Goodbye DevSecOps, Hello DevLess Security

November 22, 2023

Over the past few months, we have all witnessed first hand the seismic shifts of AI that have rocked the software development and IT industry as a whole. And while the world is enthralled by OpenAI, Co-Pilot and AutoGPT among other, a new door has unlocked that revolutionizes how we perceive and implement application security. A world where everyone is empowered to secure their applications, regardless of their coding skills. A world where developers are no longer the sole bearers of the application security burden. A **DevLess (developer-less) Security** world.

History of Code-level Security and Static Analysis

Let's jump into our time machine and travel back to the dawn of the digital age. Security, even then, was a cornerstone of technology. With the emergence of intricate codebases and modern programming languages, the specter of vulnerabilities loomed large.

Static analyzers and code review tools emerged shortly after. Notable among them was the community-led initiative of SonarQube in 2006-7, a tool that revolutionized code-level security by examining code for potential flaws and threats before they infested our software systems. Gone were the days of manually scanning code line by line - a gargantuan task for developers who were eager to build, innovate and create. Over the years other commercial (e.g. Coverity, Fortify) and open-source (e.g. Semgrep, CodeQL) tools joined the fray, each with their own unique approach to code-level security.

The Rise of DevSecOps

Fast forward to 2015. DevOps is gaining steam, and digital risks are multiplying. The need for a proactive approach to security is growning by the day. Enter DevSecOps and Shift-Left, philosophies where security wasn't a solitary guard by the gate but a team effort.

Developers found themselves cast in leading roles as they were pushed front and center of application security. Why? Well, the prevalent notion was that our security and operations teams, although skilled in their domains, lacked the coding prowess needed to handle this colossal task. Software needed to be secure by design, and the earlier the issue was found and fixed - the better the outcome. The baton of securing applications, therefore, landed squarely in the developer's lap. Policies were configured, code-review and static analysis tools were integrated, and the journey began.

Limitations of DevSecOps

DevSecOps, despite its ambitious vision, had a few thorns along its path. While a well-intentioned and necessary stepping stone in our journey, it under-estimated developer workloads and priorities while over-estimating their ability (and willingness) to secure applications. These issues manifested in the following ways:

  • Workflow Disruption: Security tasks acted as speed bumps in the developer's creative journey, interrupting their flow of coding.
  • Lack of Incentives: Securing applications wasn't a task developers were traditionally rewarded for, leading to a disconnection between effort and gratification.
  • Dwindling Creativity: Developers, who are fundamentally creators, found security patching to be mundane and less creative, dulling their zest for innovation.

The Future: DevLess Security

Large Language Models (LLMs) and Code-Generation AI, despite their limitations, find a sweet spot in routine tasks that are well-structured, repetitive and have some degree of fault-tolerance and/or human supervision. Security patching fits the bill perfectly. This innovation heralds the dawn of developer-less security.

At Patched, we seamlessly integrate with existing code review tools and static analyzers, automatically spotting and fixing code-level issues. This allows security and risk teams to patch code, even with minimal coding skills. It's akin to executives querying vast data for business insights, with no requirement to be data scientists. And all of this is just a start.

That said, developer-less security isn't about sidelining developers. Instead, it's about reducing their involvement in routine security tasks. At Patched, we create fully-vetted Pull Requests (PRs) with the identified fixes, handing back the reins to developers for the final review. Our patches go through rigourous manual and automated checks before they are shared with your developer teams - eliminating all the hallucinations, biases and logical errors made by AI-only approaches. This harmonious balance ensures sturdy security without impeding your developement team's creative process.

So what does this all mean? In our experience, it means you fix 2.4x as many issues, in 1/6th the time, while cutting the total developer effort required in half. But perhaps more importantly, it means your development team can focus on what matters most - building and innovating.

The Journey Ahead

As we venture forth, remember that DevLess Security is about enabling and optimizing, not about eradicating. It's about sharing not just the responsibility of security, but also the effort - making it less of a burden and more of a collaboration.

Tools like Patched will play an instrumental role in this transition, making automatic patching, integrated code review, and efficient utilization of static analyzers an industry standard. As we embrace this new paradigm, the journey ahead is bright, promising, and less reliant on developers for routine tasks. The next chapter of application security is just beginning - are you ready to be part of the story?

Stop Scanning. Start Patching.
Patched increases your security coverage, not your workload.
Get Patched