Introduction

DevSecOps is the process of integrating security amidst the development and operations. It emphasizes the fact that security is the shared responsibility throughout the entire product development life cycle. DevSecOps represents a culture where we strive to build products faster and safer and we detect and respond to security findings early in the process rather than doing that in a reactive manner.

What is DevSecOps?

Practically, DevSecOps is an art of integrating 3 pillars of software development life cycle that are:

• Development
• Security
• Operations

To achieve this we introduce Continuous Integration and Continuous Deployment (CI/CD) pipelines in both staging and live production environments. Let’s take a look at each of the departments individually and see what role it plays in the software development lifecycle and how we can integrate it with other departments.

Development: 

Creating a new software components and improving them and consequent updates is the main responsibility of this department, this includes but not limited to below:

• In house apps to support various operations
• APIs to support the integration between legacy and new systems
• Apps and softwares built by opensource technologies that basically helps accelerate the development process

Latest development styles are more based upon agile methodologies that prioritize continuous improvement rather than a sequential form of orthodox implementation in which we have to wait for one complete development to occur and then test for bugs.

Operations:

Developing a really cool software is just one step of the process and the next and more important step is to ensure that it is deployed properly and all necessary requirements are met in order for this software to work properly. 

Operations plays its role over their and helps to manage software functionalities across it’s life cycle:

• Performance Monitoring
• Logging & Monitoring
• Deploying New Infrastructure
• Maintaining infra for new releases

Security:

Security is another part of this methodology, which basically refers to securing the product essentially. It includes information security, application security and infrastructure security.

Earlier, the security testing role comes at the end of product lifecycle when it’s fully developed which is done by a completely different team from operations and development. This approach slows the overall development process and also impacts the reaction time whenever a security incident happens.

Additionally, security tools themselves have generally been siloed. Every application security considers that application, and frequently just at the source code of that application. This made it difficult for anybody to have an organization wide perspective of security concerns, or to comprehend security risks considering the production environment.

By making security an essential part of DevSecOps process, from beginning plan to final release, these three core components of software development lifecycle can be aligned.

Why DevSecOps is different?

Conventional software development approach is cascade approach in which each unit of development lifecycle i.e. development, operations and security work in silos with no mutual coordination and one process starts only after the previous one ends. 

In many teams, cascade has to a great extent been supplanted by Agile strategy, in which a project is divided into multiple sprints. But in many organizations security testing is still being delayed and done after the development, just like cascade style! The delay caused in this process downgrades the productivity of developers and forces them to backtrack their development process, in order to fix security issues that come as a result of security testing.

DevSecOps, then again, empowers security testing to happen consistently and consequently in a similar general time period in which regular development and QA testing is going for a software product. 

For instance, security tests can be done by engineers with the help of agile methodology of DevSecOps in the same time frame, when development is going on which saves times that gets loss in context switching when security tests are carried out after the development process.

DevSecOps Best Practices

We’ll discuss some of the building blocks of DevSecOps methodology and how we can implement them.

Secure Code Practice

The first and foremost thing is to educate developers in regards to basic security hygiene and provide them necessary learning opportunities where they can learn how to write a secure code. Secure coding creates a high resistance to the vulnerabilities in the very beginning, which saves a lot of effort and time if these vulnerabilities are discovered and patched at the completion of the product.Moreover, various IDE extensions can be provided to developers like snyk which can help developers detect vulnerabilities at the very beginning of the process.

Automation

Similar to DevOps, automation is the key in DevSecOps as well. In order to ensure that we are securing code in every push of your code repository, we need to make sure that we are using automation for security in CI/CD pipeline. 

Various tools can be used to look for the potential security vulnerabilities in the code release, like Static Application Security Testing (SAST) tools which can scan and detect vulnerabilities at every push so that they are addressed early in the process of development.

Shift Left Approach

Unlike the cascade approach which we discussed earlier, where we have to wait for one process to end completely to start another. In the shift left approach we try to move and address the security concerns at the very beginning of the process during the development phase. It’s a win-win situation for both developers and security engineers as developers can fix the vulnerabilities with a lot less effort as compared to if they have to do so when a product is fully developed. And for security engineers, it helps in building a secure product from the beginning.

Common challenge with doing a left shift will be it can disrupt your ongoing DevOps processes, which can be uncomfortable in the beginning for everyone but adopting the shift left mentality is definitely something worth considering which will benefit your environment in so many pleasant ways.

Summary

To conclude, DevSecOps is the complete culture change within the organization. It requires active involvement and effort from each team including in the development process. Automation is the magic word here. Automate every process you can, whether deploying infrastructure as code (IaC), writing security unit tests or doing dynamic application scanning, automation is the key. 

Educate and empower people to adopt modern ways of developing a secure product, give them all the necessary means which can help them learn secure coding and apply bake in security in the very beginning of the process.

The internet has transformed how we interact with various industries worldwide and changed how we do things. We can now do many things online, from banking to shopping and even medical appointments.

While the advent of the internet has brought about some welcomed change, it’s also created issues, particularly around cybersecurity and privacy for its users. Thanks to the pandemic, companies and organizations worldwide have demanded better connectivity as more people work from home. However, in 2021, cybercrime skyrocketed.

According to Check Point Research, organizations surveyed in their 2021 study were found to experience about 925 cyberattacks per week globally. While it’s unclear what caused these cyberattacks, human error and the lack of good password practices are often prominent suspects. After all, humans create at least 100 different accounts and passwords in their lifetime, so we often reuse our passwords out of convenience.

Password hygiene isn’t the only thing we tend to overlook when using the internet. In fact, there are plenty of different ways we often give up our data without really knowing or realizing it.

To help you better understand how our data is often at risk, we’ve created a list of the various types of technology and software we interact with almost daily that could store and distribute our data.

1.   Social media platforms

Social media is a great way to keep in touch with friends and family. However, not many people consider the type of information they’re giving up each time they post something on a platform. Whether it’s information about birthdays, employment history, and the like, we consistently give up more data than we think.

Cybersecurity experts encourage people to keep their social media profiles private and limit the information they share in their profiles’ “About Me” section to make it harder for hackers to piece together information about a victim.

2.   Food delivery apps and services

Food delivery apps and services are known to leverage big data analytics to stay competitive and understand their customer’s preferences. Each time we order food or groceries from an app, we give these companies information on what we like and don’t. We’re also telling them how often we need certain items.

Food companies and other service providers can then sell this data to their vendors, leveraging this information by creating ads that target the customers they want.

3.   Virtual assistants

Virtual assistants regularly work with large amounts of sensitive information such as administrative forms and customer data. Virtual assistants are often big targets for hackers looking to steal information. To protect them, it’s essential to install different types of anti-virus software and ensure that there’s a clear privacy policy in place.

4.   Location information

Location information is something we often give up without realizing. Our phone is an absolute location beacon through navigation apps, the weather app, and social media platforms. This interactive New York Times article shows how easy it is to piece together location data about a person through an app on their smartphone. The app could track how long a person was at their doctor’s appointment, how far they went while hiking, and the address they stayed at overnight.

Scary, right?

5.   Streaming platforms

Like food delivery apps and services, streaming platforms like Netflix, Hulu, and Amazon Prime leverage user data to determine what programs and services users might like. These streaming providers can then market new series and films and target selected users.

6.   Video conferencing services

Video conferring services like Zoom, Microsoft Teams, and Google Meets gained significant popularity during the pandemic. Zoom users grew from 10 million in December 2019 to over 300 million in April 2020.

While this is excellent news for Zoom, they’re also prime targets for cybercriminals and other malicious third parties. In April 2020 alone, multiple Zoom privacy issues and security breaches were reported, including a bug that made it easy for hackers to take control of a user’s microphone or webcam.

To protect yourself from potential hackers, always log off and close your video conferencing apps when they’re not in use. Make it a point also to cover your webcam when not in use. If you need to use your laptop’s webcam, you can purchase these small dedicated covers to shut them off.

7.   Online shopping sites

Have you ever looked up a purse on an online catalog only to get served ads on a completely different website?

Here’s the thing, online shopping sites regularly track what users look at to remarket the product back to them, hoping that it’ll lead to a purchase.

8.   Webcams

For security enthusiasts, webcams can be suspicious pieces of equipment for a good reason. Webcams can be hacked easily, and hackers usually enjoy turning them on and recording their victims. Besides recording their victims, hackers may implant malware or viruses, preventing their victims from being able to use their webcams. Victims will then have to pay to get their webcams unlocked. To make matters worse, hackers can do all this remotely.

To prevent this, be careful of the browser extensions you’re downloading and limit the use of your webcam where possible.

9.   Health apps

Health apps like calorie counters, period prediction apps, and workout trackers are great for those who want to stay on top of their fitness game. However, these apps come with a slight caveat: they always track your data.

Period tracking apps have been coming under fire for allegedly selling their users’ data recently. While it might seem harmless, this information, when paired with input from other social media sites and internet footprints, might allow hackers to paint a better picture of their target and find ways to exploit them.

10.  Review sites and forums

All it takes is for you to leave a review of a restaurant or write a comment on a forum to expose your interests and, potentially, your location. While reviews and comments can be helpful for others online, they can also reveal our whereabouts. 

Now that you’re more aware of how your data could unknowingly be distributed, you’re on track to becoming a lot more careful. Unfortunately, as long as we have smartphones and employ smart gadgets, it’s impossible not to have a digital footprint of some sort. However, we can always take steps to safeguard our privacy and protect our personal information as best as possible.