Interest in DevSecOps has surged in recent years, but many people probably don't know what it is, or why it has become especially important for tech companies in the age of AI.
When building software, someone has to make sure it doesn't contain bugs that can later be exploited by bad actors. Today's AI code generation tools can produce vast amounts of code quickly, but often with many hidden vulnerabilities. Adopting DevSecOps helps tech companies mitigate these risks, but it's a relatively new approach.
Twenty years ago, most companies deployed their code using three teams: development (writing code), operations (deployment) and security, which usually reviewed the code for vulnerabilities just before shipping. Security was often a reactive step occurring late in the process.
Development and operations eventually merged into DevOps, and in recent years, it became clear that security should be as close to the development process as possible, not an afterthought. DevSecOps was born. A number of changes have made it especially important for tech teams to adopt a robust DevSecOps strategy.
AI-generated code has intensified security needs

With today's generative AI tools, five developers can generate the work of 20 people. However, automation for code security has not kept pace, creating huge gaps in security compliance. Human reviewers simply can't deal with the surge in volume.
found that almost half the code had bugs that could lead to harmful exploitation. Every company today needs to be using automated code security tools, namely static application security testing (SAST) software, so the code they're rapidly shipping out doesn't shoot them in the foot tomorrow.
Developers are relying more on open source
Software developers have been integrating much more open-source code into their projects in recent years, meaning they depend on code that's been developed externally and repeatedly modified by individual contributors. Each open-source "package" uses an entire chain of third-party code: The average open-source JavaScript package relies on , and up to is estimated to be open-sourced.
Developers have far less control over the quality and security of these "dependencies." Real-life examples of this happening include , a widely used open-source program that had a serious security flaw allowing hackers to take control of devices that used it.
DevSecOps tools such as Software Composition Analysis, or SCA, analyze those open-source components of a codebase for any security vulnerabilities. Because they can do so rapidly and at scale, they can better insulate security-conscious teams.
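As an added illustration of what an SCA check does with that dependency chain (example code, not from the article or any particular SCA product), the script below walks a constructed, lockfile-like dependency graph and reports every path through which a version covered by a constructed advisory is pulled in. All package names, versions and advisory ids are hypothetical.

```python
# Added example, not from the original article: a minimal SCA-style scan over a
# constructed, lockfile-like dependency graph (all names and advisory ids hypothetical).

# package -> resolved version and direct requirements (constructed)
DEPENDENCIES = {
    "my-app":     {"version": "1.0.0", "requires": ["web-router", "log-fmt"]},
    "web-router": {"version": "2.3.1", "requires": ["path-match"]},
    "path-match": {"version": "0.9.4", "requires": ["tiny-util"]},
    "log-fmt":    {"version": "4.1.0", "requires": ["tiny-util"]},
    "tiny-util":  {"version": "1.2.0", "requires": []},
}

# constructed advisory feed; the affected range is [introduced, fixed)
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "tiny-util", "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "ADV-EXAMPLE-2", "package": "log-fmt",   "introduced": "4.0.0", "fixed": "4.0.9"},
]


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """True when version falls inside the advisory's half-open affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(root, deps=DEPENDENCIES, advisories=ADVISORIES):
    """Walk every dependency path from root and return
    {advisory id: [path 'a > b > c', ...]} for each affected version reached."""
    findings = {}

    def visit(name, path):
        node = deps[name]
        for adv in advisories:
            if adv["package"] == name and is_affected(node["version"], adv):
                findings.setdefault(adv["id"], []).append(" > ".join(path))
        for child in node["requires"]:
            if child not in path:          # do not loop on cyclic requirements
                visit(child, path + [child])

    visit(root, [root])
    return findings
```

Running `scan("my-app")` flags tiny-util 1.2.0 twice, once via web-router and once via log-fmt, while log-fmt 4.1.0 is not flagged because it is past the advisory's fixed version; reporting the full path is what tells a developer which direct dependency to bump.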
Software releases have become more frequent
While a few years ago, traditional development cycles allowed time for manual security reviews (releases happened every few weeks), software releases now get deployed every few hours. Faster deployments risk creating a "security debt" that compounds with each release.
It鈥檚 particularly important for automated tools to step in to secure that continuous deployment, or the security debt could lead to vulnerability proliferation, as each undetected flaw becomes the foundation for dozens of dependent features.
Even smaller startups are being asked to meet security standards
While larger companies typically have DevSecOps capabilities, smaller startups have often focused on product development over security. But nowadays, enterprises purchasing B2B SaaS are compelling those providers to obtain SOC2 Type 2 compliance, which demands a holistic security program.
That can鈥檛 be done without a robust code security strategy and tooling in place.
Code security has always been an important part of software development, but recent trends have shifted security closer to the active software development process, and therefore increased the need for fast and efficient security tools.
is the co-founder and CEO of , a company with a mission to help developers write secure code with static analysis and AI.