Will DevSecOps replace Agile?

When DevOps became a stronger buzzword around 2019-20, comparisons with agile were rife, to the extent that obituaries for agile were written by enthusiasts who thought agile had been a fad to begin with, a fad that had persisted since it began in the year 2000. Framing it as DevSecOps vs agile is not meaningful, just as we cannot frame it as security vs software delivery.

In the process of developing software, agile as an iterative method and practice was celebrated because it involved discovering requirements and developing solutions through cross-functional teams that huddled to self-organize and collaborate. The agile development methods focused on iterative development cycles, and a whole industry sprang up around them with agile conferences, agile certifications, agile CoEs and so on. At that time, security was not thought of as an area that needed that much focus.

DevOps came about as a concept in 2008 to stand ahead of agile in the software development process. It was about constant and continuous testing, improvement and faster delivery.

DevSecOps is an important concept in IT and software development today, without the frills that accompanied DevOps during its ascent to being a celebrated concept. We explained DevSecOps and its best practices in our recent blog.

Security takes centre-stage with DevSecOps

DevSecOps showed that without security as an important component right from the beginning of the development stage, data leaks, data loss, cybersecurity threats, attacks and loss of reputation could be imminent.

With each concept, the approach of the program manager shifts. With DevSecOps, instead of just ensuring that the software is in compliance or meets a certain specification or audit requirement, the program manager also has to take all the steps, and use the tools and methods, needed to ensure that the code is written as correctly and securely as possible, so that it holds up against future cybersecurity attacks and risks.

Why agile is not enough

DevSecOps is comprehensive because it envelops and integrates security for the application and infrastructure into agile and DevOps processes and tools, while agile aggressively focuses on creating minimum viable products, with speed as a tenet for teams to follow.

The benefits of DevSecOps are many, and one strong case for it is its cost effectiveness and the diminished possibility of being at risk due to insecure code. This creates a stronger and more robust cybersecurity posture.

If a DevOps engineer is multi-skilled, then a DevSecOps engineer is a well-rounded professional who is adept in software development as well as in other practices such as threat modelling, risk assessment, automated security testing, cloud, infrastructure and more.

While agile works on vulnerabilities and fixes a bug or introduces a patch at a later stage, when the application is already live or about to be delivered, DevSecOps ensures security in the planning stage itself, even before the application code is written.

Regulations add a whole new dimension, as certain industries are bound to adhere to regulatory requirements and compliance. Agile alone cannot deliver on this requirement. It is not a matter of choosing between application delivery and application security: both are required. Delivering only on the parameters of faster time-to-market, good design, a good user experience built on user feedback, better infrastructure and continuous monitoring and improvement is not enough. As we said before, DevSecOps vs agile is an inapt comparison.

DevSecOps vs agile: Is one a replacement for the other?

Agile development focuses mainly on releasing quality software in a timely manner. DevOps involves a set of technical processes such as Continuous Development, Continuous Integration (CI), Continuous Testing (CT), Continuous Deployment (CD) and Continuous Monitoring. DevSecOps does build on some agile development principles, such as the continuous integration and delivery of software systems in cycles, but its key emphasis from the beginning of the process is to integrate security. Just as DevOps was an improvement over agile, DevSecOps is an enhancement over DevOps.
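One concrete way security is integrated into the CI/CT/CD stages described above is a policy gate that runs after the automated security scan and blocks the merge or deployment when findings exceed the team's accepted risk threshold. The following is an added illustration written for this post, not code from the blog or any particular product; the scanner report format, rule names and file paths are constructed assumptions.

```python
"""CI security gate: fail the stage when a scan reports findings above the
team's accepted risk threshold. Illustrative code, not from the original post."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output in the shape of a SAST/dependency-scan report.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py", "line": 12},
        {"rule": "outdated-dependency", "severity": "medium", "file": "requirements.txt", "line": 3},
        {"rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 40},
    ]
})


def blocking_findings(report_json, threshold="high", accepted_rules=()):
    """Return findings at or above `threshold`, skipping rules the team has
    formally risk-accepted (tracked outside the code, e.g. in a ticket)."""
    report = json.loads(report_json)
    limit = SEVERITY_RANK[threshold]
    return [
        f for f in report.get("findings", [])
        if SEVERITY_RANK.get(f.get("severity", "low"), 1) >= limit
        and f.get("rule") not in accepted_rules
    ]


def gate(report_json, threshold="high", accepted_rules=()):
    """Exit code for the CI step: 0 lets the pipeline continue, 1 blocks the
    merge or deploy and lists the findings that must be fixed first."""
    blockers = blocking_findings(report_json, threshold, accepted_rules)
    for f in blockers:
        print(f"BLOCK {f['severity'].upper():8} {f['rule']} at {f['file']}:{f['line']}")
    return 1 if blockers else 0


if __name__ == "__main__":
    # In a real pipeline the report would be read from the scanner's output file.
    sys.exit(gate(SAMPLE_REPORT))
```

Run as the last step of the test stage, a non-zero exit stops the pipeline before deployment, which is the "security from the planning and build stage" practice the post describes rather than a patch after go-live.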

Summary

Agile fosters collaboration and constant feedback. But unlike DevSecOps, it does not cover software delivery through testing, QA and production. DevSecOps completes the picture by providing the methodologies and tools that make agile adjustments possible.

Today's environment of automation, multi-cloud infrastructures, endpoint vulnerabilities and nefarious bad actors demands that there be no debate about the security aspect. So the question will not centre on DevSecOps vs agile, but on how release engineers, development teams and security teams can work together within the agile framework.

A recent Kaspersky report suggested that as many as 726 million reported cyber-attacks had occurred since the start of the year, putting 2020 on track to rack up somewhere in the region of 1.5 billion cyber-attacks per year.

A security mindset is not a trend but a way of life for organizations. Integrating security practices into the development and operations cycle ensures that the product is delivered with speed, has the utmost security against possible attackers and threat actors, and is continuously improved upon. Needless to say, communication and collaboration become key among the development, operations and security teams, with the end user, customer and business kept informed as well.