What is DevSecOps? Let’s break it down.
“DevSecOps is a combination of three disciplines: Development, Security and Operations.”
In the early days, if you knew how to code you could build anything you wanted and become a rockstar (assuming it was bug-free, of course). With the power of the internet, you could let everyone in the universe use it. Easy! Then, as more and more people tried it, more and more of them started to hate it because it lacked the features they needed.
So what do you do next? You develop some more, test and deploy, then develop again, test and deploy, and so on, until the never-ending cycle drives you nuts. In the extreme case, the team tasked with deployment is too small, a backlog of deployments builds up, and developers have to queue and wait for their changes to be accommodated in some later release. DevOps was born in an attempt to solve this problem.
It is a culture that promotes collaboration between the Development and Operations teams so that code is deployed to production faster, in an automated and repeatable way.
With frequent cycles of change, the mundane manual steps are turned into small, automated tasks that execute very quickly. So fast that before one of your haters can post a rant on Facebook, you have already released the change. Easy! Now you have a global solution accessed by millions. Everyone is happy because they get what they need. It has also become an attractive target for attackers.
“You made the changes so rapidly that you forgot to account for security.”
All that time and investment can disappear in an instant if your jealous cousin defaces the homepage and puts your ugly photo there. This is why DevOps alone is not enough. There has to be something in the middle to stop vulnerable or malicious code from being promoted to production. Security is very important, but it is often overlooked in the rush of continuous integration and continuous deployment.
“Develop, Secure, Operate“
This cultural and technical shift helps address security threats more effectively and in real time, and promotes agility in the face of rapid change. Here are some of the common processes that have been added to the continuous deployment cycle to enforce security best practices in software development.
- Static code analysis – an automated technique for detecting programming defects and insecure patterns in source code by examining its text without executing it, which means it can run on every commit before the code is built or deployed.
- Change management – the sequence of steps or activities that move a change from inception to delivery, so that what reaches production is reviewed, approved and traceable.
- Compliance monitoring – the quality-assurance tests organisations run to check how well their business operations meet their regulatory and internal process obligations.
- Threat investigation – the process of gathering evidence related to a flagged threat to validate the alert and inform response and recovery activities.
- Vulnerability assessment – evaluates whether the system is susceptible to any known vulnerabilities (including those in third-party dependencies), assigns severity levels to them, and recommends remediation or mitigation where needed.
- Security training – equips the developers and operations teams with the knowledge to implement a more secure solution.
There is no hard requirement to implement all of them, as some involve costs and expertise not readily available to the business. The main difference between DevOps and DevSecOps is that DevSecOps also examines the security of the code, system or application before it is handed over to operations, instead of leaving it until after release.
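As an added illustration (this is example code, not part of the original post or any Skillfield tooling), here is a minimal static-analysis gate of the kind that sits "in the middle" of the pipeline: it parses source text without executing it, records rule matches with a severity, and returns a non-zero exit code that would stop the build from promoting the change. The four rules, the two constructed sample files and the HIGH-only failure threshold are assumptions chosen for the demonstration; a real pipeline would use a mature tool such as Semgrep or Bandit, but the mechanism is the same.

```python
import ast
from dataclasses import dataclass

# Constructed sample source standing in for a file committed to the repository.
# It deliberately contains four insecure patterns (lines 4, 7, 10 and 14 of the snippet).
SAMPLE_SOURCE = '''
import subprocess

API_KEY = "sk-live-0123456789abcdef"

def run(cmd):
    return subprocess.call(cmd, shell=True)

def load(expr):
    return eval(expr)

def hash_pw(pw):
    import hashlib
    return hashlib.md5(pw.encode()).hexdigest()
'''

# Constructed hardened version of the same file; the gate should let it through.
SAFE_SOURCE = '''
import os
import subprocess
import hashlib

API_KEY = os.environ.get("API_KEY")

def run(cmd):
    return subprocess.run(cmd, shell=False, check=True)

def hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000).hex()
'''


@dataclass
class Finding:
    rule: str
    severity: str
    line: int
    message: str


# Identifier fragments that suggest a credential is being stored in a variable (assumed list).
SECRET_HINTS = ("password", "passwd", "secret", "api_key", "token")


def _call_target(node):
    """Turn the callee of a Call node into a dotted name such as 'subprocess.call'."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class SecurityVisitor(ast.NodeVisitor):
    """Walks the syntax tree and records matches for a handful of example rules."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        target = _call_target(node)
        if target in ("eval", "exec"):
            self.findings.append(Finding("dangerous-eval", "HIGH", node.lineno, f"{target}() runs arbitrary code"))
        if target.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("subprocess-shell-true", "HIGH", node.lineno, "shell=True allows command injection"))
        if target in ("hashlib.md5", "hashlib.sha1"):
            self.findings.append(Finding("weak-hash", "MEDIUM", node.lineno, f"{target} is unsuitable for passwords"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a credential-looking name is a hard-coded secret.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_HINTS):
                    self.findings.append(Finding("hardcoded-secret", "HIGH", node.lineno, f"string literal assigned to {target.id}"))
        self.generic_visit(node)


def scan_source(source):
    """Parse the source text (it is never executed) and return findings ordered by line."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def gate(findings, fail_on=("HIGH",)):
    """Pipeline exit code: 1 blocks promotion when any finding meets the threshold."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    for label, src in (("insecure", SAMPLE_SOURCE), ("hardened", SAFE_SOURCE)):
        found = scan_source(src)
        for f in found:
            print(f"{label}:{f.line}: [{f.severity}] {f.rule}: {f.message}")
        print(f"{label}: gate exit code {gate(found)}")
```

Run as a build step, the script's exit code is what the CI system acts on: the insecure file produces three HIGH findings and a MEDIUM one and exits 1, the hardened file produces none and exits 0. Lowering the threshold to include MEDIUM, or raising it to only block on a subset of rules, is the kind of decision the "no hard requirement to implement it all" sentence above refers to.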
“A DevSecOps-driven approach to software development provides many benefits, not just for developers and operators, but also in protecting the business from potential loss due to cyber attacks.”
Incorporating security into DevOps speeds up iterations because potential vulnerabilities are identified early, when they are cheapest to fix, instead of in future cycles. It also raises the quality of the solution without compromising compliance.
Author: Jose Mari Ponce
Skillfield is an Australian based IT services consultancy company empowering businesses to excel in the digital era. Across our two main practices of Cyber Security & Data Services, our talented and committed professionals provide smart and simplified solutions to complex cyber security and big data challenges.