What is DevSecOps ?

DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a ‘Security as Code’ culture with ongoing, flexible collaboration between release engineers and security teams. The DevSecOps movement, like DevOps itself, is focused on creating new solutions for complex software development processes within an agile framework.


DevSecOps is a natural and necessary response to the bottleneck effect of older security models on the modern continuous delivery pipeline. The goal is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of code. Silo thinking is replaced by increased communication and shared responsibility of security tasks during all phases of the delivery process.

In DevSecOps, two seemingly opposing goals, “speed of delivery” and “secure code”, are merged into one streamlined process. In alignment with lean practices in agile, security testing is done in iterations without slowing down delivery cycles. Critical security issues are dealt with as they become apparent, not after a threat or compromise has occurred.

Why is DevSecOps relevant now?

The answer can be derived from where DevSecOps originates. Today’s market calls for the flexibility to change software rapidly, sometimes several times per day, in response to customers’ needs. Agile development teams have adapted to this demand. However, old security models, poorly suited to rapid delivery cycles, can quickly derail agile release cycles and throw a wrench in the works for an organization’s evolving software products.

Security must be integrated into the DevOps cycle.

But why?

While “software is eating the world”, its development is subject to major changes.

Core processes are automated and linked to each other. Therefore, software must become robust in order to avoid disruption of core processes.

Users and customers have come to expect functionality that solves their everyday problems. Users have become “spoiled”, more critical and more demanding. Software needs to get better and faster to meet the increasing demands of users. A great deal is being invested in increasing the productivity of software development and software development teams.

Developments in IT infrastructure enable this productivity increase. Software-based infrastructure services have become available through cloud technology. Infrastructure “disappears behind the plug” and can be accessed via software. There is huge growth in vendors who, utilizing the capabilities of cloud technology, offer tooling and services that software development teams can use to automate their processes, development pipelines and application development environments.

Investing in collaboration and automation

By investing in software development processes through such tools, the traditional forms of collaboration between designers, software developers, testers, administrators and software quality assurance officers are changing. This collaboration is becoming more intensive, so that traditionally (also physically) separate departments such as “development” and “operations” end up in multifunctional “DevOps” teams.

DevOps teams use tooling to automate traditional manual work, such as configuring servers and networks, performing integration and regression tests, and checking program code for weaknesses.

The automation of security checks on the software is increasingly important for DevOps teams, for four reasons.

First of all, because the continuity and reputation of an organization are increasingly related to the quality of the software.

Secondly, DevOps aims for software to be improved and delivered to software users in increasingly shorter lead times. If it turns out that software is not secure, teams are forced to solve security problems, which comes at the expense of building new features with value for the end user.

Thirdly, the traditional IT boundaries of organizations are blurring. By using public and hybrid cloud services, firewalls are no longer adequate and the emphasis is increasingly on the robustness of the software application itself.

Finally, open source components are increasingly being used. These evolve publicly and continuously, and so do their publicly known weaknesses and vulnerabilities. To prevent third parties from abusing publicly known weaknesses, code should not be checked once but continuously against the most current known weaknesses.

Many companies that invest in DevOps notice that their productivity is slowed down because security causes a lot of incidents. Software development teams are therefore looking for methods to automatically enforce the security quality of code directly in the software development process. These methods are relatively new and still in full development. The fashionable slogan for this is currently “DevSecOps”. Best practices are available, but scarce. Araido offers this in its training courses.

How is it different from DevOps?

Whether you call it “DevOps” or “DevSecOps,” it has always been ideal to include security as an integral part of the entire app life cycle. DevSecOps is about built-in security, not security that functions as a perimeter around apps and data. If security remains at the end of the development pipeline, organizations adopting DevOps can find themselves back in the long development cycles they were trying to avoid in the first place.

In part, DevSecOps highlights the need to invite security teams at the outset of DevOps initiatives to build in information security and set a plan for security automation. It also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats. It’s possible this can include new security training for developers too, since it hasn’t always been a focus in more traditional application development.


What are the benefits of a DevSecOps approach?

Security protocols that are baked into the development process rather than added as a “layer on top” allow DevOps and security professionals to harness the power of agile methodologies, together as a team, without short-circuiting the goal of creating secure code.

The top two benefits of security operations (SecOps):

  1. Better ROI on existing security infrastructure
  2. Improved operational efficiencies across security and the rest of IT

Another top benefit is the ability to make full use of cloud services. For example, organizations running services in the Amazon Web Services (AWS) cloud reap the benefits of increased preventive and detective security controls within the continuous integration and deployment model of AWS. As more organizations rely on cloud applications to keep operations up and running, security efforts independent of those performed by AWS are crucial to prevent costly downtimes.

The security measures inherent in DevSecOps have many other advantages. These include:

  • Greater speed and agility for security teams
  • An ability to respond to change and needs rapidly
  • Better collaboration and communication among teams
  • More opportunities for automated builds and quality assurance testing
  • Early identification of vulnerabilities in code
  • Team members are freed up for high-value work


What does a DevSecOps approach look like?

It is a shift. A cultural and technical shift towards a DevSecOps approach helps enterprises address security threats more effectively, in real time. It is important to view security teams as a valuable asset that helps prevent slowdowns rather than as a hindrance to agility. For example, early detection of a poorly designed application that cannot scale in the cloud saves valuable time, resources, and computing costs.

Scalability in the cloud requires embedding security controls on a larger scale. Continuous threat modeling and management of system builds is needed as technology-driven businesses evolve at a rapid pace.


Important components of a DevSecOps approach:

  1. Code analysis – deliver code in small chunks so vulnerabilities can be identified quickly.
  2. Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.
  3. Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance etc.).
  4. Threat investigation – identify potential emerging threats with each code update and be able to respond quickly.
  5. Vulnerability assessment – identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched.
  6. Security training – train software and IT engineers with guidelines for set routines.
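To make components 2, 3 and 5 above concrete, here is an added example (not from the article or from Araido) of a minimal ‘Security as Code’ policy gate: it takes scanner findings in a constructed, tool-neutral format, decides whether a change may proceed, flags open findings that have exceeded an assumed remediation SLA, and produces an evidence record for audit. The severity thresholds and SLA days are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Policy as code: maximum days a finding of each severity may stay open (assumed values).
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}
BLOCKING = {"critical", "high"}  # open findings of these severities fail the change outright


@dataclass(frozen=True)
class Finding:
    id: str           # scanner's identifier for the issue
    severity: str     # one of the SLA_DAYS keys
    first_seen: date  # date the finding first appeared in this code base
    fixed: bool = False


def overdue(f: Finding, today: date) -> bool:
    """True if an unfixed finding has been open longer than its SLA allows."""
    return not f.fixed and (today - f.first_seen).days > SLA_DAYS[f.severity]


def evaluate(findings: list[Finding], today: date) -> dict:
    """Return the gate decision together with an evidence record suitable for an audit."""
    open_findings = [f for f in findings if not f.fixed]
    blocking = [f.id for f in open_findings if f.severity in BLOCKING]
    late = [f.id for f in findings if overdue(f, today)]
    return {
        "date": today.isoformat(),
        "passed": not blocking and not late,
        "blocking": blocking,    # new critical/high issues stop the change (change management)
        "overdue": late,         # older issues past their remediation SLA (vulnerability assessment)
        "open_count": len(open_findings),
    }


# Constructed sample findings; these are not real scanner output.
SAMPLE = [
    Finding("DEP-001", "high", date(2024, 5, 1), fixed=True),
    Finding("SAST-017", "medium", date(2024, 4, 1)),  # 40 days open on 2024-05-11
    Finding("DEP-002", "low", date(2024, 5, 10)),
]

if __name__ == "__main__":
    # Storing this record per pipeline run gives the continuous compliance evidence named above.
    print(evaluate(SAMPLE, date(2024, 5, 11)))
```

The same function can be run on every commit, so a change is judged as soon as it is submitted rather than at the end of the release.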

If you haven’t already begun the process, the time is now to merge your security goals with DevOps and implement ‘Security as Code’ DevSecOps best practices.