What is DevSecOps?
DevSecOps is the philosophy of integrating security practices within the DevOps process. DevSecOps involves creating a ‘Security as Code’ culture with ongoing, flexible collaboration between release engineers and security teams. The DevSecOps movement, like DevOps itself, is focused on creating new solutions for complex software development processes within an agile framework.
DevSecOps is a natural and necessary response to the bottleneck effect of older security models on the modern continuous delivery pipeline. The goal is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of code. Silo thinking is replaced by increased communication and shared responsibility of security tasks during all phases of the delivery process.
In DevSecOps, two seemingly opposing goals, “speed of delivery” and “secure code”, are merged into one streamlined process. In alignment with lean practices in agile, security testing is done in iterations without slowing down delivery cycles. Critical security issues are dealt with as they become apparent, not after a threat or compromise has occurred.
Benefits of a DevSecOps Approach
Security protocols that are baked into the development process, rather than added as a “layer on top”, allow DevOps and security professionals to harness the power of agile methodologies together as a team, without short-circuiting the goal of creating secure code.
A 2017 EMA report found that the top two benefits of security operations (SecOps) were better ROI on existing security infrastructure and improved operational efficiency across security and the rest of IT.
Another top benefit identified in the study was the ability to make full use of cloud services. For example, organizations running services in the Amazon Web Services (AWS) cloud reap the benefits of increased preventive and detective security controls within the continuous integration and deployment model of AWS. As more organizations rely on cloud applications to keep operations up and running, security efforts independent of those performed by AWS are crucial to prevent costly downtime.
The safety measures inherent in DevSecOps have many other advantages. These include:
- Greater speed and agility for security teams
- An ability to respond to change and needs rapidly
- Better collaboration and communication among teams
- More opportunities for automated builds and quality assurance testing
- Early identification of vulnerabilities in code
- Team members are freed to focus on high-value work
DevSecOps vs. Rugged DevOps
DevSecOps and Rugged DevOps are both critical in a market where software updates are often performed multiple times per day and old security models simply can’t keep up. DevSecOps adds robust security methods to traditional DevOps practices from Day 1. Rugged DevOps engineers security measures into all stages of software design and deployment.
Adding the term “rugged” to DevOps means adding increased trust, transparency, and a clearer understanding of probable risks. It is an accelerated approach where security parameters are put into practice at the start of the project and penetration tests applied throughout the development cycle. Rugged is a mindset that brings tougher controls, and it thrives in an environment where developers are motivated to continually make code more secure.
The Rugged Manifesto puts it this way:
“I am rugged because I refuse to be a source of vulnerability or weakness.”
“I am rugged because I assure my code will support its mission.”
“I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.”
In a DevSecOps environment, automated testing is performed throughout the development cycle. Ruggedizing the process means making security a higher priority. This includes incremental safety improvements in the continuous delivery pipeline (AWS or other), regular threat assessment using security games, and adding security testing to automated processes.
Getting Started with DevSecOps
A cultural and technical shift towards a DevSecOps approach helps enterprises address security threats more effectively, in real time. It is important to view security teams as a valuable asset that helps prevent slowdowns, rather than as a hindrance to agility. For example, early detection of a poorly designed application that cannot scale in the cloud saves valuable time, resources, and computing costs.
Scalability in the cloud requires embedding security controls on a larger scale. Continuous threat modeling and management of system builds are needed as technology-driven businesses evolve at a rapid pace.
Here are six important components of a DevSecOps approach:
- Code analysis – deliver code in small chunks so vulnerabilities can be identified quickly.
- Change management – increase speed and efficiency by allowing anyone to submit changes, then determine whether the change is good or bad.
- Compliance monitoring – be ready for an audit at any time (which means being in a constant state of compliance, including gathering evidence of GDPR compliance, PCI compliance, etc.).
- Threat investigation – identify potential emerging threats with each code update and be able to respond quickly.
- Vulnerability assessment – identify new vulnerabilities with code analysis, then analyze how quickly they are being responded to and patched.
- Security training – train software and IT engineers on guidelines for set routines.
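As an added example, not part of the original article, of turning the vulnerability-assessment component into ‘Security as Code’: a pipeline gate that measures how quickly findings are being fixed (time to remediate per severity) and fails the build stage when a critical finding has stayed open past its remediation SLA. The Finding schema, the SLA values and the sample findings are all constructed for this example and do not come from any real scanner or project.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Remediation SLAs in days per severity (assumed values for this example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    finding_id: str
    severity: str
    first_seen: datetime          # when the scanner first reported it
    fixed_at: Optional[datetime]  # None while the vulnerability is still open

def days_open(finding: Finding, now: datetime) -> int:
    """Days from first detection to the fix, or to 'now' if still open."""
    return ((finding.fixed_at or now) - finding.first_seen).days

def sla_breaches(findings: List[Finding], now: datetime) -> List[Finding]:
    """Open findings that have stayed unfixed longer than their severity allows."""
    return [f for f in findings if f.fixed_at is None
            and days_open(f, now) > SLA_DAYS.get(f.severity, SLA_DAYS["low"])]

def mean_time_to_remediate(findings: List[Finding]) -> float:
    """Average days from detection to fix, over findings already closed."""
    closed = [f for f in findings if f.fixed_at is not None]
    if not closed:
        return 0.0
    return sum(days_open(f, f.fixed_at) for f in closed) / len(closed)

def security_gate(findings: List[Finding], now: datetime) -> Tuple[bool, List[Finding]]:
    """Pass only if no critical finding has breached its SLA; others are just reported."""
    breaches = sla_breaches(findings, now)
    return (not any(b.severity == "critical" for b in breaches), breaches)

# Constructed sample findings (not from any real scanner or project).
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Finding("VULN-1", "critical", datetime(2024, 5, 20), None),
    Finding("VULN-2", "high", datetime(2024, 5, 10), None),
    Finding("VULN-3", "medium", datetime(2024, 1, 1), datetime(2024, 2, 1)),
    Finding("VULN-4", "high", datetime(2024, 3, 1), datetime(2024, 3, 11)),
]

if __name__ == "__main__":
    passed, breaches = security_gate(SAMPLE, NOW)
    print(f"MTTR over closed findings: {mean_time_to_remediate(SAMPLE):.1f} days")
    for b in breaches:
        print(f"SLA breach: {b.finding_id} ({b.severity}) open {days_open(b, NOW)} days")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Run as a step after the scanner in the pipeline, the non-zero exit blocks delivery only for critical SLA breaches, while the MTTR figure gives the team the trend the vulnerability-assessment component asks for.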
If you haven’t already begun the process, the time is now to merge your security goals with DevOps and implement ‘Security as Code’ DevSecOps best practices.