
Post written by

Dr. Rao Papolu

Dr. Rao Papolu is CEO of Cavirin Systems, a provider of continuous security assessment and remediation for hybrid clouds and data centers.


It’s cheaper and easier to build proper security in from the start.

The software development landscape is constantly evolving. Developers are under pressure to realize concepts faster than ever before without compromising on quality, all while keeping a keen eye on the overall cost. It can be a tricky balancing act.

As more and more of our software and data have moved online into the cloud, the risk of security breaches has grown enormously. Amid an epidemic that has seen the theft or loss of more than 9 billion data records in the last five years, there’s a growing realization that security must be at the forefront of our minds.

We can no longer afford to treat security as an afterthought. It must be stirred into the development mix earlier and automated into our increasingly fast-flowing software development pipelines. If we accept that good progress has been made in our workflows and processes over the last two decades, then it’s clear that DevSecOps is the natural next step.

The Bottom Of The Waterfall

We’ve been here before. The waterfall development process was supplanted by the agile movement because an agile approach allowed us to produce better-quality software faster. Breaking work down into big, separate steps, completed in silos with little communication between them, is an incredibly inefficient way to develop software.

Let’s just look at defect testing, for example. It used to be done at the end of software development, in an unrealistically short window before the product was due to be released. The result was a flood of expensive-to-fix, hard-to-find bugs that developers rarely managed to deal with before the product hit the market.

When the National Institute of Standards and Technology (NIST) looked into the problem, it found that the relative cost to repair a defect rose sharply the later in development it was discovered. Fixing a defect identified during the coding and unit test phase was five times more expensive than fixing a defect in the design phase. If the same error wasn’t discovered until the integration and component test stage, it cost 10 times as much to resolve. That cost rose to 15 times during the beta test program and a whopping 30 times post-release.