SecOps and DevOps. They’re two sides of the same coin. But more often than not a divide exists between them that seems to always be growing . To an extent that makes sense in that SecOps is the gatekeeper, always thinking four steps ahead, the worrier, always considering what’s lurking in their environment that could be exploited. Whereas DevOps is the doer, more concerned with momentum, with delivery, with how the newest feature will improve the lives of users and move the company forward.
As we review what transpired in 2022 and set priorities for 2023, I would like to consider how with better alignment between SecOps and DevOps both sets of objectives can be realized.
How do we make this New Year a new beginning? Simple.
We look for common ground and agree on pragmatic steps to achieving what both desire. In the end, everyone is after the same thing, even if our methods differ. Our priority should be commonalities—commonalities to build on, so we can do better, be better, and avoid being a victim of a successful cyberattack.
COMMON PROBLEM #1: We are both dealing with code overload. What can we do?
So many apps, so many lines of code. DevOps and SecOps both struggle with the sheer volume of reports on whether something works and is defect-free. And with the mainstreaming of agile, the development cycle has only sped up as company leaders require more in a shorter amount of time.
What used to take years, is now expected in months. The likelihood of error has also increased, along with the probability of conflict between the developers who want to hit that benchmark and the security team who wants to make sure nothing can open the door to an attack.
What if instead of pushing the latest update through or putting the kibosh on an aggressive release timeline, we deferred to a neutral source? It could be a Center of Excellence, or it could be AI-driven software that gets beyond false positives to enable SecOps and DevOps to focus on a shortlist of blockers inhibiting both sides of the house.
COMMON PROBLEM #2: We are both dealing with increased attacks. What can we do?
The velocity of attacks and attack surface continue to grow unabated. 2022 wasn’t just the year cyber insurance rates skyrocketed, it was the year an entire country was taken offline. Will 2023 be any better? Let’s hope so. But, even better, let’s see what we can do to lessen the likelihood of these incursions.
As with our “code overload” problem, the challenge here is one of scale. SecOps and DevOps cannot hope to address the emergent cyber challenges without cooperation from each other and some form of automation.
There is nothing new about relying on such outside assistance. But what teams can align themselves with is the new generation of tools with the highest possible fidelity. Tools that can filter down threats to both what’s real and is reachable, so DevOps and SecOps both waste less time chasing shadows.
COMMON PROBLEM #3: We are both suspicious of AI, but for different reasons. What can we do?
DevOps fears being replaced. SecOps fears anything it cannot verify. The common problem here is our perceptions of AI.
The solution is not to concern ourselves with recursion nor doom-scroll our way through our lives. AI will only continue to be relied upon to solve some of our most persistent challenges. And rather than amplifying its deficits, we need to enhance and reinforce its attributes. DevOps and SecOps need to take an assistive approach that combines forward momentum with the ability to resolve threats in real-time.
As our own Bruce Snell explains in a recent blog post about ChatGPT, any AI is only as good as its dataset and without strict constraints, can be subject to dataset poisoning which negates the value of using AI in the first place. The solution is to ensure that assistive tools are only trained with accurate, high-quality data, which augment team capabilities for both SecOps and DevOps.
COMMON PROBLEM #4: We don’t get each other. What can we do?
The most high-level, persistent, ingrained problems can be resolved in the most low-tech fashion. Between hybrid work and the fragmentation of teams, it is easy for SecOps and DevOps to suffer from misunderstandings that lead to poor alignment. The higher desire to do good and serve a higher purpose can be outpaced by the immediate, and other business priorities.
The problems and solutions I have suggested so far have been high-minded. But there is one more and one that is so simple it often goes unnoticed: Go to lunch. Yes, that’s right. The heads of DevOps and SecOps should book time with one another to share a meal. There might not be an immediate return, but the next time there is a disconnect, I assure you there will be a quicker and more positive outcome.
As we set our sights on 2023 and brace ourselves for yet another year of cyberattacks making headlines, let’s set the proper tone by ensuring our DevOps and SecOps teams are properly aligned and in lockstep. Doing so will position your organization to deliver security defect-free code as needed to meet your plans.
_Gary Davis is CRO of_** ShiftLeft,** a disruptor and innovator in the world of DevSecOps and NextGen SAST and SCA.