Blogs
Published on
April 24, 2022

Now is not the time for DevSecOps. Or is it?

5
min read
Now is not the time for DevSecOps. Or is it?

Now is not the time for DevSecOps. Or is it?

There are two things that unite all organisations that want to adopt DevSecOps but have not. First, they really want to do it. Second, they cannot find the time to do it. Between sprints and scrums, releases and refactors, features and fixes - it seems almost impossible to make time for a paradigm shift like DevSecOps.

The cheeky answer to "when to adopt DevSecOps" would be ‘now’ - especially since our business relies on it. However when it comes to security, doing it right is more important than doing it right now. So how does one objectively define ‘when’ is a good time to start the DevSecOps journey? At Scantist, we applied the all-too-popular risk analysis framework to reduce the predicament to a conditional check, where:

Probability of Incident x Cost of Incident > Cost of DevSecOps Adoption

Probability of Incident

There are multiple ways to evaluate the probability of your organisation facing an application security-related incident. One is a macro approach - organisations have a 27.7% chance of experiencing a data breach in a given year and about 43% of those are application related. That gives us an industry average of about 12%. Another approach could be based on the lines of code - with an industry average defect rate of 15-50 per 1000 lines of code and 1% of those defects being exploitable vulnerabilities, you can quickly assess the probability based on your application’s complexity.

Cost of Incident

Cost of a cyber-incident can vary greatly depending on the type and size of the organisation, the jurisdiction it operates in and the type of incident itself. IBM and Ponemon Institute put the cost of data breach at about $3.86 million globally, or about $2.71 million in ASEAN - with an estimated sticker price of $150 per personally identifiable record lost. In Singapore, an organisation can be fined as much as 10% of its annual revenue for a breach. Your individual estimation may lead to a different number, but this is an exercise we recommend every organization to undertake. The simple process of self-quantifying a potential breach in terms of business losses provides the right frame of reference needed to make security related decisions.

Cost of DevSecOps Adoption

Organisations - big or small - greatly overestimate the cost and effort associated with adopting DevSecOps. Budgets are often cited as a common hurdle, and the US DoD’s Defense Innovation Board even has a 10-page whitepaper to justify budgeting for DevSecOps.

The two major cost components are tools and manpower. Open-source tools from OWASP are maturing everyday, and a growing number of application security vendors offer a freemium tier (including Scantist!) - so the cost of tooling can be as little as zero. Manpower costs vary by organisation, but in our experience setting aside about 10 work-days for each of your developers in the first year of implementation is a good start.

Pulling the Trigger

The above is an attempt at objectively evaluating if now is the time for your organization to adopt DevSecOps. Each organization’s situation and priorities are different, but we hope this aids your decision making process by providing the relevant context and industry data points.

If you think you are ready for DevSecOps but unsure where and how to start, reach out to us for a free consultation.

Related Blogs

Find out how we’ve helped organisations like you

Cybersecurity Innovation Day 2024 – Scantist’s Innovation of Supply Chain Security with AI Technology

Scantist commemorated the Cybersecurity Innovation Day 2024 on Monday, as one of the Singapore’s most vibrant cybersecurity community event held with regard to Cyber Security Organized by the Cyber Security Agency of Singapore (CSA) and the CyberSG TIG Collaboration Centre.

🌟 Celebrating the Success of NTU Cyber Security Day 2024! 🌟

We are excited to celebrate the successful completion of the 2024 NTU Cyber Security Day!

The Urgent Need for Vigilance in the Software Supply Chain

In an era where digital infrastructure underpins nearly every aspect of our lives, from banking, automotive to healthcare, the integrity of our software supply chain has never been more critical. Recent data from cybersecurity experts paints a stark picture: software supply chain attacks are occurring at an alarming rate of one every two days in 2024. This surge in attacks, targeting U.S. companies and IT providers most frequently, poses a severe threat to national security and economic stability.