Devsecops

Overview

Download PDF

What is DevSecOps?

DevSecOps refers to the integration of security practices into a DevOps software delivery model. Its foundation is a culture where development and operations are enabled through process and tooling to take part in a shared responsibility for delivering secure software. To understand where this DevSecOps definition comes from, we must first understand the origins of DevOps.

DevSecOps vs DevOps

The difference between DevOps and DevSecOps is, to put it simply, the culture of shared responsibility. DevOps is a concept that has been talked about and written about for over a decade, and many definitions of DevOps have emerged. At its core, DevOps is an organizational paradigm that aligns development and operations practices as a shared responsibility. 

Many would agree that the goal was to create an environment in which business value is created by moving from code to production with a seamless and sustainable flow. With this new model came tools and methodologies that increased the pace and resulted in a bottleneck where traditional security practices with slow feedback cycles became inhibitive of high-pace DevOps practices. As a result, security practices were often only  accomplished post-production or by external teams injected into the process thus slowing things down.

To make the difference between DevOps and DevSecOps clearer, DevSecOps extends the DevOps culture of shared responsibility to also include security practices. Activities designed to identify and ideally solve security issues are injected early in the life cycle of application development, rather than after a product is released. This is accomplished by enabling development teams to perform many of the security tasks independently within the SDLC. The approach helps minimize vulnerabilities that reach production thereby reducing the cost associated with fixing security flaws. It creates scalability while also establishing a collaborative culture that brings security closer to DevOps objectives. DevSecOps aims to build security into every stage of the delivery process, from the requirement stage onwards, and establish a plan for security automation. It also highlights the need for “security as code” — a practice in which DevOps and Security teams work together closely and exchange feedback and insights on threats and security principles in a proactive manner. DevSecOps also includes educating developers and DevOps teams to use secure design patterns, preparing the C-level management by practicing with mock incidents and awareness campaigns for the wider organization. 

The Importance of DevSecOps

Why are DevSecOps practices are important?

Digital transformation has become an existential requirement for almost all enterprises. Such transformation includes three significant motions: more software, cloud technologies and DevOps methodologies.

More software means more of the organization’s risk becomes digital, raising the level of technical debt and therefore application security, making it increasingly challenging to secure digital assets.

Cloud means use of newer technologies that introduce different risks, change faster, are more publicly accessible — eliminating or redefining the concept of a secure perimeter. It also means many of the IT and infrastructure risks are moved to the cloud, and others are becoming purely software defined, reducing many risks while highlighting the importance of permission and access management. 

Lastly, DevOps means a change to how software is developed and delivered, accelerating the cycle from writing code to delivering customer value to learning from the market and adapting. Empowered development teams ship software continuously and faster than ever, making technology and implementation decisions autonomously and without intermediaries. The traditional slow feedback loops that bog down development are not tolerated as teams increasingly prioritize being self-sufficient — you write it, you run it.

As the rest of the organization evolves, security teams are faced with greater demands and often become more of a bottleneck. Legacy application security tools and practices, designed for the slower-paced pre-cloud era, put security teams in the critical path of delivering high quality applications. These teams, understaffed due to the severe security talent shortage, become a bottleneck and fail to keep up. As a result, dev teams ship insecure applications, security teams burn out, and security becomes a naysayer, negating the acceleration the business is seeking.

To deal with these challenges , people started changing their practices and this gave birth to DevSecOps. A DevSecOps culture brings security into the DevOps fold, enabling development teams to secure what they build at their pace, while also creating greater collaboration between development and security practitioners. It allows security teams to become a supporting organization, offering expertise and tooling to increase this developer autonomy while still providing the level of oversight the business demands. 

Faster delivery

  • The speed of software delivery is improved when security is integrated in the pipeline. Since security issues can be addressed early in the development process, the number of vulnerabilities that end up as bug fixes in the backlog is reduced. This means developers are more focused on delivering new or expanded functionality.
  • The speed at which new technologies can be adopted is also improved. As DevSecOps creates a culture of shared responsibility for all aspects of the pipeline and security becomes embedded in the delivery process, new technologies can be assessed for security risks early on. This prevents bottlenecks from security teams attempting to get up to speed on new technologies so they can ensure secure configurations.
  • Overall secure code practices are also improved as a result of a DevSecOps approach. As developers are empowered to identify and remediate vulnerabilities during their development efforts, they become aware of common mistakes, and are able to avoid those in future coding efforts.

Improved security posture

  • The total number of vulnerabilities introduced to the production environment is reduced via a DevSecOps model. As developers become more empowered to identify and remediate vulnerabilities, the code they produce inherently has fewer security flaws. 
  • The time to react and remediate vulnerabilities is also reduced in a DevSecOps culture. Since vulnerabilities can be identified in development, there is no need for them to be logged as security bugs and prioritized amongst other stories in the backlog. Instead, fixing security flaws becomes an inherent aspect of the coding process.
  • A culture of shared responsibility from DevSecOps also improves overall security awareness across the organization. Non-security teams that have possibly passed responsibility for security to a centralized security team begin to see and understand their role in securing software. Continuous exposure to security practices and expectations to adopt secure behaviors drive an overall better awareness across the company.
  • Burnout among security resources is also reduced in a DevSecOps culture. Shared responsibility for security reduces the workload assigned to dedicated security resources. Additionally, eliminating the “us versus them” feeling of a siloed organization also reduces feelings of frustration and hopelessness among security resources. Security teams can more easily see value and results from their efforts thanks to DevSecOps’ collaborative culture.

Reduced costs:

  • Studies show that the costs of software delivery are exponentially reduced when vulnerabilities are identified early in the development process as opposed to post-deployment. Adopting a DevSecOps culture enables this early identification and therefore helps drive reduced costs.
  • The improvements in overall security posture make it easier for an organization to demonstrate compliance with regulations and meet the expectations of auditors. A strong model of collaboration and automation of security practices enables the continuous collection of key metrics needed to demonstrate the security posture of the organization.
  • Shared responsibility
  • Become part of the team backlog
  • Knowledge sharing
  • Increased delivery process maturity

Enhancing the value of DevOps

  • Incorporating new technologies into development without the traditional resistance from other areas of the organization. With security embedded in the delivery processes, new technologies can be assessed for security risks and those risks addressed early on. 
  • Increasing speed of delivery by enabling developers to detect and fix security issues during the development phases rather than relying on feedback loops from subsequent tasks executed by external parties.
  • Reducing volume of application security bugs added to the backlog as issues are discovered during development. Those that do end up on the backlog receive higher prioritization.
  • Improving awareness of secure coding techniques as developers gain experience directly identifying and remediating vulnerabilities. 
  • Improving infrastructure security as Infrastructure as Code (IaC) becomes more common through the use of containers and integrated security practices which are able to ensure appropriate hardening of those images.
  • Achieving greater overall maturity in the DevOps model by integration of security practices into the delivery pipeline. It eliminates the impact to delivery pace from slow feedback loops with external security teams, further enhancing the promise of DevOps.

Improving security integration and pace

  • Cost and time of secure software delivery is reduced through eliminating the need to retrofit security controls post-development.
  • Speed of remediation is enhanced in the case of a security incident by utilising templates and pet/cattle methodology.
  • Security auditing, monitoring, and notification systems are managed and deployed via the same methodology as software. In this way, they can be continuously enhanced, to keep in step with the frantic innovation intrinsic to cybercrime.
  • Greater visibility of security posture and increased understanding between development and security resources as the CAMS Model (Culture, Automation, Measurement, Sharing) is applied to security practices.

Enabling greater overall business success

  • DevSecOps improves the speed in adoption of new technologies, such as cloud infrastructure. This helps reduce the use of deprecated and increasingly vulnerable software and hardware.
  • Improving overall security posture as a culture of shared responsibility is created by the integration of security practices into DevOps. The Snyk/Puppet 2020 DevSecOps Insights Report found this to be the case in mature DevSecOps organizations.
  • Greater trust in the security of developed software and embracing new technologies enables enhanced revenue growth and expanded business offerings.
  • Endorsed at board level, DevSecOps practices foster a culture of openness and transparency beyond just the development, security, and operations practitioners
  • Reduced friction between development and security as a culture of collaboration is cultivated and practitioners across disciplines work to enable each other.