IDG Contributor Network: Devsecops: Game-changing the app economy

Broadening the concept of devops, devsecops is an emerging organizational and cultural framework encompassing the orchestration of development, IT operations and security teams. In practice, its enabling technologies—continuous integration (CI) and continuous deployment (CD)—have transformed software development to make it agile, more reliable and more collaborative and incremental. Acceleration and precision have enabled state-of-the-art software enterprises to operate in ways not unlike the industrial factories of the past. And, like past industrial revolutions and manufacturing-based economies, the app economy depends on superior quality, secure products and high degrees of customer satisfaction in order to survive and thrive. As a result, the responsibility for ensuring the stability and resiliency of applications—from the production stage right through to consumer use—is pulled forward in the cycle to include developers.

This “shifting left” means that security testing can be deeply incorporated into app coding earlier, which heavily increases the likelihood that secure code will be produced in the first place, without costly late-stage fixes further down the road. However, this paradigm shift has a bunch of implications for security professionals and developers alike. It’s time to rethink responsibilities, break down silos and revamp the engagement model between the actors in a devsecops cosmos.

An iterative process no longer makes sense

In the pre-devops era, security testing for apps was solely the domain of the security folks, making the process complex, costly and lengthy. Testing was typically performed at the last minute, right before the code was released for production—or worse, after the app was deployed to the world. Because of ambitious planning and tough deadlines, some releases even went live without any fixes at all—sometimes with disastrous consequences. On one hand, detecting and fixing security-related issues late in the development process was a major cost burden. On the other hand, when things went south post-release, the less-expensive rush to market proved to be a false economy.


But longstanding development paradigms are shifting, and security testing has transitioned from its usual late-in-the-game stage to become deeply embedded right from day one. Many organizations today use application security frameworks that require certain tests at various stages of development: for example, secret and static-analysis scans on every commit, dependency checks before merge, and dynamic testing before release, with each stage blocking the pipeline if its required scans have not run or have found issues above an agreed severity. This is an effective approach to application security that can substantially mitigate risk and, ultimately, result in much better outcomes. However, the number of applications is growing exponentially and development cycles are accelerating at a breakneck pace. Consequently, some organizations are having a hard time keeping up with the demand for thorough, consistent and timely testing. The security folks never seem to have enough resources and capabilities to scale this undertaking.
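To make the "required tests at each stage" idea concrete, here is an added example that is not from the article or from any particular vendor's tooling: a small Python gate that reads SARIF reports (the common scanner output format) from several scanners and applies a stricter policy the further right the code travels. The stage names, the scanner names (`secrets`, `sast`, `deps`, `dast`), the policy table and the sample reports are assumptions constructed for the illustration. The caveat it builds in is the one practitioners trip over most: the gate fails closed when a required scan produced no report, or when a finding carries a level the policy does not understand, because a pipeline that goes green when a scanner silently failed to run only gives the appearance of shift-left.

```python
"""Stage-gated security checks for a CI/CD pipeline.

Added illustration, not the article's code or any vendor's product. It reads a
minimal subset of SARIF from each scanner and decides, per pipeline stage,
whether the build may proceed. Tool names, stage names, the policy table and
the sample reports below are assumptions made for this example.
"""
import json
from dataclasses import dataclass

# SARIF result "level" -> ordinal severity. Anything not listed is treated as
# unknown and blocks the build (fail closed) rather than being skipped.
LEVEL_RANK = {"note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str      # scanner that produced it, e.g. "sast" (assumed name)
    rule_id: str
    level: str
    uri: str


@dataclass(frozen=True)
class StagePolicy:
    required_tools: frozenset            # scans that must have produced a report
    block_at: str                        # lowest SARIF level that fails the gate
    accepted: frozenset = frozenset()    # rule ids accepted with a recorded risk decision


# Hypothetical policy: the later the stage, the more scans and the lower the bar.
POLICY = {
    "commit":  StagePolicy(frozenset({"secrets", "sast"}), "error"),
    "merge":   StagePolicy(frozenset({"secrets", "sast", "deps"}), "warning"),
    "release": StagePolicy(frozenset({"secrets", "sast", "deps", "dast"}), "warning",
                           accepted=frozenset({"py/weak-hash"})),
}


def parse_sarif(tool: str, text: str) -> list:
    """Extract findings from a SARIF document, reading only the fields the gate needs."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            uri = (locs[0].get("physicalLocation", {})
                          .get("artifactLocation", {})
                          .get("uri", "<unknown>"))
            # SARIF defaults a missing level to "warning".
            findings.append(Finding(tool, res.get("ruleId", "<no-rule>"),
                                    res.get("level", "warning"), uri))
    return findings


def evaluate_gate(stage: str, reports: dict) -> tuple:
    """reports maps scanner name -> SARIF text. Returns (passed, reasons).

    Fails closed: a required scan with no report, or a finding whose level the
    policy does not recognise, blocks the build instead of being ignored.
    """
    policy = POLICY[stage]
    reasons = []
    for tool in sorted(policy.required_tools - set(reports)):
        reasons.append(f"required scan '{tool}' produced no report")
    threshold = LEVEL_RANK[policy.block_at]
    for tool, text in reports.items():
        for f in parse_sarif(tool, text):
            if f.rule_id in policy.accepted:
                continue
            rank = LEVEL_RANK.get(f.level)
            if rank is None or rank >= threshold:
                reasons.append(f"{f.tool}:{f.rule_id} level={f.level} at {f.uri}")
    return (not reasons, reasons)


# Constructed sample reports for the demonstration (not real scanner output).
SAST_REPORT = json.dumps({"runs": [{"results": [
    {"ruleId": "py/sql-injection", "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
    {"ruleId": "py/weak-hash", "level": "warning",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
]}]})
FIXED_SAST_REPORT = json.dumps({"runs": [{"results": [
    {"ruleId": "py/weak-hash", "level": "warning",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
]}]})
SECRETS_REPORT = json.dumps({"runs": [{"results": []}]})
DEPS_REPORT = json.dumps({"runs": [{"results": [
    {"ruleId": "dep/outdated-lib", "level": "note",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "requirements.txt"}}}]},
]}]})
DAST_REPORT = json.dumps({"runs": [{"results": []}]})


if __name__ == "__main__":
    for stage, reports in [
        ("commit", {"sast": SAST_REPORT, "secrets": SECRETS_REPORT}),
        ("merge", {"sast": FIXED_SAST_REPORT, "secrets": SECRETS_REPORT}),
        ("release", {"sast": FIXED_SAST_REPORT, "secrets": SECRETS_REPORT,
                     "deps": DEPS_REPORT, "dast": DAST_REPORT}),
    ]:
        passed, reasons = evaluate_gate(stage, reports)
        print(stage, "PASS" if passed else "BLOCK", reasons)
```

The same weak-hash warning is tolerated at commit time (only errors block there), blocks the merge gate, and is waved through at release only because the policy records it as an accepted rule; that recorded acceptance, rather than a silent skip, is what lets an auditor reconstruct why a known finding shipped.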
