In today's business world, three harsh truths are facing established leaders in almost every industry:
- they are prone to disruption by competitors who are better at software innovation.
- they are prone to attacks by criminals who know more about security than they do.
- they are scared to death, and pressuring their own IT leaders to deliver innovative applications faster -- and more securely -- than ever before.
With this in mind, I wanted to reflect on how the simultaneous "need for speed" and "quest for control" is not only driving organizations to embrace DevSecOps -- but is also revamping what it even means to be an application security professional.
As the CMO at Sonatype, I've had the opportunity to explore this topic with countless people over the past few years including: analysts, customers, prospects, partners, and even competitors. In every instance, there is a strong sense of agreement; the role of security within modern software development is undergoing serious change.
So, what does this change look like? How does it manifest organizationally? What does it mean in terms of technical skills? Human skills?
Evolution, Not Revolution:
From my perspective, the changes occurring within the AppSec profession are still in the early days. DevOps itself is still emerging, although clearly accelerating. More recently, the concept of DevSecOps has arrived as a distinct best practice aimed at baking security teams into the development process itself without slowing down innovation.
In aggregate, the pace of change occurring within the AppSec profession maps fairly well with Gartner's prediction which states that by 2021, DevSecOps practices will be embedded in 80% of rapid development teams, up from only 15% in 2017. Furthermore, the winds of change are reflected in brand new survey data which reveals a 15% YoY increase in adoption of DevSecOps practices from 2017 to 2018.
The Changing of the Guards:
CEOs everywhere are pleading with their teams to develop innovative applications faster and more securely. The pressure to perform is intense and, in my experience, it generally leads to two types of AppSec professionals working on the job.
Visible Gate Keepers:
"Visible Gate Keepers" are traditional AppSec professionals working for IT organizations defined by waterfall-native practices.
On one hand, they are responsible for building and leading enterprise security architecture and vulnerability management. They have a clear mandate to design and operate a security apparatus to defend their organization from risk. In pursuit of this mission, they create multiple toll gates to inspect security hygiene at different points along the software development lifecycle. They strive valiantly to defend against evolving threats and keep developers in compliance with defined security controls.
On the other hand, their own colleagues in development typically view them as inhibitors to innovation -- not partners in innovation. They suffer from chronic fatigue associated with manually inspecting developer practices in an attempt to enforce compliance with defined security policy. They often find themselves navigating a chasm of misunderstanding: coders believe that security diminishes productivity, while they themselves are frustrated that coders don't take security more seriously.
Invisible Helping Hands:
"Invisible Helping Hands" are modern AppSec professionals working for IT organizations defined by DevOps-native practices.
The concept of the invisible hand was introduced more than 200 years ago by Adam Smith and describes how productivity and outcomes are necessarily improved when efforts accurately reflect what investors and consumers both want. In today's modern world, it's remarkably clear that business stakeholders and consumers are both demanding exactly the same thing: faster innovation and better security.
To this end, modern AppSec professionals typically originate from a software development background. They, themselves, have written tons of code and made many mistakes along the way. They've experienced the frustration and lost productivity associated with false positives and cryptic security reports. They've also witnessed, with their own eyes, the catastrophic costs of poor security. They are committed to fundamentally changing how software is made such that security is "built in" from the start -- not "inspected in" after the fact. They believe in their hearts that the ONLY way to get app security right is to empower developers to make it right. Rather than creating "toll gates" to inspect security -- their objective is to create invisible "guardrails" so developers can move swiftly and confidently to deliver applications that are secure by design.
While both types of AppSec professionals share the same goal -- delivering software to the market that is fundamentally secure -- only one of these personas is natively aligned with the critical objective of doing it faster than ever.
The advancement of DevSecOps and the proliferation of invisible helping hands will enable organizations to integrate, automate, and scale governance across every phase of the SDLC, without slowing down innovation.