The world keeps getting faster. People use their phones to do work on the bus. They check their Instagram and Twitter accounts in the movie theater. Attention spans have plummeted and people expect to get what they want when they want it. This may not be the way things should be, but it is the way they are. This high-paced culture is also affecting the business world, where companies are expected to deliver fast in order to keep customers satisfied and stay competitive.
Software development has been evolving for decades
Software development models have been progressing for many decades, with methodologies ranging from Waterfall, Spiral, the V Model, to Agile today. At every step of the evolution, there is a natural tendency to apply the latest framework and feel like you've reached the pinnacle of performance. But there are always people pushing beyond to discover or invent what's next. DevSecOps is the current state-of-the-art for integrating security into the software development lifecycle, but the way we do it today isn’t the end-state. It is still too linear and rigid. That must change.
DevSecOps evolution - continuous but still sequential
When we moved to Agile, we saw tremendous value in shifting from sequential to continuous processes. We were able to adjust on the fly and adapt to new information as we learned it. DevOps and DevSecOps are characterized in much the same way. You often see them represented by an infinity loop. There are many flavors and differences in steps, but once security is added in, the process generally looks something like this:
DevSecOps - The Existing Sequential Approach. Gartner. How to adapt application security practices for DevOps. Frank Catucci. Technical Spotlight sessions 2020.
Here’s the rub: Development and Security teams see a continuous loop and believe that we have reached the end game. But this approach is still a series of independent steps in a sequential process, albeit one that is forever repeated.
Evolve to a continuous & simultaneous approach
Nothing is linear anymore. The code is the design and each step can influence another. By processing data simultaneously, we can learn more and make better, more informed decisions. Security requirements and threat modeling can give information on when and where to perform SCA and SAST scans. Likewise, scan results can let us know where we missed a key element in our design or threat model. By integrating and coordinating these stages, the DevOps process can be updated to look like this:
DevSecOps - Continuous & Simultaneous.
By moving to this continuous and simultaneous model, we are able to improve the speed of the entire DevOps process while reducing wasted steps, time, and cost. Imagine doing a threat modeling session while knowing exactly where the risky material changes are in your code!
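As an added illustration (not code from the original post) of the coordination described above, the following hypothetical script joins a threat model to a list of changed files: the model decides where SAST and SCA scans run and which high-risk changes deserve a threat-model review, while changed files that no modeled component owns are surfaced as a gap in the model. The component names, paths, and changed files are constructed.

```python
from fnmatch import fnmatch

# Constructed threat model for a hypothetical project: each component owns
# some code paths and carries the risk rating assigned in the modeling session.
THREAT_MODEL = {
    "auth-service": {"paths": ["services/auth/*"], "risk": "high"},
    "reporting":    {"paths": ["services/reporting/*"], "risk": "low"},
}

# Dependency manifests whose change should trigger an SCA (dependency) scan.
MANIFESTS = ("requirements.txt", "package.json", "go.mod", "pom.xml")


def component_for(path, model=THREAT_MODEL):
    """Return the threat-model component that owns `path`, or None if unmodeled.

    Note: fnmatch's `*` also matches `/`, so `services/auth/*` covers subdirectories.
    """
    for name, comp in model.items():
        if any(fnmatch(path, glob) for glob in comp["paths"]):
            return name
    return None


def plan_scans(changed_files, model=THREAT_MODEL):
    """Derive a scan plan from the change set and the threat model.

    sast      - components touched by the change (code scan)
    sca       - components whose dependency manifest changed
    review    - high-risk components changed, i.e. where to focus threat modeling
    unmodeled - changed files no component claims: a gap in the threat model
    """
    plan = {"sast": set(), "sca": set(), "review": set(), "unmodeled": []}
    for path in changed_files:
        name = component_for(path, model)
        if name is None:
            plan["unmodeled"].append(path)
            continue
        plan["sast"].add(name)
        if path.rsplit("/", 1)[-1] in MANIFESTS:
            plan["sca"].add(name)
        if model[name]["risk"] == "high":
            plan["review"].add(name)
    return plan


# Constructed change set: one file lives outside every modeled component.
CHANGED = [
    "services/auth/login.py",
    "services/auth/requirements.txt",
    "services/reporting/export.py",
    "tools/backup/cron.sh",
]

if __name__ == "__main__":
    for key, val in plan_scans(CHANGED).items():
        print(f"{key}: {sorted(val)}")
```

The `unmodeled` list is the feedback path the post describes: scan-time evidence that the design or threat model missed a component.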