Skip to main content
August 25, 2016

Why DevOps Is Not DevSecOps

The IT industry has long welcomed DevSecOps, yet it is still poorly adopted. Gartner tellingly defines its status as: “Trough of Disillusionment.” What is inhibiting adoption? For the answer, look at its definition, and you will sense something odd. It is defined as a set of processes, people, methods, models, policies, culture, recipes, blueprints and templates. 

This list misses the most essential element: a technology. Why do other markets and concepts point to respective technologies, yet this is not the case with DevSecOps? WAF has its firewalls, SIEM has repositories, tokenization has servers, and only DevSecOps has no specific technologies. An answer that any security technology can be applied is not convincing, otherwise DevSecOps would already be widely adopted.  

We would argue that DevSecOps is in need of technologies with specific features – technologies that application development, operation and security specialists don’t have to learn, see and run. Only these technologies will seamlessly integrate into DevOps, making it DevSecOps.

Such new technologies have recently emerged. First, runtime application self-protection (RASP). RASP doesn’t need to be learned; it invisibly integrates into an app server, and always runs by itself. 

A related technology is IAST, interactive application security testing. IAST runs in close proximity to developers and testers; it is almost transparent and requires minimal efforts to learn and run.

In addition, some long-existing technologies will transform to fit DevSecOps – beginning with SAST: static application security testing. SAST will become practically real-time and zero latency, enabling developers to continuously test code security in increments, even before committing it to the central repository. Some other technologies, like software composition analysis (SCA) will also follow this path.

These new and modified existing technologies will create the backbone for DevSecOps.

These technologies are coming to the market, and application development and security teams, CIO and CISO offices should plan their adoption. Only new and transformed existing technologies will enable DevSecOps: a secure DevOps.

In my next blog post, I will continue this discussion with the subject of re-tooling application security for DevOps and making it DevSecOps-enabled.

Joseph Feiman is Chief Innovation Officer at Veracode. In this role, Joseph is responsible for advanced technologies that drive innovative detection and protection strategies. Joseph is a recognized industry leader with nearly two decades’ experience in application development and security, analyzing the market for Gartner Research.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.