DevSecOps Adoption and the Web Security Myth
As DevOps practices have become widespread in the tech community, many people have begun proclaiming the virtues of DevSecOps. As the name implies, DevSecOps is the addition of security into DevOps. Just as DevOps promises better-quality production in less time, DevSecOps promises better security with less time required to achieve and maintain it.
DevSecOps has many benefits. However, many executives are under the impression they can’t embrace DevSecOps across their entire organization.
This idea is false. Most organizations that have already adopted DevOps can, and should, take the next logical step and adopt DevSecOps as well.
‘It Sounds Great, But We Can’t Use It Here’
Adopting DevOps requires far-reaching changes throughout an organization. Going to DevSecOps can be similarly disruptive. However, internal disruption is not usually the (perceived) problem with DevSecOps.
Instead, the problem is usually the network border. Many executives believe that their current web security solutions are incompatible with DevSecOps.
In many cases, this is actually true. Older approaches to web security are indeed hindrances to DevSecOps practices.
Therefore, the problem isn’t actually with DevSecOps. The problem comes from the security solutions currently in use.
Legacy Security Solutions and DevSecOps
Many organizations are still using appliances (whether physical or virtual) as their primary protection against external threats. A decade ago, appliances were good enough. Today, they’re a competitive disadvantage.
There are several ways in which appliances are incompatible with DevSecOps:
Programmatic control of an appliance is often difficult if it’s even supported at all.
Configuring an appliance can be challenging. It often requires a high level of security expertise.
Rolling out settings and configuration changes across a bank of appliances can be time-consuming and potentially error-prone.
The cost and specialized nature of most appliances make them inconsistent with the DevOps mantra of “cattle, not pets.”
Physical appliances do not scale, so the external-facing applications behind them will be limited in their scaling as well.
Appliances are not designed for ephemeral workflows.
Appliances are not designed to support infrastructure as code (IaC).
Security appliances represent a decades-old approach to security, so it’s not surprising they don’t support modern practices. What is surprising is that even many allegedly “cloud-native” solutions aren’t built for DevSecOps, either.
For example, some require multiple instances to be launched into your environments. Some require additional layers of management just to maintain consistent configuration among them. Many do not provide good support for evolving architectures and expanding deployments. In general, these security products tend to require significant intervention and management, while lacking automated control capability. This all severely limits the use of DevSecOps.
These appliances and incorrectly labeled “cloud-native” solutions are why many executives believe DevSecOps isn’t an option for their organizations. To be clear, these executives are correct—for as long as they continue to use previous-generation approaches to web security.
Not Just a DevSecOps Issue
Older approaches to web security have other problems that go beyond a hindrance to DevSecOps usage.
For example, appliances are marketed as complete web security solutions, but they cannot actually fulfill this role. Among other things, an appliance cannot defend against a volumetric DDoS attack. The attack can overwhelm the upstream ISP before the appliance even has a chance to scrub the traffic. This can result in the ISP blackholing all incoming traffic, which makes the targeted site and web applications unavailable to users and customers—the exact situation the appliance was supposed to prevent.
Solving the Problem
Organizations that are still using older security technologies should re-evaluate this decision. Modern solutions such as cloud web security platforms can provide better protection, along with numerous other benefits. These include full management by the provider, real-time reporting and traffic control, adaptive threat identification based on machine learning, and much more.
When organizations continue to use legacy security solutions, they not only prevent themselves from enjoying the benefits of DevSecOps, they also miss out on many other benefits.