DevSecOps is the practice of integrating security into development and operations. It emphasizes that security is a shared responsibility throughout the entire product development life cycle. DevSecOps represents a culture in which we strive to build products faster and safer, and in which we detect and respond to security findings early in the process rather than reacting to them after the fact.
What is DevSecOps?
Practically, DevSecOps is the art of integrating the three pillars of the software development life cycle: development, operations and security.
To achieve this we introduce Continuous Integration and Continuous Deployment (CI/CD) pipelines in both staging and live production environments. Let’s take a look at each of these departments individually, see what role it plays in the software development life cycle, and see how it can be integrated with the others.
Creating new software components, improving them and shipping subsequent updates is the main responsibility of this department. This includes, but is not limited to:
- In-house apps to support various operations
- APIs to support the integration between legacy and new systems
- Apps and software built on open-source technologies, which help accelerate the development process
Modern development practices are based on agile methodologies, which prioritize continuous improvement over the sequential, orthodox approach in which the whole product has to be developed before it is tested for bugs.
Developing good software is just one step of the process; the next and more important step is to ensure that it is deployed properly and that all the requirements for it to work correctly are met.
Operations plays its role here and helps manage the software across its life cycle:
- Performance Monitoring
- Logging & Monitoring
- Deploying New Infrastructure
- Maintaining infra for new releases
Security is the third part of this methodology and refers to securing the product itself. It includes information security, application security and infrastructure security.
Earlier, security testing came at the end of the product life cycle, once the product was fully developed, and was done by a team completely separate from operations and development. This approach slows the overall development process and also lengthens the reaction time whenever a security incident happens.
Additionally, security tools themselves have generally been siloed. Each application security tool considers only its own application, and frequently just that application’s source code. This made it difficult for anyone to have an organization-wide view of security concerns, or to understand security risks in the context of the production environment.
By making security an essential part of the process, from the initial plan to the final release, these three core components of the software development life cycle can be aligned.
Why is DevSecOps different?
The conventional software development approach is the cascade (waterfall) approach, in which each unit of the development life cycle, i.e. development, operations and security, works in a silo with no mutual coordination, and one phase starts only after the previous one ends.
In many teams, cascade has to a great extent been supplanted by Agile methodology, in which a project is divided into multiple sprints. But in many organizations security testing is still delayed until after development, just as in the cascade style! This delay degrades developer productivity and forces developers to backtrack in order to fix the security issues that the late testing turns up.
DevSecOps, on the other hand, enables security testing to happen continuously and automatically, within the same overall time frame in which regular development and QA testing of the software product take place.
For instance, with the agile methodology of DevSecOps, engineers can run security tests in the same time frame as development, which saves the time lost to context switching when security tests are carried out only after development has finished.
DevSecOps Best Practices
We’ll discuss some of the building blocks of the DevSecOps methodology and how to implement them.
Secure Code Practice
The first and foremost thing is to educate developers about basic security hygiene and give them the learning opportunities they need to learn how to write secure code. Secure coding builds resistance to vulnerabilities from the very beginning, which saves a lot of the effort and time spent when those vulnerabilities are instead discovered and patched at the completion of the product. Moreover, IDE extensions such as Snyk can be provided to developers to help them detect vulnerabilities at the very start of the process.
As in DevOps, automation is key in DevSecOps as well. To ensure that code is checked for security on every push to the code repository, security automation must be built into the CI/CD pipeline.
Various tools can be used to look for potential security vulnerabilities in a code release, such as Static Application Security Testing (SAST) tools, which can scan for and detect vulnerabilities on every push so that they are addressed early in the development process.
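One way to wire a SAST scan into the pipeline so that every push is gated, as an added example that is not from the original article: it assumes a GitHub Actions workflow, a Python code base under src/, and Bandit as the scanner.

```yaml
# .github/workflows/sast.yml  (assumed path; example added here, not the article's own)
name: SAST on every push

# Run on every push to any branch and on every pull request,
# so findings surface before the change is merged.
on: [push, pull_request]

permissions:
  contents: read   # least privilege: the scan only needs to read the checkout

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install the SAST scanner (Bandit; assumes a Python code base)
        run: python -m pip install --upgrade pip bandit

      # Gate the build: Bandit exits non-zero when it reports a finding, so any
      # issue of medium-or-higher severity (-ll) and medium-or-higher
      # confidence (-ii) fails this job and the push is flagged immediately.
      # Weak setting to avoid: adding --exit-zero makes the step report but
      # never block, which turns the gate back into an after-the-fact review.
      - name: Run Bandit and fail on findings
        run: bandit -r src -ll -ii -f json -o bandit-report.json

      # Keep the JSON report even when the scan fails, so developers can triage it.
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit-report.json
```

The same pattern applies to any other SAST tool that returns a non-zero exit status on findings; only the install and run steps change.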
Shift Left Approach
Unlike the cascade approach discussed earlier, where one phase must end completely before the next can start, the shift left approach moves security concerns to the very beginning of the process and addresses them during the development phase. It is a win-win for both developers and security engineers: developers can fix vulnerabilities with far less effort than if they had to do so once the product is fully developed, and security engineers get a product that is built securely from the beginning.
A common challenge with shifting left is that it can disrupt your ongoing DevOps processes, which can be uncomfortable for everyone at first, but adopting the shift left mentality is definitely worth considering and will benefit your environment in many ways.
To conclude, DevSecOps is a complete culture change within the organization. It requires active involvement and effort from every team involved in the development process. Automation is the magic word here: automate every process you can, whether deploying infrastructure as code (IaC), writing security unit tests or running dynamic application scanning.
Educate and empower people to adopt modern ways of developing a secure product, and give them all the means they need to learn secure coding and to bake security in at the very beginning of the process.