Security in software development

At a time when companies are striving to shorten development cycles, link work processes and meet increased customer demands, the importance of DevOps is growing. As more and more companies work with DevOps, the security aspect is becoming more important at the same time. DevSecOps has long since evolved into an integral part of software development. Why has DevSecOps established itself as a standard so quickly? The increasingly strict data protection laws certainly have something to do with it. But data security is also very important for many other reasons. Every IT environment has security vulnerabilities, and scandals caused by hacker attacks or malware do not look good in any company's portfolio. Julian Totzek-Hallhuber explains why DevSecOps has become the standard so quickly. Below we summarize his article for you.

Importance of data security

According to a survey by Coleman Parkes, 88 percent of companies in Germany swear by their DevOps culture, which has become a crucial factor for success. DevOps allows them to combine dynamic processes in development with reliable IT. This makes development faster, more agile, and it meets the requirements of a digital business environment because experts from different fields come together to find the best solutions. Nevertheless, it is striking how many companies only worry about security gaps when a problem arises or an audit is imminent.

How does DevOps become DevSecOps?

Those who shorten release cycles become more profitable, but usually run a security risk. This is because development teams are under high time pressure and therefore neglect the security aspect. Veracode reported in its "State of Software Security" report that over 85 percent of all programs have at least one weakness, and 13 percent even have a critical vulnerability. The vulnerabilities in a program are only part of the challenge; finding them is the real sticking point. Often this is simply because developers do not, or cannot, take enough time to look specifically for weak points. Only those weaknesses that are found can be fixed. The aspect of "time" plays a role here, because the sooner the application can be brought to market, the better. It costs time and money to search for weaknesses and eliminate them. So a trade-off has to be made: Do I invest more time in another testing phase to discover and fix any weaknesses, or do I take the risk that they will be found only after the release, in the worst case by a hacker? Data leaks or program failures can, of course, also lead to criminal liability or result in fines. And then there is the potential damage to reputation. All of this must be taken into account. The "State of Software Security" report states that in 70 percent of all cases, vulnerabilities persist for one month after release, and in more than half of all cases for more than three months. At the same time, the cost of fixing a bug after release increases tenfold compared to pre-release testing. So the calculation should be quite simple, shouldn't it?

Security in the development departments

This is exactly where DevSecOps comes into play. Security is integrated into the development process from the very beginning and is not a detached topic. DevSecOps prevents the issue of security from being forgotten. Another benefit is that it saves the development team from retroactive troubleshooting: the annoying extra iterations caused by a security issue are eliminated. Scanning for security vulnerabilities is done in parallel during the development phase. Each team has a person responsible for IT security who works closely with the developers. So far, not many companies in Germany have fully internalized DevSecOps. But according to the "State of Software Security" report, the companies that have are very successful with the approach. Instead of the average six vulnerability scans per year, companies that work with DevSecOps perform an average of 300 scans. As a result, weaknesses are remediated more than ten times faster. Even with just 50 scans a year, the number of vulnerabilities can be cut in half.

Implement DevSecOps

The advantages are therefore obvious and are also known to most companies, at least in theory. Implementing DevSecOps methods requires a high degree of willingness to cooperate between experts from different areas who are not used to such cooperation. The technological component is comparatively simple. Whether the implementation of DevSecOps will be a success depends mostly on the attitude of the various parties involved. It has been shown that appropriate training can lower these hurdles and increase the chances of success. The corporate culture plays a decisive role, as does the attitude of the management level, which must be fully behind the agile concept.

Security must be part of the standard equipment

Julian Totzek-Hallhuber draws his conclusion: Application security must not be a nice-to-have, but must become a basic requirement if companies want to be successful in the market. He is convinced that the benefits are so overwhelming that no one can realistically decide against DevSecOps. Fortunately, vendors recognized this long ago, and there are now really good solutions that make working in a DevSecOps team easier. Examples are RASP (Runtime Application Self-Protection) and SCA (Software Composition Analysis). This means that the implementation effort is minimal, at least on the technical side.
Author: IAPM internal

Key words: Project management, Agile project management, Methods, Security, DevSecOps
