SDLC and DevSecOps: Moving to a continuous and simultaneous model

The world keeps getting faster. People use their phones to do work on the bus. They check their Instagram and Twitter accounts in the movie theater. Attention spans have plummeted and people expect to get what they want when they want it. This may not be the way things should be, but it is the way they are. This high-paced culture is also affecting the business world, where companies are expected to deliver fast in order to keep customers satisfied and stay competitive.

Software development has been evolving for decades 

Software development models have been progressing for many decades, with methodologies ranging from Waterfall, Spiral, the V Model, to Agile today. At every step of the evolution, there is a natural tendency to apply the latest framework and feel like you’ve reached the pinnacle of performance. But there are always people pushing beyond to discover or invent what’s next. DevSecOps is the current state-of-the-art for integrating security into the software development lifecycle, but the way we do it today isn’t the end-state. It is still too linear and rigid. That must change.

DevSecOps evolution – continuous but still sequential

When we moved to Agile, we saw tremendous value in shifting from sequential to continuous processes. We were able to adjust on-the-fly and adapt to new information as we learned it. DevOps and DevSecOps are characterized in much the same way. You often see them represented by an infinity loop. There are many flavors and differences in steps, but adding in Security, the process generally looks something like this:

DevSecOps – The Existing Sequential Approach. Gartner. How to adapt application security practices for DevOps. Frank Catucci. Technical Spotlight sessions 2020.

Here’s the rub: Development and Security teams see a continuous loop and believe that we have reached the end game. But this approach is still a series of independent steps in a sequential process, albeit one that is forever repeated.

Evolve to a continuous & simultaneous approach

Nothing is linear anymore. The code is the design and each step can influence another. By processing data simultaneously, we can learn more and make better, more informed decisions. Security requirements and threat modeling can give information on when and where to perform SCA and SAST scans. Likewise, scan results can let us know where we missed a key element in our design or threat model.

By moving to a continuous and simultaneous model, we are able to improve the speed of the entire DevOps process while reducing wasted steps, time, and cost. Imagine doing a threat modeling session while knowing exactly where the risky material changes are in your code

Focus on what matters, when it matters 

You are able to focus your time and resources on securing what matters. At the same time, identifying what is NOT as important is just as helpful. If a new code commit updates a microservice that doesn’t hold PII and is not deployed in a public cloud accessible via an internet-facing API, why should that code go through the same process as a risky material change? Spend your time and money elsewhere. Should you examine a brand new developer’s code more closely than for an experienced security champion? You bet.

It’s time to move past blindly following even state-of-the-art processes in every circumstance. One code commit is different from another code commit. Every developer is unique. Treat them that way.

If you’re interested in becoming an Apiiro customer to help push the boundaries of what’s possible, let’s talk!