DevSecOps—short for Development Security Operations—is the practice of incorporating security continuously throughout the application development lifecycle. Using this approach ensures that security is a core part of the application and not a bolt-on feature.
DevSecOps is an outgrowth of the DevOps movement, which aims to accelerate the software development lifecycle and enable the rapid release schedule of applications and updates. DevSecOps builds on this agile framework by infusing security within each phase of the process in order to minimize security vulnerabilities and improve compliance—all without slowing down release cycles.
A DevSecOps mindset is an absolute necessity for any IT organization that is leveraging containers or the cloud, both of which require new security guidelines, policies, practices, and tools. Due to the agile nature of these technologies, security must be integrated at every stage of the DevOps lifecycle.
How does DevSecOps work?
In a traditional DevOps approach, security testing is done near the end of the development process—typically once the application has been deployed to a production environment. This is because security-related tasks such as secure configuration management and vulnerability scanning can be fairly time intensive, slowing down the development process.
While holding security testing until later in the development cycle increases the overall speed of the process, vulnerabilities within the application will not be identified until the application is nearly complete. As such, the DevOps team must go back and address these security issues, requiring organizations to repeat the entire development process to address security vulnerabilities. This runs counter to the very theory of DevOps, which focuses on rapid development and release cycles.
In a DevSecOps approach, security is built into every part of the DevOps lifecycle. Key tactics include:
- Incorporating Infosec professionals within the DevOps team to oversee the security agenda within the development lifecycle;
- Elevating the security skill set of the IT team to understand cyber risks and best practices so that each member can consider implications during the development process and write code with security in mind;
- Automating select cybersecurity processes and tasks, such as testing for security exploits, to enable an agile workflow; and
- Developing security processes and tools that are specifically designed to support agile technologies, such as the cloud, containers, and microservices.
What is the difference between DevOps and DevSecOps?
DevOps is an agile development methodology that links software development and IT operations in order to shorten the software development lifecycle and enable a continuous development and delivery cycle. DevOps is built on three continuous principles: integration, delivery and deployment. Continuous integration covers the core development activities, including coding, design, build, integration and testing. Continuous delivery covers the regular delivery of software applications and upgrades, and is carried out through continuous deployment, an automated pipeline workflow.
DevSecOps builds much-needed security functionalities into the existing DevOps framework. As part of the DevSecOps mindset, organizations will likely add steps to the traditional DevOps workflow. These include:
- Conducting a risk/benefit analysis to determine the organization’s current risk tolerance.
- Creating an overarching, built-in security strategy that addresses existing vulnerabilities and known threats in the security landscape.
- Determining the security controls needed for the application.
- Automating recurring tasks within the security development and testing process.
Why do you need DevSecOps?
The rise of cloud technology, as well as containers and microservices, has fundamentally changed the way software is developed. In a DevOps culture, application programming interfaces (APIs) and configuration tools are used to express the infrastructure as code, which can then be adapted and revised by the development team. This allows developers to provision and scale the needed infrastructure without the involvement of a separate infrastructure team. In addition, recurring tasks within the development process are automated through intelligent technologies and tools, which further accelerates the development lifecycle.
At the same time, developers' growing use of serverless functions, microservices and containers has introduced new security risks that must be accounted for. The architecture of cloud-native applications requires its own approach to security in terms of policies and controls. Beyond the challenge of maintaining consistent security across their data center and the public cloud environment where their applications are deployed, IT must also contend with a lack of mature tools for securing containers, with API vulnerabilities and with other issues. In virtual-machine (VM)-based cloud deployments, security tools and best practices are more mature, offering more full-featured detection and visibility into threats and performance issues. The same cannot be said of cloud-native environments built on microservices and containers. In short, the threat model has changed.
Despite these challenges, cloud-native approaches offer an opportunity for businesses to transform their security alongside their digital initiatives to support the organization. To reach the peak value of DevOps promised by its advocates, organizations need to find a way to embrace cloud-native app development securely. Making security an equal consideration alongside development and operations is a must for any organization.
DevSecOps best practices
Organizations that want to unite IT operations, the security team and application developers need to make security a core component of the software development workflow. In order to enable DevSecOps, the organization must do the following two basic things:
- Ensure security testing is incorporated throughout the development cycle and completed by the development team; and
- Enable the development team to manage and solve issues found during testing.
To that end, here are a few DevSecOps best practices that will help ensure the organization can shift to this new agile model:
Dedicate an Infosec leader within the DevOps team. Many teams enable a DevSecOps mindset by including a security champion within their development teams. This is someone who has expertise in application security and has taken more advanced training in this field than most of the team. This person can review security fixes to make sure they are correct.
Upskill the IT team to ensure security is infused into every aspect of the development lifecycle. In a DevSecOps model, every member of the development team is accountable for security. Given that this was not a core responsibility of a DevOps engineer or software developer in the past, it may be necessary for the organization to upskill staff to support these new requirements. Organizations can work with their cybersecurity partner to develop a curriculum or training program to get their IT team up to speed with DevSecOps principles.
Automate recurring security processes and tasks. DevOps is all about speed—and so is DevSecOps. By implementing automated security controls and tests early in the development cycle, the organization can ensure rapid, agile delivery of applications. Further, by using tools that scan code as it is written, it is possible to identify and remediate security issues more quickly.
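As an added illustration of the automated, shift-left checks described above (this is example code written for this page, not a CrowdStrike tool or any vendor's product), the script below is a minimal security gate of the kind a pipeline runs on every commit: it scans changed source files for hard-coded credentials and checks pinned dependencies against an advisory list. The sample files, the secret patterns and the advisory data are all constructed for the demo; a real pipeline would use a maintained secret-detection rule set and a live vulnerability database.

```python
"""Minimal automated security gate for a commit or pull request.

Added example, not code from the article or from any vendor. The sample
files, secret patterns and advisory data below are constructed for the demo.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample files as they might appear in a pull request.
SAMPLE_FILES = {
    "app/config.py": (
        'DB_URL = "postgres://svc:hunter2@db.internal/app"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "app/main.py": "import os\nDB_URL = os.environ['DB_URL']\n",
    "requirements.txt": "requests==2.19.0\nflask==2.3.2\n",
}

# Constructed advisory data: package -> (first fixed version, note).
# A real gate would query a vulnerability database instead.
ADVISORIES = {
    "requests": ("2.20.0", "constructed advisory: fixed in 2.20.0"),
}

# Constructed secret patterns; production gates use a maintained rule set.
SECRET_PATTERNS = [
    ("aws-secret-key",
     re.compile(r'AWS_SECRET_ACCESS_KEY\s*=\s*["\'][A-Za-z0-9/+]{40}["\']')),
    ("url-embedded-password", re.compile(r'://[^/\s:]+:[^@\s]+@')),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


def parse_version(version: str) -> tuple:
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def scan_secrets(path: str, text: str) -> list:
    """Flag lines that look like credentials committed into source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule,
                                        "possible hard-coded credential"))
    return findings


def scan_dependencies(path: str, text: str) -> list:
    """Flag pinned packages older than the first fixed version in ADVISORIES."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        advisory = ADVISORIES.get(name.lower())
        if advisory and parse_version(version) < parse_version(advisory[0]):
            findings.append(Finding(path, lineno, "vulnerable-dependency",
                                    f"{name}=={version}: {advisory[1]}"))
    return findings


def run_gate(files: dict) -> list:
    """Run every scanner over the changed files and collect all findings."""
    findings = []
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            findings.extend(scan_dependencies(path, text))
        else:
            findings.extend(scan_secrets(path, text))
    return findings


def gate_passes(files: dict) -> bool:
    """True when the change can merge; any finding blocks it."""
    return not run_gate(files)


if __name__ == "__main__":
    for f in run_gate(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: [{f.rule}] {f.detail}")
    # A non-zero exit is what makes the CI job fail and blocks the merge.
    sys.exit(0 if gate_passes(SAMPLE_FILES) else 1)
```

The gate is deliberately blocking: a non-zero exit status fails the pipeline job, which is what turns "scan code as it is written" into an enforced control rather than a report someone may or may not read. Developers fix the finding in the same change, which is the feedback loop the DevSecOps model relies on.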
Select the right tools to continuously integrate security. Cloud technology, as well as the use of containers and microservices, requires organizations to reevaluate their security policies, practices and tools. In this environment, many organizations are looking toward cloud-native security platforms (CNSPs) as the answer. The goal of CNSPs, in part, is to simplify the complexity of securing a diverse, multi-cloud environment. CNSPs are designed to meet the needs of cloud-native architectures and the development practices of DevOps culture. Rather than focusing on one particular vendor, CNSPs are cloud-agnostic and are built to provide visibility and protection across a hybrid stack. They also feature capabilities such as secure configuration management, runtime protection for cloud workloads and containers, and detection and response capabilities for virtual machines (VMs), containers and serverless functions.