Devsecops explained in 5 minutes
Where Did DevSecOps Come From? In this topic “DevSecOps explained in 5 minutes” we’ll attempt to give readers an overview of DevSecOps, and how it came about …
What is DevSecOps?
For many organizations, implementing a DevOps mindset involves “bridging the gap”—or “removing silos between”—software development and IT operations teams, often with the goal of being able to release software faster, and with greater stability.
DevSecOps, then, is an extension of the DevOps mindset, and is often described as “shifting security left” (i.e., earlier) in the software development lifecycle (SDLC), rather than tackling security reviews/inspections at the end of the cycle, when any findings requiring mitigation are more difficult and costly to implement.
As a side note, we have taken to saying SecDevOps here at AlphaBravo. Putting security first is becoming more imperative these days and from a selfish perspective, helps reduce the likelihood of having “resume generating events” (getting fired).
Requirement does not mean in practice
These principles aren’t new, and they seem pretty straightforward in theory, but the reality is, in practice, many organizations aren’t operating this way.
If security is prioritized by an organization, it is often aimed at achieving the minimum criteria, usually with a siloed security team.
Developing software is often complex and an iterative process of trial and error. During the development lifecycle, introducing the stringent security requirements of the organization should be considered, but not at the expense of development complexity.
The functions that the application is meant to perform may not work when the expected security precautions and best practices are applied. But, that often complicates things for the developers. Does it not work as expected because the code needs work, or because the security being applied is breaking the process in some way.
Many developers then take the path of “make it work, then make it secure”. So how can the overall process ensure that the proper security protocols are followed while not unnecessarily burdening your dev teams?
Building quality into your CI/CD process.
Having security built in to your CI/CD process does not absolve the dev teams of writing good code in the first place, but it shifts the burden of code review and best practices application into a trackable and repeatable area of development.
Implementing codified security requirements and having high quality tests that ensure that every build is checked in the same way is one way your organization can reduce the likelihood that human error is to blame for missing security issues.
By integrating security measures into all stages of the DevOps pipeline, from the initial open source component selection to building, staging, and releasing your application you’re also doing things like:
- Scanning and evaluating the open source component risks in both new and existing legacy applications
- Blocking “bad” OSS components from ever entering your ecosystem in the first place
- Continuously monitoring all applications in production, automatically alerting development teams when vulnerabilities arise that affect their applications.
- Managing your microservice and container lifecycles in a methodical and intentional manner.
- Applying version control to the test process so that over time you can make iterative and informed changes to make these tests better.
Make Security Everyone’s Job
By making Security part of the DevOps process, you also leverage the knowledge, continued education and intuition of your entire team. All members are empowered to have a part in the discussion, bring up things that they see as potential issues, and suggest newly learned or novel solutions to ensure that your application is secured and risks are mitigated.
While your InfoSec team may still spend the lion’s share of their time focused on this, the people with a deeper understanding of the code and application requirements (the developers) are now at the forefront of protecting your organization.
Before you go, take a few minutes to check out this short video from RedHat about DevSecOps. They do a great job of touching on the key aspects of security in DevOps.