New Research Suggests Unseen Benefits of DevSecOps

Written by Tim Chase, Global Field CISO, Lacework.

DevSecOps continues its ascent in cybersecurity. The “better together” story of integrating security as early as possible in the development process continues to prove true — and people continue to buy in. Even those that haven’t yet adopted these practices at least have plans to do so. And the minority of those digging in their heels shrinks by the day.

A few weeks ago, Lacework and Enterprise Strategy Group (ESG) published a new report — Cloud Detection and Response: Market Growth as an Enterprise Requirement. For the report, ESG surveyed nearly 400 IT and cybersecurity professionals, including a large share of application developers, on their relationship with cloud detection and response (CDR).

The study itself produced many fascinating insights around multiple aspects of modern cloud security: CDR trends (obviously), attitudes towards agent-based and agentless approaches, top SecOps challenges, and budgetary trends. However, probably most surprising to me was a section on the relationship between DevSecOps and CDR.

If you’re like me, you may think the DevSecOps focus and benefits are limited to build time. But can the benefits extend into threat investigation? This is exactly what the ESG research seems to suggest.

So how do SecOps teams benefit from DevSecOps practices? The research zeroes in on 7 benefits, but let’s hit the top 3.

Threat modeling maps an attacker’s playbook

The most cited reason CDR is enhanced by efficient DevSecOps is through the process of threat modeling (chosen by 44% of survey respondents). Specifically, respondents indicated that threat modeling helps SecOps teams imagine how adversaries attack so they can, then, plan adequate countermeasures.

Threat modeling is a practice whereby teams from across the organization (e.g., development, operations, security, IT) collaborate early in the software development life cycle (SDLC) to identify and address potential threats and vulnerabilities in a system or application. By breaking down a system into its components and data flows, potential threats are recognized, vulnerabilities assessed, and risks evaluated.

Traditional threat modeling involved time consuming meetings that would slow down or halt application development. This runs against the basic tenets of DevSecOps, which seeks to balance development speed and security. However, modern “shift left” tooling can help automate the process. Then these insights can “shift right” into SecOps territory, allowing security teams to proactively anticipate potential attacks.

Teamwork makes the dream work (faster)

Survey respondents indicated that another top reason why DevSecOps serves cloud detection and response is by accelerating remediation activities in case of a cloud-focused attack (chosen by 42% of survey respondents). In some ways, this is a bit of a no-brainer. Obviously, if security teams are collaborating with development teams on a regular basis, they’ll be primed to respond quickly in case of an exploit.

But modern cloud security tools could also play a role here. The vision of the cloud-native application protection platform (CNAPP) is one of tool consolidation, where a single platform would cover an entire cloud estate, from development through to production. If this vision is fulfilled, a single platform could both operationalize DevSecOps and be used for CDR. And, in the case of such a tool, threats detected could seamlessly be exported to developer workflows for remediation.

Knowledge is cybersecurity power

Another most cited reason why CDR benefits from DevSecOps practices? Education. Survey respondents indicated that the required advanced security training for developers and cloud operations groups helps keep threats in check (chosen by 42% of survey respondents).

I’ve spent some time overseas, and I can attest that communication is easiest when you’re speaking the same language. And this is especially true in crisis situations, right?

I think this is what the ESG research is getting at here. In the moments where attackers have evaded our defenses — where every second counts — we have to make sure that all parties involved in fixing the issue have a common understanding. And if other non-security IT teams have an active hand in cybersecurity practices before a cyber incident even happens, they’re likely trained and ready to act when a crisis situation comes knocking.

”Better together” keeps getting better and better

I found the findings of the report encouraging. I’m glad that DevSecOps continues to produce benefits for organizations, even beyond the obvious. Gone are the days of development and security going together like peanut butter and mustard. In fact, in response to a survey question about the top security challenges in the face of faster development cycles, the least cited option was “developers don’t want to work with security” (24%).

The oft contentious relationship between security and developer teams is by no means perfect. Friction still exists, as security teams push for safety at all costs and developer teams push for speed at all costs. The two teams may not yet fit like peanut butter and jelly.

But, hey. At least we’re getting closer.

Click here for full access to the ESG study, Cloud Detection and Response: Market Growth as an Enterprise Requirement.

About the Author

Tim Chase leads the Global Field CISO team at Lacework and co-hosts the Code to Cloud podcast. Tim is a 20 year information security veteran with deep experience advising business leaders on cybersecurity decision-making. Recently, Tim has been focused on DevSecOps, having spoken on the topic at many industry events.