Security Concerns Shaping the Way Organizations Approach DevOps


Security is a major concern for software development and IT operations. Staying on top of how security shapes the DevOps landscape is crucial to business decisions.

Discover what experts have to say about the security concerns that DevOps is currently facing.

Cloud Tech Adoption

As enterprises increasingly adopt cloud technologies, with Gartner predicting that over 50% will be using the cloud by 2028, security can no longer be an afterthought. Instead, it must be seamlessly embedded into the Software Development Life Cycle (SDLC), commonly referred to as DevSecOps. This integration is so crucial that the Open Worldwide Application Security Project (OWASP) Foundation has developed maturity models to guide organizations at various stages of DevSecOps implementation.

As DevSecOps gains traction, organizations will adopt a shift-left approach, introducing security measures early in the development process. This includes integrating tools like Static Application Security Testing (SAST), open-source vulnerability scanners, and credential scanners into the build pipeline, as well as conducting threat modeling before development begins. Once deployed to production, automated tests to validate security features, along with scanning container images for vulnerabilities, will become integral to developing secure products. – Siri Varma Vegiraju, Tech Lead at Microsoft.

The Open-Source Elephant in The Room

For a long time, developers and security teams agreed that ‘shifting left’ was the best way to prevent software supply chain compromises. Shifting left meant security evaluations were conducted earlier in the development process — often before any code is actually written.

The problem is that developers are not writing as much of their own code anymore. Software now consists of up to 90% open-source and third-party components. As a result, many developers cannot answer the question, ‘What’s in your software?’ This leaves security teams unknowingly dealing with potentially faulty software that doesn’t come to light until a breach occurs.

The open-source elephant in the room has led to security concerns that are shaping the way organizations approach DevOps. Today, more organizations are incorporating a paradigm shift in how they approach security in the development process, called ‘shifting left of shift left,’ to combat today’s software supply chain attacks. While shift left primarily focuses on early testing and quality assurance, shifting left of shift left extends this concept further by incorporating enhanced collaboration, automation and continuous improvement throughout the entire software development lifecycle. Specific steps to do so include:

  • Understanding Risks Beyond Vulnerabilities – The first step is ensuring that developers and security professionals understand the risks that lie hidden within the software, and recognizing that vulnerabilities are only one dimension of risk. Inherent risks deep in the software supply chain can have serious consequences. Having the tools to identify inherent risks is critical.
  • Select Foundational Tools – Shifting left of shift left begins with choosing the right foundational tools to assess open-source software components. Approximately 95% of open-source vulnerabilities are found in open-source code packages that are not selected by software developers and are indirectly pulled into projects.
  • Prioritize Security in Development Tools – I encourage developers to opt for secure programming languages, frameworks, and libraries to ensure that security is integrated from the ground up.
  • Implement Real-Time Solutions – To shift left of shift left, developers need more than just a testing mechanism; they need a real-time security solution consistently assessing code.
  • Developer Training – Developers who understand pain points, signs of issues, and the implications of their decisions on the overall security posture can help alleviate tensions with security team members and create secure code from the start.
  • Continuous Security Assessments – Security doesn’t end when the software goes live. Following development, organizations should have tools in place to conduct ongoing evaluations of code to help in the timely identification and remediation of vulnerabilities. – Nick Mistry, SVP, CISO at Lineaje.
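Nick Mistry's point that most open-source vulnerabilities arrive through packages developers never chose can be made concrete by inventorying a lockfile. The Python below is added here as an illustration and is not code from Lineaje or from the original article: it classifies every package in a constructed `package-lock.json` (lockfileVersion 3 layout) as direct or transitive, records which package pulled each one in, and flags names installed at more than one version. The sample lockfile and the `resolve` and `inventory` helpers are assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed sample: a hypothetical, minimal package-lock.json (lockfileVersion 3
# layout) written for this example; it is not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.0.0", "logger": "^2.1.0"}},
        "node_modules/web-framework": {"version": "4.0.3",
            "dependencies": {"http-parser": "^1.2.0", "cookie-util": "^0.5.0"}},
        "node_modules/logger": {"version": "2.1.0", "dependencies": {"color-lib": "^3.0.0"}},
        "node_modules/http-parser": {"version": "1.2.4"},
        "node_modules/cookie-util": {"version": "0.5.1", "dependencies": {"color-lib": "^1.0.0"}},
        "node_modules/color-lib": {"version": "3.0.2"},
        # nested copy: cookie-util needed an older color-lib than logger did
        "node_modules/cookie-util/node_modules/color-lib": {"version": "1.0.9"},
    },
})

def resolve(packages, base, dep):
    """Mimic Node's lookup: the nearest node_modules/<dep> walking up from `base`."""
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # reached the project root without finding it
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def inventory(lock_text):
    """Classify every installed package as direct or transitive, with who pulled it in."""
    packages = json.loads(lock_text)["packages"]
    direct = {resolve(packages, "", d) for d in packages[""].get("dependencies", {})}
    required_by = defaultdict(list)  # installed path -> paths that depend on it
    for path, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target:
                required_by[target].append(path or "<root>")
    versions, report = defaultdict(set), {"direct": [], "transitive": [], "multiple_versions": {}}
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.split("node_modules/")[-1]  # last segment; also handles @scope/name
        versions[name].add(meta["version"])
        report["direct" if path in direct else "transitive"].append((name, meta["version"], required_by[path]))
    report["multiple_versions"] = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    return report
```

On the sample, two of six installed packages are direct and four are transitive, and `color-lib` is present twice at different versions, which is exactly the kind of indirectly pulled-in code the quote warns about.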

Security is now at the forefront of DevOps, leading to the rise of DevSecOps, where security is integrated throughout the development lifecycle rather than being treated as an afterthought. Organizations are embedding security practices into their CI/CD pipelines, automating vulnerability scanning, and ensuring compliance checks are part of every stage of development.

This shift is changing the way DevOps teams operate. Developers are being trained in secure coding practices, and security teams are collaborating more closely with DevOps engineers to create secure, automated environments. The focus is now on proactive security—identifying and addressing potential threats early, before they become critical issues. As a result, DevOps has become more security-focused, with an emphasis on continuous monitoring, automated testing, and real-time threat detection.

Ultimately, security is no longer a separate function; it’s a fundamental component of DevOps, driving new processes, tools, and team structures. – Maksym Lushpenko, Founder & CEO at Brokee

Increased Security Breaches & Automated Security Testing

In an increasingly interconnected and digital world, it is no surprise that there has been a steady rise in the number and cost of security breaches over the last few years. As such, addressing security concerns is a top priority for any company, with the issue leading to a paradigm shift in the way organizations approach DevOps. Forward-looking companies are embracing DevSecOps approaches. These favor more holistic “Security by Design” practices that can enhance cyber resilience while removing conventional silos between DevOps and cybersecurity experts. In effect, DevSecOps integrates security as a shared responsibility throughout the entire DevOps process, starting from the early development stages, rather than relying on conventional security testing at the end of the DevOps lifecycle. – Andrew Pielage, Senior Software Engineer at Payara Services

One of the key enablers of this transition is certainly automation, already a pillar of DevOps. It supports automated security testing in the software development pipeline, flagging anomalies and untested code as a high-priority risk. As a result, developers can benefit from a continuous monitoring and improvement tool to identify and fix vulnerabilities earlier and deliver more secure software faster. – Abdul Rahim, Release Automation Engineer at Payara Services.

Ultimately, thanks to DevSecOps, companies can shift from purely reactive security strategies, whereby threats and other issues are resolved, to more proactive approaches that can resolve vulnerabilities before they are exploited. This means that applications, companies developing these solutions and end users are more robust and resilient.

The use of DevSecOps practices at Payara is playing a key role in helping the entire engineering team deliver high-quality code during rapid development cycles. Through a quality-centric, collaborative environment that leverages automation, the company successfully releases monthly software updates for its multiple platform versions to its enterprise customers. – James Hillyard, Infrastructure Engineer for IT Operations and DevOps at Payara Services

Complexity

Organizations must factor in compliance across numerous regulations and internal policies while at the same time anticipating new cyberattack techniques and challenges. Teams should work closely with compliance officers and security teams to ensure their applications meet their expectations before release.

Complexity has created a greater need for automation, but it’s also made building automation more difficult, especially if it’s an afterthought. There are now so many activities tied to DevOps automation. For example, there’s test automation, build automation and security automation. All these categories must be addressed when working to tame complexity. – Prashanth Nanjundappa, VP of Product Management at Progress

Securing Identities Across Different Systems

Securing identities across different systems has become a top priority for organizations, especially as credential stuffing attacks rise and leaked passwords flood the dark web.

As DevOps teams manage increasingly complex environments, it’s become critical to prioritize authentication methods like passkeys and multi-factor authentication (MFA) to prevent unauthorized access. This shift is driving the adoption of advanced security solutions that both protect the development pipeline and ensure resilient identity management against modern threats. – Rishi Bhargava, co-founder at Descope


About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.