How to make developers accept DevSecOps
According to a recent Dynatrace report, only 50% of CISOs believe that development teams have thoroughly tested the software for vulnerabilities before deploying it into the production environment.
This is a statistic that needs to change and the only way to change it is to make sure developers are on the same page as security practitioners.
The challenges
Making developers accept the importance of security in their software development process comes with numerous challenges. They can be split into four categories:
- Tool-related challenges
- Practice-related challenges
- Infrastructure-related challenges
- People-related challenges
Integrating security tools into existing DevOps tools can be complicated. “A significant barrier in implementing security into [DevSecOps] is the differences in tool-sets between security and other teams,” researchers Roshan N. Rajapaksea, Mansooreh Zahedia, M. Ali Babara and Haifeng Shenc noted. Also, each team member has their own preferences in tools based on specific advantages.
Some toolsets may also be inadequate, and without standards or documentation developers will have even more difficulties with the integration.
Practice-related challenges involve automation and deployment. DevOps processes are mostly automated, but security requires human action, i.e., manual security practices that are difficult to automate.
Developers are also all about pushing the product as soon as possible, yet, by implementing DevSecOps, the development process needs to slow down to allow possible vulnerabilities to be fixed.
When it comes to infrastructure, a complex cloud environment can slow down secure software development, while a multi-cloud environment can pose difficulties when securing data. Highly regulated environments (air-gapped environments, medical infrastructure, etc.) can also make DevSecOps adoption difficult.
Finally, there’s the people-related challenges: developers may have difficulties with the imminent changes that DevSecOps bring to the development process, and may lack security skills required to carry out certain security practices in DevSecOps.
CISOs and developers (69% and 64%, respectively) both see that the lack of communication and collaboration between developers and security teams is a significant problem.
Implementing DevSecOps will also not work without the right knowledge, which developers have yet to build.
The solutions
To make developers accept DevSecOps, they need to be heard, which means making sure they have a say when security decisions are made. This can contribute to a more productive and constant collaboration and communication between security and development engineers, while also defining roles and responsibilities.
Shifting left is a must, but developers need to know exactly what is expected of them when it comes to secure coding.
“A big part of improving the DevSecOps experience is not introducing more tooling, but getting clear on the process and expectations of how developers should use the tools they already have. Clear communication about policies ensures an organized and consistent approach to implementing security throughout the SDLC,” says Nick Liffen, director at GitHub Advanced Security.
Training is an important part of DevSecOps implementation, but developers need to be reassured that their job will not be disrupted when security gets integrated into coding.
To further motivate them, it’s good to let them see that knowing how to code securely can contribute to both the company’s success and their personal growth.
Learning that being a DevSecOps professional is a good career choice can additionally boost their motivation.
“Between 2021 and 2028, the DevSecOps market is expected to grow at a CAGR of 24.1%. DevSecOps professionals have several job opportunities as a result of this rapid rise. This demand is expected to grow as more companies adopt DevSecOps practices,” said Misbah Thevarmannil, content lead at Practical DevSecOps.