Happy Appetite!Software is eating the world, or so say DevOps leaders such as Marc Andreessen, general partner at Andreessen Horowitz as most companies are becoming software companies as well as purveyors of their primary goods and services in order to be more competitive.Experts agree that DevOps is eating software, too. \u201cI believe that in five to 10 years DevOps practices will be mainstream. People will view DevOps as the correct way to do software development,\u201d says Tom Stiehm, CTO of Coveros. In that respect, says Stiehm, DevOps is eating software development.Secure coding practices should likewise envelope DevOps, sealing many of the holes that criminal hackers would otherwise exploit. As DevOps accelerates software development, foot-draggers will have a hard time holding that secure coding practices slow software delivery. If developers use DevOps\u2019 many ingress points to fix security vulnerabilities like they do to fix code, secure coding could swallow DevOps whole and become the norm across software development.[ MORE DEVOPS: CSO Survival Guide: Securing DevOps ]\u201cDevOps shifts the focus of development to producing the best possible outcome for the customers. The new focus includes a shared understanding that security is essential to establishing and maintaining customer trust,\u201d says Otto Berkes, CTO, CA Technologies and the first architect of Xbox at Microsoft.Gartner includes \u201cSecurity Testing for DevOps\u201d in its 2016 Top 10 Technologies for Information Security. CSO looks at the issues and why DevOps will increase secure coding practices.DevOps, the perfect environment for secure codingDevOps is a good opportunity to make secure coding the norm across software development if secure coding envelopes DevOps as DevOps envelopes software. \u201cImproved security is a core benefit of DevOps methodologies and is one of the reasons that DevOps is such a powerful movement. Customers expect to have a great software experience, and that has to include security as a basic ingredient,\u201d says Berkes.For many enterprises, DevOps automation techniques have hastened software development to a pace that has itself arrived (become possible) well ahead of schedule. It takes the video entertainment broadcasting behemoth Netflix, which the literature on DevOps regularly touts as a prime example a mere 16 minutes to translate Janitor Monkey, its cloud resiliency and maintenance service from code check-in to a full, multi-region (global) deployment, according to a recent company blog post. \u201cNetflix is the poster child for DevOps speed and agility, having pioneered the development approach for many industries,\u201d says Mike Kail, Co-Founder of Cybric and former CIO at Yahoo.High-performing IT organizations\u2014the ones that use DevOps development practices and methodologies\u2014deploy software 200 times more frequently than low performers, according to the 2016 State of DevOps Report. The sheer volume of software development that DevOps makes possible makes it uncannily intuitive to add secure coding practices without slowing deployments. \u201cThe move to CI\/CD as part of the agile development process leverages automation in what used to be a manual process, which adds incredible speed. Integrating security tools into that pipeline is now much easier than coordinating across multiple manual steps, involving multiple engineers,\u201d says Kail.With the extreme drought of cyber security engineers, which the industry expects to continue if not broaden, the automation that is native to DevOps is critical to increasing and enforcing secure coding practices, if the industry is going to do it at all, says Kail.DevOps overturns objections to secure codingObjections to instituting secure coding practices have included disagreement over the need for it and how to apply it as well as added costs, slowing development, and postponing release dates.When enterprises start to implement DevOps, they acquire a more holistic view of what goes into software delivery; they can then ask where the risks exist and how to mitigate those during development rather than later on, says Josh Atwell, co-author, DevOps for VMware Administrators.As DevOps grows in popularity, overshadowing other development methodologies due to its competitive and cost-saving advantages, the security industry should take opportunity, preparing to immediately inform and propel best practices in secure coding into the DevOps pipeline. \u201cDevOps, and the implementation of a functional framework, can permit security professionals to provide specific security functions to apply in the code and during testing,\u201d says Atwell.[ MORE ON CSO: Does DevOps hurt or help security? ]DevOps ultimately creates savings and speeds development through efficiencies and automation, multiplies the number of releases possible in the same time frame, and creates new revenues through competitive advantage.\u201cMake It So, Number One\u201dTom Stiehm, CTO, Coveros, suggests methods for driving secure coding practices deep into the heart of DevOps, including:Add as many security settings, as much scanning and analysis to software build pipelines as possible, whether by simply adding a few open source tools to the pipeline or by taking more complex steps.Make data collection and automated testing as easy as possible for the team to use while ensuring that leveraging the test results is equally within reach.Work with the open source tools that do scanning and analysis to improve associated rules and capabilities.Champion those security tools in the build pipeline and help software delivery teams understand the value of improved security.\u201cBy employing secure coding processes throughout the application delivery lifecycle, shifting automated testing to earlier in the development process, and increasing opportunities to find and fix security issues, everyone benefits,\u201d says Berkes.Prose on probabilitiesWhether the industry will leverage DevOps to inject secure coding remains a mystery with only time completing the tale. \u201cImproved implementation of secure coding and security practices into the software development lifecycle certainly has the potential for easier adoption in a DevOps ecosystem,\u201d says Atwell. Still, as with any new disruptive technological change, some enterprises will experience costly lessons at the outset, and many will have to find their own path to DevOps tranquility due to specialized industry vertical business requirements and market opportunities that are unique to each organization.