If the pandemic has taught the higher education IT sector anything, it’s that future-proofing security approaches is vital for business continuity in the new risk landscape. To limit exposure to cyber risks, colleges and universities are turning to zero trust, automation and, at a foundational level, DevSecOps, which weaves security into organizational culture and the development process.
DevSecOps, short for development, security and operations, extends the DevOps approach to software delivery. It integrates security into every phase of the software development cycle and relies on automation so that security checks run alongside builds, tests and deployments rather than as a separate review at the end.
While DevOps has matured into a mainstream practice over the past decade or so, DevSecOps is a more recent evolution that reflects current practice in security management, with a focus on faster response and continuous testing.
Here is a look at how higher education security strategies can benefit from DevSecOps, as well as the potential challenges of adoption.
What Is the DevSecOps Methodology?
As early as 2019, EDUCAUSE identified DevSecOps as one of the top 10 strategic technologies to watch for in higher education. “It requires close collaboration between software engineers and security teams,” the authors wrote in the report.
A phrase often used to describe DevSecOps is “shifting left.” Picture the software lifecycle laid out on a timeline from left to right: feasibility, planning, design, implementation, testing, release and operation. Shifting left means moving quality assurance and security testing from the right end of that timeline toward the beginning, so that problems are found while they are still cheap to fix. The image comes from the conventional “waterfall” style of development, whose diagrams show each phase as a step that begins only after the previous one finishes, cascading downward and to the right with testing near the bottom.
The Benefits of DevSecOps for Higher Ed
When it comes to benefits for higher education IT teams, consider what DevSecOps can help you avoid during the software development process.
In a 2015 blog post, Donald Firesmith, a researcher at the Carnegie Mellon Software Engineering Institute, identified treating testing as a single late phase of waterfall-style development as one of the common pitfalls of software testing: defects, security vulnerabilities included, surface only after most of the design and code are already in place.
Because testing happens late, defects are discovered close to the delivery date, when schedules are tight and there is little time left to debug and fix them. Bugs that in-house developers might have caught cheaply during design or implementation instead slip through or are patched hastily.
“For decades, it has been well known that defects are more difficult and expensive to fix the later they are found in the lifecycle,” Firesmith wrote. “This phenomenon is one reason why treating testing as a sequential phase at the end of waterfall development has long been viewed as a major pitfall of system and software testing.”
Especially in the current security climate, there are strong incentives to build with security in mind at the beginning of the process.
In an interview with cybersecurity ratings company BitSight, CISO Alex Campoe of the University of South Florida explained that DevSecOps “enables the front-end folks, the developers, to do the things they need to do without having to … wait for security to look through their code to make sure that things are okay.”
When asked what USF is doing to future proof security approaches, he said, “DevSecOps … it’s inevitable.”
DevSecOps vs. DevOps: What’s the Difference?
DevSecOps and DevOps are closely related: both are built on the same continuous integration/continuous delivery (CI/CD) pipeline. They diverge in where and how security is incorporated into that pipeline.
According to Google Cloud Solutions Architect Drew Stevens and Enterprise Modernization Architect Mike Ensor, the shift-left approach has equivalents elsewhere in the DevOps cycle, but it carries special significance in a security context: “DevOps methodologies encourage development, quality and operations teams to collaborate on testing code and deployment mechanisms as early in the cycle as possible. DevSecOps applies the same principle of shifting left by incorporating security testing and vulnerability detection into the development life cycle rather than waiting to audit after development and testing have concluded.”
Speed is itself a security benefit. As the IBM Cloud Learn Hub notes, vulnerabilities in widely used components are often disclosed publicly and probed by attackers soon afterward, so a pipeline that can scan, patch, test and redeploy in hours rather than weeks shortens the period during which a known flaw is live in production: “As DevSecOps integrates vulnerability scanning and patching into the release cycle, the ability to identify and patch common vulnerabilities and exposures (CVE) is diminished. This limits the window a threat actor has to take advantage of vulnerabilities in public-facing production systems.”
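One concrete form of the integration described above is a gate step in the CI pipeline that reads a scanner’s findings and stops the build when a finding at or above a chosen severity is not covered by a waiver, with waivers time-boxed so that accepted risks expire and get re-examined instead of quietly becoming permanent. The Python script below is an added example written for this article; it is not code from the page, IBM, Google or any scanner vendor. It assumes a generic finding shape (id, severity, package, fixed_version) and uses constructed sample data with placeholder IDs; a real scanner such as pip-audit, Trivy or npm audit emits its own JSON and would need a small adapter into that shape.

```python
"""CI security gate: decide whether a build may proceed, given scanner findings.

Added example for illustration, not code from the article or any vendor.
Assumes a generic finding shape {id, severity, package, fixed_version}; real
scanners (pip-audit, Trivy, npm audit, ...) emit their own JSON and would need
a small adapter that maps their output into this shape.
"""
import json
import sys
from datetime import date

# Ordering used to compare a finding against the policy threshold.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "unknown": 0}

# Constructed sample findings, as a dependency scanner might report them.
# The IDs are placeholders, not real CVE identifiers.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-0001", "severity": "critical", "package": "libexample", "fixed_version": "2.3.1"},
    {"id": "EXAMPLE-0002", "severity": "high", "package": "webframework", "fixed_version": None},
    {"id": "EXAMPLE-0003", "severity": "medium", "package": "yamlparser", "fixed_version": "6.0.1"},
    {"id": "EXAMPLE-0004", "severity": "high", "package": "oldlib", "fixed_version": "1.9.0"},
]

# Constructed policy: fail on "high" and above. Waivers are time-boxed so an
# accepted risk is re-examined instead of silently becoming permanent.
SAMPLE_POLICY = {
    "fail_on": "high",
    "waivers": {
        "EXAMPLE-0002": {"expires": "2099-01-01", "reason": "no fix released; mitigated upstream"},
        "EXAMPLE-0004": {"expires": "2000-01-01", "reason": "upgrade was scheduled"},
    },
}


def evaluate(findings, policy, today=None):
    """Classify findings against the policy.

    today: ISO date string (YYYY-MM-DD) used to test waiver expiry; defaults
    to the current date. Returns a report whose "passed" key is False when
    at least one finding should block the build.
    """
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[policy["fail_on"].lower()]
    waivers = policy.get("waivers", {})
    blocking, waived, expired, below = [], [], [], []

    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        if rank < threshold:
            below.append(f["id"])
            continue
        waiver = waivers.get(f["id"])
        if waiver is None:
            blocking.append(f["id"])
        elif date.fromisoformat(waiver["expires"]) < today:
            # An expired waiver no longer protects the build: report it
            # separately so the owner can renew or fix, but still block.
            expired.append(f["id"])
            blocking.append(f["id"])
        else:
            waived.append(f["id"])

    return {
        "passed": not blocking,
        "blocking": blocking,
        "waived": waived,
        "expired_waivers": expired,
        "below_threshold": below,
    }


def run_sample(today="2024-06-01"):
    """Evaluate the constructed sample with a fixed date so the result is reproducible."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, today=today)


def _load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    """Usage: gate.py [findings.json] [policy.json]; exits 1 when the build must stop."""
    findings = _load(argv[1]) if len(argv) > 1 else SAMPLE_FINDINGS
    policy = _load(argv[2]) if len(argv) > 2 else SAMPLE_POLICY
    report = evaluate(findings, policy)
    print(json.dumps(report, indent=2))
    return 0 if report["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs as the step after the scanner, with the scanner’s JSON written to a file and the policy committed next to the code so that waivers are reviewed like any other change; the non-zero exit status is what makes the job fail. The fixed date in run_sample exists only to keep the sample reproducible, while main uses the real clock, which is how an expired waiver eventually reopens a finding.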
How Colleges Can Adapt to Incorporate DevSecOps
The good news about DevSecOps is that it improves security for the long haul. The bad news is that IT teams usually run into difficulties during implementation.
Just like DevOps, DevSecOps requires significant cultural changes, and those changes have to be planned for as the practice is built, not bolted on afterward. There is also a shortage of experts who fully understand DevSecOps, because IT operations and developer training programs rarely offer courses that cover this approach. (For universities and colleges looking to differentiate themselves, adding DevSecOps courses could be a lucrative way to attract students who want to study the methodology.)
With this in mind, hiring a partner, such as CDW Amplified™ Services, that specializes in DevSecOps is an effective approach to catching security issues before they snowball into disasters.