With high-profile cyberattacks regularly hitting headlines, it’s not surprising more and more companies are embracing the DevSecOps movement. With the goal of incorporating security features and focus at every stage of the development process—from conception to release—DevSecOps brings development, security and operations teams together to build better, stronger processes and products—in theory, at least.
In reality, adopting DevSecOps isn’t a simple, single step; it requires new partnerships and processes backed by the full commitment of stakeholders. If everyone isn’t on board for this significant paradigm shift, it can easily fail. Below, 16 members of Forbes Technology Council share common reasons why DevSecOps efforts fail and how these missteps can be avoided.
1. It Becomes A ‘Department Of No’
Trying to impose a “department of no” style of security through DevSecOps is causing these programs to fail. To be successful, security programs must include developer productivity targets and aim for collaboration and education. Set guardrails instead of roadblocks (this is, of course, easier said than done). – Varun Badhwar, Endor Labs
2. It’s Viewed As A ‘Tools’ Problem
DevSecOps is tackled mostly as a “tools” problem, but in reality, it’s a “culture” (mindset) and “processes” (workflows) problem. Tools are foundational. They are necessary, but not sufficient. Placing proper focus on cultural and procedural aspects is a big challenge, but putting tools at the center of efforts instead of people is a fallacy. – Manojkumar Parmar, AIShield (Powered by Bosch)
3. Collaboration Is Not An Equal Partnership
In driving better alignment between development and security, DevSecOps is a great strategy. It fails if collaboration is not an equal partnership and the pendulum swings too far toward development or security. When security teams try to force policies on stakeholders, they’re rarely adopted. DevSecOps practices are successful when there’s an equal collaboration between development and security teams. – Jim Barkdoll, Axiomatics
4. Security And Development Teams Are Siloed
DevSecOps efforts sometimes fail due to a lack of engagement and consistent two-way communication. Recent layoffs in the tech sector and folks switching jobs can also add to the creation of silos between security and developer teams. My advice to teams is to proactively encourage frequent dialogue and implement processes so that engagement and communication don’t break down when a team member leaves. – Caroline Wong, Cobalt
5. There’s Minimal Common Context Or Communication Between Security And Development Engineers
One reason DevSecOps efforts fail is they don’t start with a common context and trusted relationship between security engineers and development engineers. To avoid this, practice consistent communication between teams, detailing the needs and plans of each. In the most successful cases, embedding security engineers, at least part-time, in engineering teams is a great way to ensure communication. – Dave Merkel, Expel
6. Fixing Security Issues Slows Devs’ Productivity
The challenge with DevSecOps is that fixing security issues slows developer productivity. To avoid this, organizations must incorporate DevSecOps as a business-critical operation. Encourage techniques starting at the preproduction development stage to avoid time spent on fixing vulnerabilities. Organizations must also adopt tools that are fully integrated into the DevOps pipeline. – Shay Levi, Noname Security
7. Security Isn’t Fully Integrated Into Development Processes
DevSecOps can fail when the security aspect is not fully integrated. To avoid this, integrate the security team into the development process from the outset and work closely with developers to ensure security is integrated into every stage. Conduct regular security assessments, provide training on secure coding practices and implement automated tools to detect and address security issues in real time. – Milan Dordevic, Proctorio Incorporated
8. Speed Wins Out Over Discipline
DevSecOps efforts fail when speed wins out over discipline. The desire to deliver upgraded functionality makes it easy to overlook security processes, including testing, patching and monitoring. The lack of segregation of duties may allow excessive access to production and the implementation of unauthorized changes. The end product could be buggy and vulnerable to cyberattack. – Howard Taylor, Radware
9. The Development Team Makes Changes Without The Security Team’s Knowledge
One reason DevSecOps efforts fail is a lack of collaboration between teams. Without communication and collaboration, security teams may not be aware of changes made by development teams, leading to vulnerabilities or compliance issues. To avoid this, create cross-functional teams that include representatives from development, operations and security teams to ensure everyone is aware of changes. – Pete Hanlon, Moneypenny
10. There’s An Unrealistic Timeline For Implementation
An unrealistic timeline can be a big issue. Implementing DevSecOps should be done with a phased approach; it requires gradual changes and automation that are well-received, understood, practiced and monitored. Well-documented processes and continuous education are mandatory to ensure the smooth functioning of DevSecOps, and we must take our time. Any effort to accelerate this work may result in overall failure. – Osborn Gomes, NIOSolutions Inc.
11. The Technical And Business Objectives Aren’t Fully Understood
Tech leadership needs to fully understand the technical and business objectives. The core of DevSecOps success is ensuring all teams plan and strategize the implementation. Placing security at the heart of the ongoing work of the other elements will go a long way toward ensuring a DevSecOps approach is successful. – Bankim Chandra, DotSquares LLC
12. There Aren’t Sufficient Resources To Address Both Customer Demands And SecOps Work
One reason DevSecOps efforts fail is there aren’t enough resources to manage customer feature demands versus DevSecOps needs. If your largest customers constantly put high-priority items at the top of the dev stack, SecOps work almost always falls below the cutoff line for dev resources. There needs to be an organizational commitment to the path, or you must take small bites to make progress. – James Beecham, ALTR
13. Features And Functionality Are Prioritized Above Security
The reason DevSecOps efforts fail is that they are not prioritized as highly as other aspects of development and deployment. Many companies have a tendency to focus on features and functionality over security, which can result in a product that has vulnerabilities that could have been avoided had dev teams put more emphasis on security. – Leon Gordon, Pomerol Partners
14. Security Specialists Don’t Understand The Software Development Process
Generally, security specialists come from a network background, are focused on risk and compliance and do not understand the software development process. Security teams seldom understand automated build servers, central code, containers and so on. This lack of understanding and scarcity of security experts makes this issue one of the main reasons DevSecOps efforts fail. – Kiran Bhujle, SVAM International Inc.
15. Roles And Responsibilities Aren’t Defined
A lack of shared responsibility and ownership is a key reason DevSecOps efforts fail. To avoid this, team members should have well-defined roles and responsibilities. There should be regular communication and training between the security, development and operations departments, and there should be a plan in place to address any potential security issues that might arise during development and operational processes. – Mahanth Mallikarjuna, Mergen IT LLC
16. Upper Management Hasn’t Fully Bought In
One reason DevSecOps efforts may fail is a lack of buy-in and support from upper management. DevSecOps requires a cultural shift in the way that development, security and operations teams work together, and this shift may not be fully supported or understood by upper management. Without their support, it may be difficult for DevSecOps initiatives to gain traction and be successfully implemented. – Ivan Novikov, Wallarm Inc.