What Does Self-Service Security Do for AppSec?

  • DevOps teams with high levels of security integration are more than twice as likely to use self-service security and compliance validation
  • Only 25% of orgs with low security integration can remediate security vulnerabilities in one day

As organizations mature their DevSecOps practices, one success factor stands out above all others: self-service tooling is central to folding security effectively into the development pipeline. The more self-service options an organization provides, and the more mature its approach to delivering them to DevOps teams, the faster and more effectively those teams fix vulnerabilities and develop applications securely.

This was one of the major security takeaways from the 2020 State of DevOps report recently released by Puppet Labs, which found that:

The self-service offering of security and compliance validation is positively related to level of security integration. Those with full security integration are over twice as likely as those with no security integration to offer security and compliance validation as a self-service capability.

And security integration, the study explained, is the secret sauce for swiftly fixing security flaws in software. Among DevOps organizations with low security integration, just 25% can remediate vulnerabilities within a day. Meanwhile, among those with the highest level of security integration (security checks included during requirements, design, building, testing, and deployment), 45% can fix their flaws within 24 hours.

As the report detailed, integrating security across all five stages “is more than just shifting security checks to the left.” These organizations have fundamentally rethought how security staff interact with DevOps teams and how tools and validation are used. Central to this rethink is the delivery of self-service tooling to DevOps teams. Organizations with the highest levels of integration are more than twice as likely to offer self-service security and compliance validation as those with low levels of security integration.

These offerings are often part of a broader push by high-maturity DevOps programs to provide a full range of operational self-service capabilities to developers through an internal platform approach. Internal platforms are often developed by a platform team that tends to the care and feeding of infrastructure, environments, deployment pipelines, and internal services that provide dev teams with what they need to build, deploy, and run their applications. The report found a strong tie between DevOps maturity and the use of internal platforms. The most mature firms were twice as likely as mid-level organizations to rely heavily on internal platforms, and six times more likely to lean on them than low-maturity orgs.

A key component of these platforms is self-service functionality.

“The platform team provides an interface between the underlying infrastructure and tooling and the teams consuming those services, enabling application teams to focus on building their products instead of nitty-gritty implementation or operational details,” the report explains. “Self-service enables developers to work at their own pace without having to make requests and wait for fulfillment.”

Whether the services offered are for security or other functions, the report authors recommend that organizations remember that platforms are not one-and-done projects.

“Once you’ve assembled a platform team, commit to keeping it in place so they can continue to develop and improve the platform, meeting new organizational needs as they arise,” the report says.