Top 10 DevSecOps Challenges #3: Doing DevSecOps without constant CI/CD changes


Better collaboration between teams, faster time to market, improved overall productivity and enhanced customer satisfaction are just some of the benefits you can reap from successful DevSecOps. 

However, it’s not just a matter of wrapping a few security tool APIs into your favourite CI tool and calling it a day. DevSecOps programs and tooling grow and mature as new tools are added, teams come on board and processes are updated. You don’t want to clog up and confuse your CI/CD pipelines with constant changes to accommodate DevSecOps.

There’s no ‘one-size-fits-all’ process for DevSecOps and we recognise every company will be at different stages. Here are some essential considerations to start with.

  • Make security part of the software development workflow
  • Automation, automation, automation
  • Finding your balance with automated security 

Make security part of the software development workflow

DevSecOps unites developers and security professionals, cultivating an environment of collaboration. But it’s hard to ignore that a certain level of friction has always existed. 

Besides time, there are lots of things that naturally place pressure on the CI/CD pipeline when it comes to security:

  • Hooking in all the relevant security tools (APIs, Docker images, CLIs, etc.)
  • Collecting, understanding and processing the results from all of these tools so you don’t just throw every vulnerability back to the development team
  • Prioritising which security issues to report on and which are not important
  • Communicating issues where they’re needed through channels like Slack, Jira, and others
  • Making any automated go/no-go decisions based on the security results. Are there big issues that need to be fixed before deployment? 
  • Handling tool extensions and keeping new versions up to date 
  • Recording security metrics to tell the full pipeline story

In one corner you have the development team and in the other, security. Each sometimes thinks that what the other team does creates nothing but extra work. This perspective results in both teams working in silos, which defeats the main principle of DevSecOps.

Making security part of the workflow simply starts with a mindset change, which is easier said than done. DevOps teams spend their time improving and refining their pipelines based on the needs of the teams around them. Now, with DevSecOps, security teams are joining the party with requirements that aren’t as straightforward.

Security controls and tests need to be embedded early and often in the development lifecycle. With organisations potentially pushing new versions of code into production 60+ times per day, automated security is the answer.

If you’re with the notion that increased security slows things down and creates a barrier to innovation, we’re here to dispel that. We understand your reluctance, but it’s just not the case when you have automation on your side paired with a platform that eases the job of adding DevSecOps to the CI/CD pipeline.

Automation, automation, automation

It’s not news to anybody that automation is a key characteristic in DevSecOps. For security to keep pace with code delivery in a CI/CD environment, automation of security is a given. 

Organisations where developers push code to production multiple times a day will feel this more than anybody. Rapid and secure code delivery may sound like an oxymoron to most businesses, but DevSecOps aspires to change that.

Trying to run automated scans on your entire application source code each day can be time-consuming and hinder your ability to keep up with daily changes. So, before delving into a tool stack head first, tread carefully.

Teams responsible for application security can now use pioneering platforms to set the tool and test configuration as well as collect and consolidate reporting data to various other tools - all without changing the DevOps pipeline. This gives security maximum flexibility to make the changes they need to, without needing permissions for DevOps.

For simplicity, take the Uleska Platform as an example. The short API logic Uleska uses to run security testing is consistent for every project. This means that regardless of the project logic or the CI/CD system being used, the same template can be used. Not only does it ease the job of adding DevSecOps to the CI/CD pipeline, but it makes security changes quicker and easier to make, since they’re configured outside the main CI/CD logic.
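The pattern described above (a fixed pipeline entry point, with the tool list and go/no-go policy from the earlier bullet list held in security-owned configuration) as an added example. This is illustrative code written for this article, not the Uleska Platform’s API or any vendor’s code; the config keys, project name and findings are constructed samples.

```python
# Added example: the CI job always runs the same call, run_security_gate(project_id, ...),
# while the per-project tools and thresholds live in config the security team owns.
# Changing a threshold or adding a tool edits the config, not the pipeline definition.
import json
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample config (hypothetical keys), kept outside the pipeline YAML.
SECURITY_CONFIG = json.loads("""{
  "projects": {
    "payments-api": {
      "tools": ["sast", "dependency-scan", "secrets-scan"],
      "report_at_or_above": "medium",
      "block_at_or_above": "high"
    }
  }
}""")

# Constructed sample output from three tools; two report the same credential finding.
SAMPLE_FINDINGS = {
    "sast": [
        {"id": "SAST-1", "severity": "high", "title": "SQL built from user input", "location": "app/db.py:42"},
        {"id": "SAST-2", "severity": "medium", "title": "Hard-coded credential", "location": "config/settings.py:10"},
    ],
    "dependency-scan": [
        {"id": "DEP-7", "severity": "critical", "title": "Vulnerable library version", "location": "requirements.txt"},
        {"id": "DEP-8", "severity": "low", "title": "Outdated library", "location": "requirements.txt"},
    ],
    "secrets-scan": [
        {"id": "SEC-3", "severity": "high", "title": "Hard-coded credential", "location": "config/settings.py:10"},
    ],
}

def consolidate(results_by_tool):
    """Merge findings from several tools, de-duplicating on (title, location) and keeping the highest severity."""
    seen = {}
    for tool, findings in results_by_tool.items():
        for f in findings:
            key = (f["title"], f["location"])
            if key not in seen or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[seen[key]["severity"]]:
                seen[key] = dict(f, tool=tool)
    return list(seen.values())

def run_security_gate(project_id, config, results_by_tool):
    """The single call the pipeline makes; which tools count and where to block comes from config."""
    project = config["projects"][project_id]
    findings = consolidate({t: results_by_tool.get(t, []) for t in project["tools"]})
    report_min = SEVERITY_RANK[project["report_at_or_above"]]
    block_min = SEVERITY_RANK[project["block_at_or_above"]]
    to_report = sorted((f for f in findings if SEVERITY_RANK[f["severity"]] >= report_min),
                       key=lambda f: -SEVERITY_RANK[f["severity"]])  # highest severity first
    blocking = [f for f in to_report if SEVERITY_RANK[f["severity"]] >= block_min]
    return {"project": project_id, "decision": "no-go" if blocking else "go",
            "reported": [f["id"] for f in to_report], "blocking": [f["id"] for f in blocking],
            "by_severity": dict(Counter(f["severity"] for f in findings))}

if __name__ == "__main__":
    print(json.dumps(run_security_gate("payments-api", SECURITY_CONFIG, SAMPLE_FINDINGS), indent=2))
```

Relaxing the block threshold or dropping a tool for one project changes the decision without touching the pipeline step that invokes the gate.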

Finding your balance with automated security 

Doing DevSecOps right is a fine balance. If it’s approached as a simple automation task, it’s likely to result in clunky connections to an ever growing list of security tools, as well as large lists of security issues being thrown back at developers - and more delays to code being released. As if everybody didn’t already have enough on their plate?

DevSecOps processes in many companies are immature, but maturing. This means the tech, tools and processes are continually evolving as improvements are being made.  

However, if this logic lives within the CI/CD pipeline, every improvement becomes a request to update the pipeline logic. Given there are already lots of pipeline requests and changes going on for other reasons, security has to compete for time, resources and capacity.

There’s a good case for saying the CI/CD pipeline isn’t the place to hold the logic or code to do DevSecOps, but if not there, where should it live? This is the reason the Uleska Platform separates the setup and configuration of DevSecOps from the core CI/CD pipeline, whilst still being driven by it.

At the heart of it all, security products need to integrate into the development pipeline and enable both the development and security team to work together instead of just throwing things over the fence to each other. 

Many of the tools required to insert security into agile DevOps are still emerging. As the methodology matures, you need a reliable platform that can scale with you, making it easy for you to adopt new tools, ways of working and to onboard new teams and applications.

Overcoming challenges to unify DevOps and security

Eliminating manual security tasks by hooking end-to-end security automation into your CI/CD sounds like no easy feat - and you’re right. There are many challenges that may crop up on your journey to releasing faster, more secure code. 

That’s why we’ve provided practical guidance for software security teams looking to save time when scanning and testing software - all without slowing down delivery. Download your guide today to prepare for the security challenges your team might come up against.
