Nov 14 2023
Software

Modern Platform Engineering: How DevSecOps Enables More Secure Software Development

A DevSecOps approach lets software developers build security into code from the start.

Security is a key consideration when it comes to platform engineering, which is the next step in the evolution of DevOps.

Platform engineering is a discipline for designing, building and maintaining software development tools. It removes friction from the developer experience, says Jim Mercer, research vice president for DevOps and DevSecOps at IDC. A survey by Puppet found that 42 percent of organizations using platform engineering saw “a great deal” of improvement in development speed.

Establishing a security framework and a baseline security posture can help limit development friction, Mercer says. Such a framework can include tools that monitor applications and application programming interfaces so that security threats are addressed without hindering software development.

“The platform engineering team should implicitly implement security and compliance in all the services and infrastructure it creates,” Mercer says.

Automation is key to implementing security without slowing down a DevOps workflow. It lets users include security checks within the software development lifecycle, Mercer says.

How DevSecOps Integrates Security Into DevOps Processes

An offshoot of DevOps, DevSecOps is a methodology that integrates security into software development processes.

“Like platform engineering, DevSecOps is a structure used by developers that came out of the need to organize and better plan all the steps involved in building code for applications,” says Todd R. Weiss, an analyst at the Futurum Group, a research firm.

Previously, developers would add security after building code. The DevSecOps movement came about to pull together development, security and operations to achieve more cohesive integration and quality of code, Weiss says: “DevSecOps allows all these important steps to help ensure better code throughout the development lifecycle, which is incredibly valuable.”

It’s crucial to incorporate security governance into developer workflows. A DevSecOps process could help catch alerts that often get missed. Failure to notice alerts leads to breaches of service-level agreements, according to Neil Wylie, chief architect for platform engineering at CDW.

Another part of DevSecOps involves automating security gates to prevent interruptions in a software pipeline. Organizations can also automate the evaluation of security results after code has been scanned for common vulnerabilities and exposures (CVEs) and common weakness enumerations (CWEs). “These gates are akin to how you might handle software quality when testing passes or fails with quality gates,” Mercer says.
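
As an added illustration of such a gate (example code, not from the article or from any vendor's tool): a small Python policy check that reads scanner findings and fails the pipeline on the same pass/fail principle as a test quality gate. The finding format, the policy thresholds and the CVE identifiers are constructed assumptions; only the CWE ids name real weakness classes.

```python
import json
from dataclasses import dataclass, field

# Hypothetical gate policy: which severities block outright, which weakness
# classes block regardless of severity, and how long a finding with a fix
# available may remain unremediated before the gate fails the build.
DEFAULT_POLICY = {
    "block_severities": {"CRITICAL", "HIGH"},
    "block_cwes": {"CWE-89", "CWE-78", "CWE-502"},  # SQLi, OS command injection, unsafe deserialization
    "max_age_days_unfixed": 30,
}


@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)


def evaluate_gate(findings, policy=DEFAULT_POLICY):
    """Apply the policy to scanner findings; each blocking finding adds one reason."""
    reasons = []
    for f in findings:
        ident = f.get("cve") or f.get("cwe") or "unknown"
        if f.get("waiver"):
            continue  # a documented, ticketed exception is honored rather than re-flagged
        sev = f.get("severity", "").upper()
        if sev in policy["block_severities"]:
            reasons.append(f"{ident}: severity {sev} blocks the pipeline")
        elif f.get("cwe") in policy["block_cwes"]:
            reasons.append(f"{ident}: weakness class {f['cwe']} always blocks")
        elif f.get("fix_available") and f.get("age_days", 0) > policy["max_age_days_unfixed"]:
            reasons.append(f"{ident}: fix available for {f['age_days']} days, not applied")
    return GateResult(passed=not reasons, reasons=reasons)


# Constructed sample scan output in a simplified shape (not a real scanner's
# format); the CVE identifiers are placeholders, the CWE ids are real classes.
SAMPLE_SCAN = json.loads("""[
  {"cve": "CVE-0000-0001", "severity": "HIGH", "package": "libexample", "fix_available": true, "age_days": 3},
  {"cwe": "CWE-89", "severity": "MEDIUM", "file": "app/db.py"},
  {"cve": "CVE-0000-0002", "severity": "MEDIUM", "package": "otherlib", "fix_available": true, "age_days": 45},
  {"cve": "CVE-0000-0003", "severity": "LOW", "package": "smalllib", "fix_available": false, "age_days": 90},
  {"cve": "CVE-0000-0004", "severity": "CRITICAL", "waiver": "TICKET-123, expires after review"}
]""")

if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_SCAN)
    print("PASS" if result.passed else "FAIL")
    for reason in result.reasons:
        print(" -", reason)
```

Run against the sample, the gate fails on three findings (the HIGH CVE, the CWE-89 weakness, and the stale MEDIUM fix) while honoring the waived CRITICAL one, which is the kind of tracked exception a governance process should review on a schedule.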

How to Remediate Security Issues Using Platform Engineering

A solid approach to software development ensures that products are more secure from the start by incorporating security into the code-building process, Weiss says.

“To build the best code, developers must adopt and integrate the best organizational tools, from platform engineering to DevSecOps, DevOps and agile development processes,” Weiss says. “That will help them create the best and safest code for their critical business tasks.”

As part of a platform engineering approach, organizations can turn to partners for help with governance and a DevSecOps strategy. Building governance into a development process lets organizations protect the health of a site, Wylie explains.

“At the end of a provisioning cycle, you can add monitoring to make sure you’re tracking whether a site is responsive and that transactions are completing,” he says.

Using artificial intelligence and machine learning allows organizations to bake security into development and operations. In fact, a 2023 GitLab study found that 62 percent of developers plan to use AI and ML to check code as a component of DevSecOps, an increase from 51 percent in 2022.

DevSecOps can go beyond the cultural aspects of DevOps to integrate security teams into the software development life cycle (SDLC) using automation. This integration can reduce silos among teams and address security needs in software development.

“Much like DevOps, there is an important cultural aspect to DevSecOps that involves further breaking down silos so that development, operations and security work together toward a common goal of releasing software faster and more reliably with improved security,” Mercer says.
