quality and operations teams to collaborate on testing code and deployment mechanisms as early in the cycle as possible. DevSecOps applies the same principle of shifting left by incorporating security testing and vulnerability detection into the development lifecycle rather than waiting to audit after development and testing have concluded.”
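In practice, the “security testing and vulnerability detection” that Stevens and Ensor describe here, and the “fail fast” behaviour they call for in the previous section, take the form of a gate: every change is scanned, the results are evaluated against a policy, and the build fails before the change can merge. The following is an added example of such a gate, written for this page and not code from Google Cloud, IBM or any scanner vendor. It assumes the scanner emits SARIF 2.1.0 (the interchange format most SAST and dependency scanners can produce) and reads a constructed SARIF document embedded inline; the rule identifiers, file paths and ticket reference in it are invented for illustration.

```python
"""Pre-merge security gate: read SARIF scanner output, fail fast on a policy breach.

Added example for this page (not code from any scanner or CI vendor). The SARIF
document below is constructed; rule ids, paths and the ticket id are invented.
"""
import json
import sys
from dataclasses import dataclass

# SARIF 2.1.0 result levels, ranked so a policy can say "fail at warning or above".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample of what a SAST scanner might emit for one run (not real output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input reaches a SQL query unescaped"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 17}}}]},
            # No "level" and no location: exercises the defaults in parse_sarif.
            {"ruleId": "weak-random", "message": {"text": "random.random() used for a token"}},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import 'os'"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    message: str
    location: str


@dataclass
class GateResult:
    passed: bool
    blocking: list   # findings that fail the build
    accepted: list   # (finding, ticket) pairs waived by an explicit risk acceptance
    counts: dict     # findings per level, for the report


def parse_sarif(text: str) -> list:
    """Flatten a SARIF log into one Finding per result across all runs."""
    log = json.loads(text)
    findings = []
    for run in log.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            level = result.get("level", "warning")  # SARIF default when "level" is absent
            if level not in LEVEL_RANK:
                raise ValueError(f"unknown SARIF level {level!r} from {tool}")
            location = "<no location>"
            for entry in result.get("locations", []):
                phys = entry.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                if uri:
                    line = phys.get("region", {}).get("startLine")
                    location = f"{uri}:{line}" if line is not None else uri
                    break
            findings.append(Finding(tool, result.get("ruleId", "<no rule>"), level,
                                    result.get("message", {}).get("text", ""), location))
    return findings


def evaluate_gate(findings, fail_level="error", accepted=None) -> GateResult:
    """A finding blocks the merge when its level is at or above fail_level and its
    rule is not in `accepted` (rule_id -> ticket recording the risk decision).
    Accepted findings are still reported, never silently dropped."""
    accepted = accepted or {}
    threshold = LEVEL_RANK[fail_level]
    blocking, waived = [], []
    counts = {lvl: 0 for lvl in LEVEL_RANK}
    for f in findings:
        counts[f.level] += 1
        if LEVEL_RANK[f.level] < threshold:
            continue
        if f.rule_id in accepted:
            waived.append((f, accepted[f.rule_id]))
        else:
            blocking.append(f)
    return GateResult(passed=not blocking, blocking=blocking, accepted=waived, counts=counts)


def format_report(result: GateResult) -> str:
    """One-line verdict plus one line per blocking or waived finding."""
    lines = [f"{'PASS' if result.passed else 'FAIL'}: " +
             ", ".join(f"{n} {lvl}" for lvl, n in result.counts.items() if n)]
    for f in result.blocking:
        lines.append(f"  BLOCK {f.level:<7} {f.rule_id:<16} {f.location}  {f.message}")
    for f, ticket in result.accepted:
        lines.append(f"  WAIVE {f.level:<7} {f.rule_id:<16} {f.location}  (accepted: {ticket})")
    return "\n".join(lines)


if __name__ == "__main__":
    # In CI the SARIF text would be read from the scanner's output file instead.
    gate = evaluate_gate(parse_sarif(SAMPLE_SARIF), fail_level="warning",
                         accepted={"weak-hash": "SEC-123"})
    print(format_report(gate))
    sys.exit(0 if gate.passed else 1)  # non-zero exit is what stops the pipeline
```

Two design points matter more than the parsing. First, the gate fails closed: an unknown severity raises instead of being ignored, so a scanner format change cannot silently turn the gate green. Second, waivers are tied to a ticket and printed on every run, so an accepted risk stays visible rather than disappearing into a suppression file.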
The speed of a DevSecOps pipeline is itself a security benefit. As the IBM Cloud Learn Hub notes, vulnerabilities are often disclosed and exploited quickly, so a pipeline that can test and ship a fix without waiting for a separate release cycle shortens the time a flaw stays exposed: “As DevSecOps integrates vulnerability scanning and patching into the release cycle, the ability to identify and patch common vulnerabilities and exposures (CVE) is diminished. This limits the window a threat actor has to take advantage of vulnerabilities in public-facing production systems.”