The “shift left” that brings security into development
In the software development world, the pace of change is rapid – and cybersecurity is no exception. As developers begin to embed security in their everyday workflows, conversations around application security are changing. DevSecOps, or the combination of software development, operations and security, reflects this shift to the left or earlier in the supply chain and entails securing code in the development and runtime environment.
During the 2021 KeyBanc Capital Markets (KBCM) Emerging Technology Summit, KBCM Enterprise Software Analyst Michael Turits moderated a panel of experts in the security and software development space: Peter McKay, CEO of Snyk; Alan Naumann, CEO of Contrast Security; Corey Thomas, CEO of Rapid7; and Chris Wysopal, Founder & CTO of Veracode. Despite their different approaches and niches, all of these cybersecurity leaders agree that the space is undergoing a radical transformation.
The evolution from application security to DevSecOps
Where DevOps historically referred to writing code and provisioning infrastructure and compute resources, DevSecOps reflects the integration of security into the middle of this process – an update that Naumann says is the only way to solve new challenges in the cybersecurity space. Thomas emphasizes that in order to build technology with the speed and efficiency that today’s marketplace demands, developers need the right combination of infrastructure and resources at their disposal. “We all have to figure out how to drive the pace of innovation in the most secure way, and that’s actually wreaking havoc on the old order of how people previously built and secured technology.”
DevSecOps also reflects an evolution in the organizational structure of tech companies. “Fifteen years ago, when I started Veracode, application security wasn’t the development team’s problem,” recalls Wysopal. “They didn’t know about it, didn’t want to do anything about it; it was the security team’s problem.” Operations and quality responsibilities were also siloed within separate teams. But with the shift to agile and DevOps, the same team writes, tests, operates, and secures code – a much more efficient approach to building reliable, secure software.
McKay likens the “shift left” to quality control. “You wouldn’t wait until you were about to go into production to test for a quality issue; you build it into the process, so you’re not waiting until the last minute to fix a vulnerability or a flaw in the application.” In the era of the cloud, development organizations must be creative and agile. Where older security tools hinder developers’ ability to move quickly, building security into the software development life cycle can help reduce or even eliminate those bottlenecks.
Accelerating development while enhancing security
Given the constant pressure to speed up development and getting to market, tech companies must maintain a fast pace without compromising security. Wysopal points out that the sooner DevSecOps teams identify a vulnerability, the more immediately they can fix it, and the more efficient the whole process becomes.
Naumann notes that in many cases, the challenge of balancing speed and security is a problem of scale. Currently, there are 30 or 40 million software developers working in the U.S., and that number is expected to grow to 60 or 80 million. A single large enterprise firm may employ 40,000 developers but only 100 professionals focused on application security. By integrating code instrumentation and sensors throughout the open source, custom code, authentication, and infrastructure, developers can identify vulnerabilities and areas where the potential for exploitation exists. This data flow provides powerful visibility into which issues are most critical and how to resolve them.
Prioritization is an “age-old” challenge for application security, agrees McKay. Identifying problems is the clear first step, but determining which to address first, second, third, and so on is critical. Fortunately, as machine learning and artificial intelligence become more sophisticated, auto-remediation can play an important role in driving efficiency. After developers have fixed the same type of issue 10 or 20 times, automation can start to handle some of those same fixes, creating a more efficient development process.
Predictions for a rapidly changing cybersecurity landscape
Thomas foresees two fundamental changes in the structure of the cybersecurity industry. The first is an increase in emphasis on the developer, and the second is a faster, more decentralized tech environment requiring stronger IT and security operations. Companies need security operation centers that cater to a dynamic environment, with a focus on monitoring, change management, automation, and more – while also providing an agile development infrastructure. As the cloud drives innovation at a faster pace, tech firms need to minimize friction between different departments in order to deliver the infrastructure and services developers require in the most secure way possible.
Naumann agrees that the unique challenge of “serving two masters” (developers and security professionals) in a way that supports both parties is a complex problem that multiple industry behemoths are actively trying to solve. Companies with a deep understanding of both development and security have a built-in advantage, but it remains to be seen who will emerge as leaders in the space. “Investors know that in cybersecurity, David can beat Goliath: the small company with a different platform, technical approach, point of integration, or point of view can tackle big, established players.”
In the competition between traditional development companies and traditional operational security companies, Wysopal believes the development side of the industry is positioned for greater success: “I think a lot of operation security shifts left, and people who know how to work with developers have an advantage. Application security companies that are developer-focused also have an advantage, and we’re closer to where the problem is going to be solved than the old firewall companies coming into the space.”
McKay adds that cloud companies, which offer massive development environments, also have a stake in the future of cybersecurity – especially given that security is a primary obstacle to moving applications to the cloud. But security, compliance, and privacy as components of developer productivity will be the focus moving forward. Security providers accustomed to selling security tools to security people will struggle unless they can adopt a more developer-centric approach.
The cybersecurity landscape is a highly dynamic component of the tech sector, and the shift left to a DevSecOps approach reflects a key element of the transformation taking place in the industry. From cloud-driven innovation, to advances in AI and machine learning, to greater integration between developers, operations, and security teams, this space is evolving rapidly. So are the opportunities for companies with solutions that address these complex challenges.
The KeyBanc Capital Markets Technology group helps emerging technology companies compete in a rapidly changing world with in-depth events and seminars, actionable insights and market research, and access to capital. For more information on KBCM equity conferences and to be considered for an upcoming conference, connect with Corporate Access.
About the 2021 Emerging Technology Summit
After a tumultuous 2020 in which technology outperformed during a year of multiple crises – health, economic and social – the virtual Summit focused on what's next for the sector. We brought together investors, executives and founders from top private and public companies, and industry thought leaders to discuss the role and opportunities for technology as we progress toward the "new" normal. Attendees included 650+ institutional investors, 450 private equity/venture capital corporate development investors, 125+ private companies, and 30 public companies for 67 Fireside Chats/Presentations, 10 panels, and 3 Keynotes.