What Is DevSecOps And Why Does It Matter In The Age Of AI?
Interest in DevSecOps has surged in recent years — but many people probably don’t know what it is, or why it has become especially important for tech companies in the age of AI.
When building software, someone has to make sure it doesn’t contain vulnerabilities that can later be exploited by bad actors. Today’s AI code generation tools can produce vast amounts of code quickly, but often with hidden security flaws. Adopting DevSecOps helps tech companies mitigate these risks, but it’s a relatively new approach.
Twenty years ago, most companies shipped code with three separate teams: development (writing the code), operations (deploying it) and security, which usually reviewed the code for vulnerabilities just before release. Security was a reactive step that happened late in the process, when fixes were most expensive.
Development and operations eventually merged into DevOps, and in recent years, it became clear that security should be as close to the development process as possible, not an afterthought. DevSecOps was born. A number of changes have made it especially important for tech teams to adopt a robust DevSecOps strategy.
AI-generated code has intensified security needs
With today’s generative AI tools, five developers can produce the output of 20. However, automation for code security has not kept pace, so much of that code ships with little or no security review. Human reviewers simply can’t keep up with the surge in volume.
Studies of AI-generated code have found that close to half of it contains flaws that could be exploited. Every company today needs to be running automated code security tools, such as static application security testing (SAST), in its pipeline so the code it’s rapidly shipping out doesn’t shoot it in the foot tomorrow.
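To make concrete what a SAST tool does with a stream of generated code, here is an added example (not code from the original article or from DeepSource) of a minimal static analyzer built on Python’s standard `ast` module. It walks the syntax tree of a source file and flags four common patterns that generated code tends to contain: dynamic code execution, shell command injection, unsafe YAML deserialization and hard-coded secrets. The sample being scanned is a constructed snippet written for this example; the rule names are this example’s own.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str    # rule identifier (names chosen for this example)
    line: int    # 1-based line in the scanned source
    detail: str


# Sinks this toy scanner looks for (a real SAST tool has hundreds of rules).
DANGEROUS_BUILTINS = {"eval", "exec"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
SECRET_NAME_HINTS = ("password", "secret", "api_key", "token")


def _call_target(node: ast.Call) -> Tuple[Optional[str], Optional[str]]:
    """Return (module, function) for `f(...)` or `mod.f(...)`; (None, None) otherwise."""
    f = node.func
    if isinstance(f, ast.Name):
        return None, f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id, f.attr
    return None, None


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        mod, name = _call_target(node)
        if mod is None and name in DANGEROUS_BUILTINS:
            self.findings.append(Finding("dynamic-code-exec", node.lineno, f"{name}() on runtime data"))
        if mod == "subprocess" and name in SUBPROCESS_FUNCS:
            # shell=True hands the argument string to /bin/sh, so any untrusted
            # piece of it becomes command injection.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("shell-injection", node.lineno, f"subprocess.{name}(shell=True)"))
        if mod == "os" and name == "system":
            self.findings.append(Finding("shell-injection", node.lineno, "os.system()"))
        if mod == "yaml" and name == "load":
            # PyYAML's yaml.load without an explicit safe Loader can instantiate
            # arbitrary Python objects from the document.
            has_loader = len(node.args) > 1 or any(kw.arg == "Loader" for kw in node.keywords)
            if not has_loader:
                self.findings.append(Finding("unsafe-deserialization", node.lineno, "yaml.load() without Loader"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_NAME_HINTS):
                    self.findings.append(Finding("hardcoded-secret", node.lineno, f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse `source` and return its findings ordered by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: (f.line, f.rule))


# Constructed sample resembling what a code assistant might emit; line numbers
# are those of the string itself (line 1 is the import).
SAMPLE = """\
import os, subprocess, yaml
API_KEY = "sk-live-0000"
def run(cmd):
    subprocess.run(cmd, shell=True)
def ping(host):
    os.system("ping -c 1 " + host)
def load(doc):
    return yaml.load(doc)
def calc(expr):
    return eval(expr)
def safe(cmd):
    subprocess.run(["ls", cmd])
"""


if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

The last function in the sample, which passes an argument list without `shell=True`, produces no finding; the other five sinks each do. In a CI pipeline the scanner’s non-empty result is what fails the build, which is the whole point: the check runs on every commit without a human having to read the generated code first.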
Developers are relying more on open source
Software developers have been integrating far more open-source code into their projects in recent years, meaning they depend on code that was written externally and is repeatedly modified by individual contributors. Each open-source “package” pulls in an entire chain of third-party code: The average open-source JavaScript package relies on 377 third-party packages, and up to 90% of an application’s code is estimated to be open source.
Developers have far less control over the quality and security of these “dependencies.” A well-known example is Log4Shell (CVE-2021-44228), a flaw in the widely used Log4j logging library that let attackers execute code remotely on any system that logged attacker-controlled input; most affected teams had never chosen Log4j directly, it arrived through something else they depended on.
DevSecOps tools such as Software Composition Analysis, or SCA, inventory the open-source components of a codebase, including the transitive ones, and match them against known vulnerability advisories. Because they can do so rapidly and at scale, they flag a vulnerable dependency before it ships rather than after the headline.
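The core of an SCA check is a graph walk over the lockfile plus a version-range comparison against an advisory database. As an added example (not code from the article or from any SCA product), the script below reads a constructed npm `package-lock.json` (v3 layout, `"packages"` keyed by `node_modules/<name>` path), walks the transitive dependency graph from the root, and reports any package whose installed version falls inside a vulnerable range. The package names and advisory IDs (`demo-http`, `DEMO-2024-001`, and so on) are fictional and exist only for this example; the lockfile is assumed to be a flat tree with no nested `node_modules` directories, and the graph includes a dependency cycle so the walk has to be cycle-safe.

```python
import json
from typing import Dict, List, Tuple

# Constructed package-lock.json (v3 "packages" layout). The names are fictional.
# demo-log depends back on demo-http, which is a cycle the walker must survive.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"demo-http": "^1.0.0"}},
        "node_modules/demo-http": {"version": "1.4.0",
                                   "dependencies": {"demo-yaml": "^2.0.0", "demo-log": "^3.0.0"}},
        "node_modules/demo-yaml": {"version": "2.2.0", "dependencies": {"demo-log": "^3.0.0"}},
        "node_modules/demo-log": {"version": "3.1.5", "dependencies": {"demo-http": "^1.0.0"}},
    },
})

# Constructed advisory feed: [introduced, fixed) is the vulnerable range.
ADVISORIES = [
    {"id": "DEMO-2024-001", "package": "demo-yaml", "introduced": "2.0.0", "fixed": "2.3.1"},
    {"id": "DEMO-2024-002", "package": "demo-log", "introduced": "3.0.0", "fixed": "3.1.0"},
    {"id": "DEMO-2024-003", "package": "demo-unused", "introduced": "0.0.0", "fixed": "9.9.9"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "1.2.3" into (1, 2, 3). Pre-release suffixes ("-beta.1") are dropped for this demo."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def is_vulnerable(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed release itself is safe)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_lock(lock_text: str):
    """Return (root dependency names, {name: (version, [dependency names])})."""
    packages = json.loads(lock_text)["packages"]
    root_deps = list(packages[""].get("dependencies", {}))
    graph: Dict[str, Tuple[str, List[str]]] = {}
    for path, meta in packages.items():
        if path == "":
            continue
        name = path.split("node_modules/")[-1]  # assumption: flat tree, one copy per package
        graph[name] = (meta["version"], list(meta.get("dependencies", {})))
    return root_deps, graph


def walk(root_deps: List[str], graph) -> Dict[str, Tuple[str, List[str]]]:
    """Depth-first walk recording, for each reachable package, its version and one path to it."""
    reached: Dict[str, Tuple[str, List[str]]] = {}
    stack = [(name, [name]) for name in root_deps]
    while stack:
        name, path = stack.pop()
        if name in reached or name not in graph:
            continue  # already visited (cycle or diamond), or missing from the lock
        version, deps = graph[name]
        reached[name] = (version, path)
        for dep in deps:
            if dep not in reached:
                stack.append((dep, path + [dep]))
    return reached


def scan(lock_text: str, advisories) -> List[dict]:
    """Match every transitively installed package against the advisory list."""
    root_deps, graph = load_lock(lock_text)
    reached = walk(root_deps, graph)
    hits = []
    for adv in advisories:
        if adv["package"] not in reached:
            continue
        version, path = reached[adv["package"]]
        if is_vulnerable(version, adv["introduced"], adv["fixed"]):
            hits.append({"id": adv["id"], "package": adv["package"], "version": version,
                         "fixed_in": adv["fixed"], "path": " > ".join(path)})
    return sorted(hits, key=lambda h: h["id"])


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOCK, ADVISORIES):
        print(f"{hit['id']}: {hit['package']}@{hit['version']} via {hit['path']} (fixed in {hit['fixed_in']})")
```

Only `demo-yaml` is reported: the app never lists it directly, it arrives through `demo-http`, which is exactly the Log4j situation. `demo-log` is installed at a version past the advisory’s fixed release, so it is correctly not flagged, and `demo-unused` is not in the tree at all. A production SCA tool adds real semver range parsing, per-ecosystem lockfile formats and a live advisory feed, but the shape of the check is the same.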
Software releases have become more frequent
A few years ago, traditional development cycles left time for manual security reviews, since releases happened every few weeks. Now software is deployed every few hours. Faster deployments risk building up a “security debt” that compounds with each release.
It’s particularly important for automated tools to guard that continuous deployment path, because unchecked security debt leads to vulnerability proliferation: each undetected flaw becomes the foundation for dozens of features that depend on it, and removing it later means touching all of them.
Even smaller startups are being asked to meet security standards
While larger companies typically have DevSecOps capabilities, smaller startups have often prioritized product development over security. But nowadays, enterprises purchasing B2B SaaS are requiring those providers to obtain SOC 2 Type II compliance, which demands a holistic security program with evidence that controls operate over time.
That can’t be done without a robust code security strategy and tooling in place.
Code security has always been an important part of software development, but recent trends have shifted security closer to the active software development process, and therefore increased the need for fast and efficient security tools.
Sanket Saurav is the co-founder and CEO of DeepSource, a company with a mission to help developers write secure code with static analysis and AI.
Illustration: Dom Guzman