There are two things that unite all organisations that want to adopt DevSecOps but have not. First, they really want to do it. Second, they cannot find the time to do it. Between sprints and scrums, releases and refactors, features and fixes - it seems almost impossible to make time for a paradigm shift like DevSecOps.
The cheeky answer to "when to adopt DevSecOps" would be ‘now’ - especially since our business relies on it. However, when it comes to security, doing it right is more important than doing it right now. So how does one objectively define ‘when’ is a good time to start the DevSecOps journey? At Scantist, we applied the all-too-popular risk analysis framework to reduce the predicament to a conditional check, where:
Probability of Incident x Cost of Incident > Cost of DevSecOps Adoption
There are multiple ways to evaluate the probability of your organisation facing an application security-related incident. One is a macro approach - organisations have a 27.7% chance of experiencing a data breach in a given year, and about 43% of those are application related. Multiplying the two (27.7% x 43%) gives us an industry average of about 12%. Another approach could be based on lines of code - with an industry average defect rate of 15-50 per 1000 lines of code and 1% of those defects being exploitable vulnerabilities, you can quickly assess the probability based on your application’s complexity.
The cost of a cyber-incident can vary greatly depending on the type and size of the organisation, the jurisdiction it operates in and the type of incident itself. IBM and Ponemon Institute put the cost of a data breach at about $3.86 million globally, or about $2.71 million in ASEAN - with an estimated sticker price of $150 per personally identifiable record lost. In Singapore, an organisation can be fined as much as 10% of its annual revenue for a breach. Your individual estimation may lead to a different number, but this is an exercise we recommend every organisation undertake. The simple process of self-quantifying a potential breach in terms of business losses provides the right frame of reference needed to make security-related decisions.
Organisations - big or small - greatly overestimate the cost and effort associated with adopting DevSecOps. Budgets are often cited as a common hurdle, and the US DoD’s Defense Innovation Board even has a 10-page whitepaper to justify budgeting for DevSecOps.
The two major cost components are tools and manpower. Open-source tools from OWASP are maturing every day, and a growing number of application security vendors offer a freemium tier (including Scantist!) - so the cost of tooling can be as little as zero. Manpower costs vary by organisation, but in our experience setting aside about 10 work-days for each of your developers in the first year of implementation is a good start.
The above is an attempt at objectively evaluating whether now is the time for your organisation to adopt DevSecOps. Each organisation’s situation and priorities are different, but we hope this aids your decision-making process by providing the relevant context and industry data points.
If you think you are ready for DevSecOps, reach out to us and we’d love to help you with your journey!