Intro to DevSecOps
As DevOps has become more mainstream and the benefits become well known. Practitioners have looked at new ways to apply and extend the concepts to expand the benefits of DevOps philosophy to other areas of the business. One such natural extension is DevSecOps. DevSecOps takes the core tenets of DevOps and expands them to include security teams and functions.
DevOps has increased the pace at which teams are delivering value to customers. Product conception / ideation to delivery cycles have shortened dramatically as teams see value in experimentation and responsiveness to customer needs. That increase in feature velocity and/or cycle time has added pressure to security teams to keep up. This can lead to over worked security teams and oversight / governance concessions to keep the product updates flowing.
Proactive teams have realized there is a better way. By implementing DevSecOps, teams are finding ways to continue to innovate faster without conceding security. Let’s take a closer look at concepts, tools and benefits of well implemented DevSecOps strategy.
DevSecOps takes DevOps principles and extends them to security teams and practices. DevSecOps builds on the core DevOps principles of rapid release cycles, cross team involvement, transparency / observability, automation and the Three Ways of DevOps.
DevOps practices have decreased the mean time to value for high functioning organizations by applying the Three Ways; single direction flow, feedback loops and experimentation.
The pace of the SDLC has increased with DevOps. Cycle times, from ideation to customer value delivery, have shortened from months or years to days or even hours. Security teams using traditional approaches struggle to keep up without modernization / adaptation. New ways of working to address security are required.
DevSecOps: Key Concepts
One of the core ideas of DevSecOps is shifting security left. That is, moving the traditional security activities to the front, or the left if one thinks of the SDLC moving left to right, of the SDLC.
Security requirements are added in the planning phase and are treated the same as features. This means creating user stories that are tracked across the process and treated as first class citizens, the same way as feature centric user stories.
The Security team is involved as early as possible, this means in the requirements / planning phase. The earlier they are involved the better. This ensures security issues are not created in the planning and design phases that need to be remediated later. This has the side benefit of leading to a strong sense of partnership as team members feel like they are first class citizens in the process and feel that their contributions are valued, rather than being impediments to development / value creation.
Security is automated and built in. Security is no longer treated as a gate to deployment at the end of the development cycle. Security issues are raised early in the cycle, when there is still plenty of time to address them. Rarely do you see security issues found in the later stages. This helps avoid the “Go” / “No Go” decision, which leads to either delays or lessened security posture due to concessions made to keep the project on track and on time.
Not only is security automated and built into the pipeline but testing is done at each phase of the SDLC. In the coding phase, IDE tools such as Software Composition Analysis (SCA) and Static Application Security Testing (SAST) are run on the developers behalf, before the code is introduced to the repository. In the build phase of the pipeline, SCA and SAST tools are run and the results made visible and permanent in the DevOps pipeline / CI/CD pipeline. During the test phase DAST runs against test instances of the software, raising issues only exposed at runtime. In the deploy phase additional DAST and IAST tools can be run against staging instances and production to verify the success of the previous security efforts.
SOOS provides a comprehensive open source software scanning platform. By integrating with your existing processes and tools we allow your teams to easily integrate and provide real time Software Composition Analysis to ensure the safety and security of your applications. We analyze your entire dependency tree and provide actionable insight into any vulnerabilities in your open source portfolio.
DevSecOps is an extension of DevOps that can lead to increased security posture, more efficient remediation of security concerns and better relations between teams. It requires a combination of people, process and tools to deliver tangible results to security conscious organizations. Over the next few years we will likely see these practices become as common as Agile and DevOps, seen as more of a requirement to compete than as a competitive differentiator; it will soon become table stakes in the customer value creation process.