Death of DevSecOps, Part 2

DevSecOps is Broken
AUTHOR
Travis McPeak
PUBLISH DATE
June 4, 2024

In part 1 of this series, I covered the history of security in the early days of the cloud revolution. Circa 2014, DevOps practices started to be adopted by security teams, resulting in the era of DevSecOps. We’ll cover this concept, the dreams of so many, and the reality that ensued.

Security is a laggard

One pattern that I have observed about security teams is they are slow to change. Security was not a forethought in the pre-Internet days, because it was never really a problem. These teams were only created after internet adoption started becoming more widespread, and they integrated into the waterfall processes of the early days - because that is how development teams worked with infrastructure teams.

After cloud infrastructure became available, DevOps as a practice started to spread like wildfire as we covered in part 1. Why did it take security teams 10 years to fully adopt agile practices and integrate security into DevOps?

  • Traditional security focused on building a strong perimeter for a static environment. While the rapid iteration and change of DevOps was a boon to development teams, it was naturally uncomfortable for security teams.
  • New tools and processes meant new attack vectors: something security teams are naturally wary of
  • Security teams were not incentivized to move quickly, given they were a standalone, siloed organization
  • They started first by trying to apply legacy processes such as waterfall-style review and approval, to an agile methodology - and this failed

From DevOps to DevSecOps: the dream

By ~2015, it had become apparent that security had lost their gate. As DevOps became the de facto standard, established security teams started losing political capital as they impacted development lifecycles by resisting change. As challenger companies saw success by shipping quickly and cheaply, it became obvious that established security waterfall style could not continue. VC money poured into challenger tech companies that applied the same concepts to security that they were applying to development: shifting decision-making and implementation onto the engineer.

DevSecOps appears to have been coined around 2014, usually attributed to Shannon Lietz of Intuit. The promise of DevSecOps was to further speed development lifecycles without sacrificing security, by embedding security choices into DevOps (hence DevSecOps). Security and software leaders thought they could:

  • Save money on security teams by turning them into guideline providers
  • Get security for free from developer teams, who would make practical choices to enforce guidelines
  • Proactively support developers with automation

However, the dream of DevSecOps ignores some realities that make it a failed practice.

DevSecOps: The reality of today

As DevSecOps was adopted throughout the late ‘10s and early ‘20s, it became clear that the benefits did not materialize as promised. Don’t get me wrong, there have been some improvements:

  • Some integration into change management: CI process that can enforce security reviews before deployment happens
  • Multi-environment support: Build pipelines can progress the same build through environments

This marginal progress isn’t enough. There are too many vulnerabilities, too many issues, and not enough time for the manual world of security that we’ve built for ourselves. It turns out that pushing security into DevOps processes sucks for all of those involved. Security teams are overwhelmed, spending all their time measuring faults and making lists of vulnerabilities. Devs are spending unnecessary cycles on security config, when they want to do actual development.

We’ve been left with the worst of both worlds with DevSecOps of today. Why is that?

Devs aren’t security or infra experts

One of the primary assumptions of DevSecOps was that developers would be able to make security and infrastructure-related decisions that were correct. Turns out that in practice, this is not the case. Why? Developers aren’t security or infrastructure experts, and they don’t have the time to become experts. Instead of addressing the fundamental problem, we try to up-skill our developers on security and force training hell onto everybody involved.

Consider a scenario where a developer wants to deploy using an Azure VM and write from that VM to blob storage, and a security team stipulates that it should only be deployed within a company’s VPC. Only an experienced Azure infrastructure expert would be able to configure this in a time-efficient way: this requires 5+ different resources, and if you’re using something like Terraform it requires even more expertise!

Automation has failed us

Another key expectation by early DevSecOps experts was that automation would make up for developer time. Platform teams started to emerge in the late ‘10s and early ‘20s, providing tools for developers to move faster. To date, security automation is primarily a reactive function: we still expect configuration decisions to be made by developers, and we serve them a list of issues to fix after the fact.

Worst of both worlds

DevSecOps has evolved into the worst of both worlds. With developers that aren’t experts in security or infrastructure, and a lack of automation, we now have:

  • Rampant misconfiguration
  • Frequent incidents and outages
  • Constant triage of issues
  • Reactive posture management, resulting in huge backlogs of security issues
  • Overwhelmed developers who don’t want to engage with security
  • A lack of clear ownership means when there’s a problem, it is unclear who needs to act

This means the Sec in DevSecOps hasn’t kept up its end of the bargain. We’ve only marginally improved (and that’s debatable), and we’re only incrementally more secure.

The answer? Secure-by-default

In part 3, we will cover the future: secure-by-default. New tools and technologies mean that we can take the burden of security and infrastructure configuration off developers’ plates, allowing software teams to ship quickly and companies to preserve security and reliability.

Ready to get started?

Set up a time to talk to our team to get started with Resourcely.

Get in touch

More posts

View all
September 23, 2024

Insights from the a16z Security Theme Week 2024

Takeaways from meeting dozens of security leaders at Fortune 250 companies
July 29, 2024

Announcing Resourcely Guardrails

How cloud infrastructure policies keep configuration on the rails
October 24, 2024

Use cases for Resourcely's configuration platform

Domain-specific applications of Resourcely with tutorials, walkthroughs, videos and more

Talk to a Human

See Resourcely in action and learn how it can help you secure and manage your cloud infrastructure today!