AppDev Done Right Summit | Research Spotlight - DevSecOps: Security by Design

Clips
News
More from AppDev Done Right Summit

Jon Oltsik

Principal Analyst in Residence

theCUBE Research

From GitOps to observability: AppDev Done Right Summit spotlights tools driving modern software delivery

Application development is undergoing a seismic shift as enterprises prioritize speed, scale and intelligent orchestration across the entire software lifecycle.No longer just about writing and shipping code, today’s application strategies are increasingly driven by AI-powered tooling, platform engineering and cloud-native design. As organizations push to modernize, they’re grappling with growing complexity, limited skill resources and relentless delivery expectations

play_circle_outline Introduction to DevSecOps: embedding security throughout the software development lifecycle (SDLC).

play_circle_outline Enhancing Development Efficiency: The Crucial Role of Early Security Integration in Software Innovation

play_circle_outline Enhancing Software Delivery and Security: The Impact of Shifting Left and DevSecOps Adoption in Enterprise Environments

play_circle_outline 70% of security issues arise in the code stage, highlighting the need for early scanning.

Info
Transcript

Research Spotlight - DevSecOps: Security by Design

Jon Oltsik

Principal Analyst in Residence theCUBE Research

TheCUBE’s Paul Nashawaty and Jon Oltsik discuss DevSecOps at the AppDev Done Right Summit, unpacking how security can be embedded across the entire software development lifecycle. Their conversation emphasizes integrating protections from code to cloud without slowing down innovation.

Together, they explore how shift-left strategies, automation and early collaboration between dev and security teams reduce risk and remediation time. Key insights include the role of static application security testing and the challenges of securing open source componen... Read more

explore Keep Exploring

What is DevSecOps and why is it important in the software development lifecycle? add

What is the role of security in application development and how can it be integrated into the development process to avoid slowing down overall progress? add

What is the significance of integrating security into the software development lifecycle (SDLC) and how does it impact remediation times in DevSecOps practices? add

What are some statistics related to security issues in software development and the importance of running security scans? add

bolt Powered by CUBE AI

Research Spotlight - DevSecOps: Security by Design

search

>> Welcome to this AppDev Done Right Summit session on DevSecOps, a framework for embedding security from code to cloud. As applications grow in complexity and speed of delivery increases, integrating security into every stage of the software development lifecycle or the SDLC is no longer optional, it's essential. In this session, we'll explore how DevSecOps practices and automation enable teams to basically shift left, embed controls throughout the pipeline and deliver secure software solutions without slowing down innovation. My name is Paul Nashawaty. I'm the practice lead and principal analyst for the AppDev practice at theCUBE Research, and I'm joined by Jon today. Jon, how are you doing?

>> I'm well, Paul. How are you?

>> Great. Great. Thanks for coming on. You want to introduce yourself to the audience?

>> Sure. I'm John Oltsik. I am an Analyst in Residence at theCUBE. I'm a security researcher, podcaster, and have been in the security industry since the early 2000s.

>> John, you completely undersold yourself. You are a legend in the security industry. That's what I know. So I am really excited that you're on the show today with me today. This is awesome. There's a lot to talk about. When you talk about DevSecOps, you talk about development. We have done an app dev summit that covers day zero, day one, day two. And now we're talking about DevSecOps and the automation, how it empowers teams to integrate security seamlessly through the entire SDLC. And this is reducing risk without sacrificing speed. Somebody told me early in my career that in order to go faster, you have to slow down. And I think that's where the code to build software stage and securities tools for scanning vulnerabilities as well as understanding those misconfiguration files or misconfigurations early. And it enables developers to fix issues before they actually happen. So Jon, when we're talking about deploying in the cloud and security policies that really help enforce through infrastructure as code and automating the pipelines to ensure consistency and secure environments, a lot of times we talk about compliance and runtime security, right? We talk about this in the context of how organizations can continuously monitor applications and look at infrastructure to detect anomalies as well as enforce policies, but also maintain regulatory compliance across dynamic and cloud-native environments. So I want to start with a couple of stats that I pulled from our latest research. We have some new research that came out. When we talk about DevSecOps and the adoption and value. Jon, when I think about how the adoption and DevSecOps practices impact organizations, can you talk a little bit about the ability to deliver software or code faster? And also what measurable values do you see as a result of some of this?

>> Sure. Well, security can't be the department of no, and so the thought that security can slow down the process, especially when it comes to application development for competitive advantage, that just doesn't work. So the more that we can get integrated in, the more that we can get integrated into the projects at the beginning, that we can do threat modeling, that we can get into the test phase and the dev phase the better. So I don't know that that's slowed down to speed up, Paul, but that's a good analogy. But the key is to just adhere security to what the developers are doing and how they do it in an automated fashion, in an integrated fashion, so that we are not in the way, but we are getting in early and securing every step of the dev cycle. So I'm not sure I answered your question, but go ahead.

>> Oh, you absolutely did. And I think when I think about this, I kind of tie what your response is back to our research. We see that 77% of enterprises have adopted or are actively adopting DevSecOps practices into their secure software pipelines. We also see that embedding security early in the SDLC, it reduces remediation time for upwards of 60% compared to fixing bugs in a post-deployment, right? And I think that those two things tie to what you were talking about, which is we have to look at this in the context of how organizations are doing their deployment, but it's not just these silos. I mean, we see that organizations are trying to shift left. Earlier on the sessions or the series that we had, Rob Stretchett was on and he was talking about... He didn't necessarily use the word shift left, but he was talking about using it in the context of what the developers can be working on. But what we see in our research that two times improvement for deploying frequency and three times fewer security-related rollbacks. And this is something that we're seeing not just in our own research, but we're seeing this across Git Labs and we're seeing this across DevSecOps surveys that are in the market today. So there's a lot happening here, and I'd love to get your perspective of why organizations, Jon, would be looking at adopting and the value of moving and shifting left. Why is this an important factor for organizations?

>> Well, I don't think they have a choice. I think that the more cloud-native development you do, the more you again have to adhere to what the developers want to do in the way that they want to do it. Now, from a security perspective, we've been screaming for years, get us involved earlier. A bug fixed in the dev cycle costs six times less than something fixed in the production cycle. So it's good for us too. And what we're doing, and we haven't talked about yet, is we're getting our software developers to be to security needs. So the more those two groups are working in parallel or cooperatively instead of in conflict, the better for security, the better for the organization. We'll get better applications, more secure applications, and we'll mitigate risk.

>> Yeah, Jon, I think that's right. When we look at the code to build stage of security, we see the tools and practices that organizations are using, they're using these tools to embed security into the code and build stages of the development cycle. That's why it's important to have this conversation in the context of an app dev or app modernization approach. It's not just about security and it's not about that app sec, but it's also about building reliable code so you can help catch vulnerabilities early in the development process. That's a big factor here. I also, and I want to share some stats with you here. We see that 70% of security issues originate in the code stage, yet only 29% of developers run security scans locally. That's kind of aligned with what you were talking about that, making sure that this happens at the developer level is... Being aware of it is important. We also see the adoption of static application security testing. These tools in the CISD pipeline leads to 49% of faster vulnerability detection. That's a big factor. If you're not running these things, you're open to those vulnerabilities. And then of course, I'd be remiss to not talk about open source. Open source is definitely a big part of the development cycle, but it's also a big part of... People have this misunderstanding that using open source opens up all these security issues, and that's far less from the truth. I think that open source dependencies, what we're seeing in the research is it makes up over 75% of code bases, but it also means that it increases the importance of S-fonds and supply chain scanning. And this also has to do with executive orders that are in place and the EU coming out CRA in 2027. That's an important factor as well. So governance compliance and regulations is a big factor. Love to get your thoughts on all that. There's a lot there that I just threw at you.

>> Well, I agree. I mean, again, so if software is going to eat the world, as Mark Andreessen said back I think this was in 2010, then it's got to be secure. And if our organizations are running on this software and we're developing it that much faster, then we as security teams need to figure out how to secure it. So you're absolutely right, but you did bring up some good points at the end there. Number one is we have to be able to trust the code we use, and if those are open source libraries, then they need to be scanned. We need to do the software bill of materials so that we know all of the components. And by the way, that makes it easier for vulnerability management if we know all the components in the software. And then compliance, absolutely. That's a given, but I think it's going to get tighter, and especially with the adoption of more AI application. So if you look at the EU, I think it's called the Artificial Intelligence Risk Management Act or something very close to that, that's what they're looking at. They're looking at exposures to the code exposures to the data that could impact consumers. And so that adds another dimension. Not only do we have to have secure cloud development, but we have to have secure AI development. And that may involve some new skill sets, some new tools, but it's a requirement.

>> Oh, absolutely. And I think what I really liked about what you were talking about here is we had on the AppDev Angle podcast, we had the Eclipse Foundation and we talked extensively about these new rules and governance that are coming in place. Let's come back to that in just a minute. I really want to kind of double click down on an area that we were thinking about we were kind of touching on is in deployment and cloud security, right? This is an area that organizations are looking to ensure security policies that consistently need to be applied during the development. But across the cloud environments, especially fast-moving CICD pipelines, we see that 80% of organizations experienced at least one cloud security incident in the past year, mainly due to misconfigurations. And that's a lot of an issue. I've talked to a lot of companies that are looking at dealing with the mitigation of misconfigurations ahead of time and not waiting until after the fact, deal with it ahead of time. So that's a big factor. Cloud native security tools such as policy as code, you would talk about policy is coded and enforced. That enforcement reduces misconfigurations by up to 70%. That's an area that we should consider as well. And then 61% of organizations require real-time security policy checks as part of their infrastructure as code deployment pipeline. Now, if all this is to say, I think, Jon, when I think about organizations large and small, and regardless where they are in their journey, there's these organizations that are watching what we're talking about today here. They want to understand a little bit about, hey, I'm either really early in my maturity here, I don't know what to do, or I'm fully mature and I do know what to do. What would you advise some of these organizations on how they can look at deployment and cloud security is a big factor for them.

>> I'd say, Paul, that the thing to do is to, number one, look at your framework and governance and compare it to other industry standards. In fact, what other companies in your industry are doing and make sure that you're up to par. Make sure that you have the visibility that you need throughout the development life cycle. So application down to infrastructure, but also understanding who's making changes, who has executive or administrator privileges, what accounts they're using, what passwords they're using. So it starts with the policy and the framework, and then it's applying those policies and frameworks and then it's monitoring those policies and frameworks. Now, there are often a lot of tools to do that, but the key is being able to again catch those policy violations, understand when we're out of sync with our policies or our regulatory compliance mandates and being able to do something about them quickly. In code, we have that opportunity. It gets more dicey with infrastructure and security because there are different teams that apply. But going back to your SDLC and DevSecOps, if there's tight integration between the development team and the security team, then you do have that opportunity to life cycle it. So you get the code out, you think it's secure, but then you do find a bug, but you're doing some kind of development... Well, you're doing rapid development and you can fix those things as quickly as possible.

>> Yeah, absolutely. And I think that that's a big factor. I think the last thing I want to talk about here is when we touched on it, and I want to bring it back, is the compliance and the runtime security. That's a big factor when we look at everything leading up to this because compliance and runtime is a big area where organizations are starting to kind of stroll out from their professional developers and let citizen developers do the work that traditionally a professional developer was doing. So you have to have governance and compliance in place. But when we think about these strategies and tools that are being used to maintain compliance, and really they need to enforce those security policies at runtime, particularly in dynamic and containerized environments, that's an area that I think is really that what I talk about, the app dev space, I talk about past, present, and future. And today containerized environments is what I would consider the present. We see that organizations are integrating compliance in the CI slash CD pipeline, and it really reduces the audit prep time by over 40%. And we also see that runtime threat detection and response tools are adopted by 52% of DevOps teams enabling that real time mitigation. But container security solutions with behavioral analytics reduces runtime and bridges by over 80%. These are narratives that I clearly like just a bunch of stats, and that's what we do as analysts, right? We talk about data and we talk about stats, but I would say that the spirit of each one of those bullets is incredibly important to consider regardless where you are in your journey. Would you agree?

>> Totally agree, Paul. And it really comes down to the old adage of an ounce of prevention is worth a pound of cure. So it is putting in those frameworks and policies in place, it is putting in the infrastructure to monitor and manage those policies in real time and have visibility across the whole development life cycle. If you've done that, then your ability to get some of the metrics that you suggested increase proportionately. If different groups are doing different things, there's different security tools, you don't have a common policy, then of course there's much more room for error. So it's really governance, governance up front. I'm training your people, making sure they're compensated to work together. So all the people factors too. Getting the policies right and then the technologies fill in the gaps.

>> John, there's a lot here to unpack. There's definitely a lot to understand, right? And I think that our 20-minute session here is only the tip of the iceberg. And I want to thank you for joining us on our AppDev Done Right Summit Session here for Dev Sec Ops. It's really focused on the embedding of the security into every stage of the software development life cycle from code to cloud. Jon, special thanks to you for sharing your expertise and real world insights and integrating the security and seamlessly without showing or slowing those innovations. I think those pieces are really important to the developers. As we've seen on this session and throughout the App Dev summit, dev sec ops is not just about tools, it's about culture, automation, and continued vigilance, and also it's about that company that drives it forward. So stay kind of focused on that. And with that said, stay secure, stay agile, and keep building applications done right. Thank you for attending the session.