At first glance, DevSecOps and Agile can seem like different things. In reality, the methodologies often complement each other. Let’s see how.
Agile is a methodology that aims to give teams flexibility during software development. DevSecOps is about adding automated security to an existing automated software development process. Both are methodologies that require high levels of communication between different stakeholders and continuous improvement as part of the process.
But how, exactly, does DevSecOps work in an Agile environment? and why does DevSecOps in Agile matter?
To understand how DevSecOps can work in an Agile environment, we must first understand what Agile is.
Agile is often synonymous with the idea of speed — that is, ship fast and ship often. However, as software developers move faster, the old security tools they were using can’t keep up. Security becomes a speed bump and is frequently bypassed in order to ship code quickly. Over time, the software becomes prone to leaks, breaches, and hacks.
DevOps was developed as a methodology that enables application developers and software release teams to work together more efficiently, with more cooperation, in order to deliver applications with higher velocity. DevSecOps is an evolution of DevOps, driven by the need to add automated security to the automated DevOps processes.
In spite of their differences, Agile and DevSecOps can be seen as complementary to one another because they are both trying to achieve the same thing: speed.
DevSecOps is primarily intended to avoid slowing down the delivery pipeline. However, badly structured and constructed software also has the ability to slow delivery down. As we move into a fully digitized world, ignoring security in the DevOps process can significantly reduce a team’s ability to remain Agile.
“Fake Agile” occurs when Agile processes are followed but not properly implemented. This means that teams are engaged in sprints, standups, scrums, and burndown charts, but the software produced is done in a haphazard way. Fake Agile is endemic across organizations that try to expedite deployments without understanding the need for properly implementing software in order to avoid breaking the existing application.
A crucial value of the Agile Manifesto is prioritizing “working software over comprehensive documentation”. However, this means more than the software simply performing its required functions. Properly working software involves everything that the software needs to work effectively and securely. This means thinking beyond just the core code for the features and functionality. It also requires the inclusion of other layers such as infrastructure and the security that surrounds it.
For teams and software to be truly Agile, they need to incorporate DevSecOps into their workflows.
Automation is a valuable feature for DevSecOps. This is because it enables continuous integration, deployment, and scaling in a way that allows ongoing maintenance and security assessments. By design and philosophy, DevOps already emphasizes speed through automated deployments. DevSecOps takes it one step further and automates security protocols, checks, and testing to ensure that the software is ‘world-ready’ and not just in a prototype.
When DevSecOps development cycles become part of an Agile sprint, they ensure that the software delivered remains robust and is updated against potential vulnerabilities.
Agile is also more than the ability to ship and deliver features and software. It includes the ability to respond to change from any source. This extends beyond market forces and competition to include vectors such as malicious actors and cyber attacks.
According to IBM’s Cost of a Data Breach Report 2021, the average cost incurred by a single data breach rose by almost 10% from USD 3.86 million to USD 4.24 million. DevSecOps is a preventative measure against cybercrimes and malicious data hijacking through various methods such as zero trust. IBM’s report says that organizations which adopted a zero trust approach reduced the costs of a breach by USD 1.76 million compared to organizations that hadn’t implemented this approach. Furthermore, those with mature DevSecOps processes were also able to contain a breach on average 77 days faster than those without.
With DevSecOps, security is built into the application during its development, making it easier to identify and resolve vulnerabilities sooner. This ensures that when software and its features are delivered, they maintain a baseline level of functional quality.
Agile is designed to help an organization maximize its profits by enabling developers to create software that enhances the ability to provide better products and services. However, the indirect costs of a breached application can result in lost revenue, diminished customer trust, reduced growth, and shrinkage in market share. Additionally, a breach requires the diversion of resources to resolve the breach and ensure that the software is structurally compliant with security needs.
Speed and security can work together, especially in a DevSecOps and Agile environment. Agile doesn’t mean your team needs to sacrifice security and DevSecOps doesn’t mean you have to sacrifice speed.
DevSecOps matters because when implemented properly with Agile, both speed and security can be achieved at scale. Agile is only achieved when the software delivered is able to adapt to changes with minimal friction. The integration of the developer, quality assurance tester, security expert, and ops into a single cohort of developers as a DevSecOps team allows for a cohesive piece of software to be built. This can lead to fewer bugs, better modularity, and automation. In turn, this reduces the software structural and architectural resistance that naturally comes with any change.