December 14, 2017, by Rick M Robinson

In the beginning was the waterfall, a rigid, sequential model of software development based on the earlier heritage of manufacturing design and development. It took decades for waterfall development approaches to give way to the need for agility. That brought about the shift to DevOps, combining software development and operations into one ongoing process.

But even agility and DevOps soon ran into a problem. As in waterfall development, security tended to be bolted on as an afterthought, increasing development costs and, worse, introducing vulnerabilities.

Now a new philosophy, SecDevOps, is placing security at the forefront of the DevOps process. The fundamental principle behind SecDevOps is that security cannot be bolted on as an afterthought. It needs to be integral to both the development and operations cycles. When it is, software can be built with greater agility, delivered more rapidly and, most importantly, be safer and more secure.

The Inflexible Waterfall Model

Although the term “waterfall” was first used to describe development in the 1970s, what is now called waterfall development dates back to the 1950s and the first generation of large software development projects.

According to Infosec Island, the waterfall model made development preplanned, sequential and sluggish. It was rooted in prior experience of manufacturing development projects. In those projects, such as the construction of aircraft, late-term changes in design were enormously expensive due to heavy investment in prototypes and production facilities. Hence the sequential process in which designs were approved before development began.

The waterfall model did not handle security very flexibly. But it hung on for decades because it was the only known way to approach large-scale engineering development, and it did help limit the number of costly late fixes.

The Agility Challenge

By the turn of the century, patience with the sluggish pace of waterfall development had run out and agility became the new watchword. Software, after all, is not designed or built like an airplane: there is no metal to bend and no inherent gulf between design and operations.

The demand for agility gave us DevOps. But when it came to security, the tendency to bolt on afterwards persisted. This ongoing problem provided the push and inspiration for SecDevOps, which has the goal of making security design as proactive as development and operations were supposed to be.

Embracing Built-In Security With SecDevOps

As a philosophy, SecDevOps comes with its own technological demands on security designers. Security deployments, like all deployments, must be continuous. Automated security testing is a necessity. Some specific key tests may still need to be manual, but most should be automated to keep up with the overall DevOps pace.

But the central SecDevOps principle is not new. Security embraces every aspect of software design and operation. Trying to bolt it on at the end is a sure way to guarantee a succession of complicated, costly and, ultimately, unreliable late fixes.

Conversely, the more fully security is integrated into the daily workflow of the DevOps team, the more thoroughly security will be built into the project from the outset. When you design for simplicity and robustness, security becomes a natural output, not a belated addition held in place by duct tape and wishful thinking.
