While most of us are familiar with the term DevOps, many are still unsure what DevSecOps is. Some claim it is a new stage in the CI/CD workflow, others that it means bolting security practices onto an existing framework, and others think of it as simply adding cybersecurity professionals to a team.
However, the best way to think of DevSecOps is as a philosophy that touches on all of the above. The goal of the DevSecOps process is to introduce new security models into the continuous delivery (CD) pipeline, bridging the gaps between IT, Development, Operations, and Security. Simply put, the aim of DevSecOps is to tear down silos and establish shared responsibility for security tasks through all phases of the delivery process. That may sound like management technobabble, but it captures the gist of the DevSecOps concept well.
Ultimately, DevSecOps changes the dynamic of the development process by shifting security from a layer placed on top of finished code to an element baked into the code from the start. Security becomes an ingredient in the CI/CD recipe, with application developers, operations staff, and security engineers cooking as one team. DevSecOps integrates security checks into the CI/CD pipeline without slowing the delivery cycle. Beyond the security it adds to the development pipeline, DevSecOps brings numerous other advantages, including:
- Improved speed and agility for security teams
- Better communication between team members working within the delivery pipeline
- The ability to respond to rapid change
- Better vulnerability identification at the code level
- Increased opportunities to implement automated builds and quality assurance processes
Getting started with DevSecOps takes more than assigning roles and defining teams; it also requires both a technical and a cultural shift in how an enterprise addresses security threats. DevSecOps also changes how a security model is defined, built, and implemented. There are critical procedural elements that must be considered, including:
- Code analysis – commit and review code in small increments so that scanners and reviewers can identify vulnerabilities quickly, while the change is still easy to reason about
- Change management – quickly determine whether a change submitted by any team member is safe to merge, and block it automatically if it is not
- Compliance monitoring – prepare for audits continuously and strive to be in a constant state of compliance rather than scrambling before each audit
- Threat investigation – identify emerging threats relevant to each code update and respond quickly
- Vulnerability assessment – use code analysis to identify vulnerabilities, and have processes in place to triage, accept, or mitigate each finding
- Security training – all team members, including software and IT engineers, should be trained on the secure-coding and operational guidelines for the routines they perform
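The change-management and vulnerability-assessment elements above usually meet in one concrete artifact: a pipeline gate that reads the scanner's findings and decides whether the change may merge. The following script is an added example, not code from the original article or from any particular DevSecOps product. The report format (a JSON object with a `results` array), the rule identifiers, the file paths, and the `ACCEPTED_RISKS` register are all constructed for illustration; a real pipeline would parse its scanner's actual output (for example SARIF) and load the risk register from version control. It shows the parts such a gate needs beyond a bare severity threshold: a documented, time-boxed risk acceptance so that a known finding can be waived without silencing the scanner forever, and a hard failure once that acceptance expires.

```python
"""CI security gate (added example): fail the build on scanner findings at or above a
severity threshold unless the finding has an unexpired, documented risk acceptance."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Ordinal ranking so thresholds can be compared; names are assumed, not a standard.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str  # "file:line"


def parse_findings(report_json: str) -> list[Finding]:
    """Parse a minimal scanner report.

    The schema is an assumption for this example: {"results": [{"ruleId", "severity",
    "file", "line"}, ...]}. Unknown severities are an error rather than silently
    treated as low, so a scanner schema change cannot quietly disable the gate."""
    data = json.loads(report_json)
    findings = []
    for r in data.get("results", []):
        sev = str(r.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for rule {r.get('ruleId')!r}")
        findings.append(Finding(r["ruleId"], sev, f"{r['file']}:{r['line']}"))
    return findings


def evaluate(findings, *, fail_at="high", accepted_risks=None, today=None):
    """Return (passed, blocking, waived).

    accepted_risks maps (rule_id, location) -> ISO expiry date. A finding at or above
    fail_at blocks the build unless an acceptance exists and has not expired; an expired
    acceptance is deliberately treated as no acceptance at all."""
    today = today or date.today()
    accepted_risks = accepted_risks or {}
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below policy: report it, but do not block the change
        expiry = accepted_risks.get((f.rule_id, f.location))
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return (not blocking), blocking, waived


# Constructed sample scanner output; rule IDs and paths are made up for this example.
SAMPLE_REPORT = json.dumps({"results": [
    {"ruleId": "PY-HARDCODED-SECRET", "severity": "critical", "file": "src/db.py", "line": 12},
    {"ruleId": "PY-SQLI", "severity": "high", "file": "src/api.py", "line": 40},
    {"ruleId": "PY-DEBUG-LEFTOVER", "severity": "medium", "file": "src/util.py", "line": 7},
    {"ruleId": "PY-WEAK-HASH", "severity": "high", "file": "src/auth.py", "line": 3},
]})

# Constructed risk register: one acceptance still valid, one already expired.
ACCEPTED_RISKS = {
    ("PY-SQLI", "src/api.py:40"): "2099-12-31",      # parameterised upstream; documented
    ("PY-WEAK-HASH", "src/auth.py:3"): "2024-06-30",  # expired: must block again
}


def run_gate(report_json=SAMPLE_REPORT, today=date(2025, 1, 1)):
    """Run the gate and return (passed, blocking rule IDs, waived rule IDs)."""
    findings = parse_findings(report_json)
    passed, blocking, waived = evaluate(
        findings, fail_at="high", accepted_risks=ACCEPTED_RISKS, today=today)
    return passed, [f.rule_id for f in blocking], [f.rule_id for f in waived]


if __name__ == "__main__":
    passed, blocking, waived = run_gate()
    for rule in waived:
        print(f"WAIVED   {rule} (documented, unexpired risk acceptance)")
    for rule in blocking:
        print(f"BLOCKING {rule}")
    raise SystemExit(0 if passed else 1)
```

With the constructed input the gate fails: the hard-coded secret has no acceptance and the weak-hash acceptance lapsed, while the SQL-injection finding is waived because its acceptance is still in force. Keeping the register in the repository next to the code means an acceptance is itself a reviewed change, which is the "shared responsibility" the article describes made concrete.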
DevSecOps is not an impossible dream; many organizations are already well on their way to incorporating security into their CI/CD pipelines using the basic formula of integrating security into every stage of the development process.