{"id":227209,"date":"2023-03-16T01:47:33","date_gmt":"2023-03-16T01:47:33","guid":{"rendered":"https:\/\/www.devsecops.ltd\/?p=227209"},"modified":"2023-03-16T01:47:52","modified_gmt":"2023-03-16T01:47:52","slug":"balancing-speed-vs-security-in-devsecops","status":"publish","type":"post","link":"https:\/\/www.devsecops.ltd\/balancing-speed-vs-security-in-devsecops\/","title":{"rendered":"Balancing Speed vs Security in DevSecOps"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">The technology world is highly competitive and constantly evolving. In this context, the speed of product releases is critical for organizations to measure success.\u00a0 There is always an urgent need for organizations to push products into production faster. Let us take the general case of ChatGPT, the AI chatbot by OpenAI that burst onto the scene in November 2022. No sooner did ChatGPT appear, companies were trying to create similar AI bots quickly. Speed was the critical aspect here but whether quality and security requirements were met is anybody\u2019s guess.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Such speed requirements put immense pressure on all teams involved such as the development team, operations team, and security team. In a DevSecOps environment, while many aspects of the SDLC can be sped up, security cannot be hurried since vulnerabilities and other threats constantly evolve and it is important to patch them up appropriately. Interestingly, in this age of digital speed, security might sound like an impediment but it is not and it is actually a necessity.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Some of the obstacles when trying to balance speed and security in DevSecOps are as follows:\u00a0<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Absence\u00a0 of automated workflow<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Lack of knowledge about application security tools and processes<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Unable to bridge the gap between software development and compliance<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">So, how should organizations go about balancing speed and security in DevSecOps environments? Here are a few suggestions that might help in overcoming the obstacles:\u00a0<\/span><\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_67_1 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title \" >Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 eztoc-toggle-hide-by-default' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.devsecops.ltd\/balancing-speed-vs-security-in-devsecops\/#Adopting_security_practices_as_early_as_possible\" title=\"Adopting security practices as early as possible\">Adopting security practices as early as possible<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.devsecops.ltd\/balancing-speed-vs-security-in-devsecops\/#Automate_testing\" title=\"Automate testing\">Automate testing<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.devsecops.ltd\/balancing-speed-vs-security-in-devsecops\/#Maintaining_healthy_communication_between_all_the_three_teams\" title=\"Maintaining healthy communication between all the three teams\u00a0\">Maintaining healthy communication between all the three teams\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.devsecops.ltd\/balancing-speed-vs-security-in-devsecops\/#Customized_security_training_for_different_teams\" title=\"Customized security training for different teams\">Customized security training for different teams<\/a><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"Adopting_security_practices_as_early_as_possible\"><\/span><span style=\"font-weight: 400;\">Adopting security practices as early as possible<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">While saying \u201cadopt security practices as early as possible\u201d might sound like a broken record, this practice will actually cut down on the time that might be spent later on when discovering vulnerabilities or critical security leaks. Adopting security practices early on will also cut down on financial losses that might be incurred, later on.\u00a0<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Automate_testing\"><\/span><span style=\"font-weight: 400;\">Automate testing<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">For DevSecOps processes to be faster and more efficient, it will be good to automate application security testing wherever possible. It will be good to use automated testing tools in the DevSecOps environment to speed up the process, reduce manual work and detect vulnerabilities early on.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Maintaining_healthy_communication_between_all_the_three_teams\"><\/span><span style=\"font-weight: 400;\">Maintaining healthy communication between all the three teams\u00a0<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Communication might be the most underrated skill in any business strategy but it is probably the most important one for any business to function effectively.\u00a0<\/span><span style=\"font-weight: 400;\">If the security team is perceived to be slow, the DevOps teams can always talk with the security team and adopt ways to speed up the entire process efficiently.\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Customized_security_training_for_different_teams\"><\/span><span style=\"font-weight: 400;\">Customized security training for different teams<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">If security is adopted at the very end of the development pipeline, it will slow the entire SDLC process if critical vulnerabilities are discovered. In order to balance speed and security in DevSecOps environments, it will be good to tailor security training for the different teams and enable them to adopt security practices in their environments. This will further lessen the burden on security teams and both speed and security will be achieved. <\/span><span style=\"font-weight: 400;\">We have seen some ways in which speed and security can be achieved in DevSecOps practices.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Do stay tuned for more posts on the DevSecOps domain!<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For more information about our courses, do visit us at <\/span><a href=\"https:\/\/www.devsecops.ltd\/\"><b>Practical DevSecOps<\/b><\/a><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><b>References:<\/b><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/devops.com\/speed-and-security-how-to-find-a-balance-in-development\/\"><span style=\"font-weight: 400;\">https:\/\/devops.com\/speed-and-security-how-to-find-a-balance-in-development\/<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/newtglobal.com\/devsecops-the-speed-vs-security-tradeoff\/\"><span style=\"font-weight: 400;\">https:\/\/newtglobal.com\/devsecops-the-speed-vs-security-tradeoff\/<\/span><\/a><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">https:\/\/www.itmethods.com\/wp-content\/uploads\/2019\/10\/devsecops_speed_and_security_together_at_last.pdf<\/span><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>The technology world is highly competitive and constantly evolving. In this context, the speed of product releases is critical for organizations to measure success.\u00a0 There is always an urgent need for organizations to push products into production faster. Let us take the general case of ChatGPT, the AI chatbot by OpenAI that burst onto the [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":227210,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/227209"}],"collection":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/comments?post=227209"}],"version-history":[{"count":0,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/posts\/227209\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media\/227210"}],"wp:attachment":[{"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/media?parent=227209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/categories?post=227209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devsecops.ltd\/wp-json\/wp\/v2\/tags?post=227209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}