Why a solid DevOps foundation is vital for effective DevSecOps

As DevOps adoption has grown, organizations are pushing code into production faster than ever. However, the fast pace of DevOps has led many developers to view security as a bottleneck or afterthought, which means security teams need a new approach to keep up. 

Enter DevSecOps, the natural extension of DevOps. The most obvious and almost cliché way to describe DevSecOps is to talk about “shifting left,” so security testing is incorporated into the software design and delivery process early in the lifecycle. But that would be like saying DevOps is merely about automation. The actual desired outcome of DevOps is faster and more frequent software delivery, while also improving the developer experience and reducing the risk of burnout. Similarly, DevSecOps is more than just shifting tools left, and needs to support the software delivery goals and reduce the burnout from security fatigue.

This is why adopting DevSecOps to reduce risk and deliver software faster requires a solid DevOps foundation. By understanding the role of DevOps and development teams in secure software delivery and empowering them with the right automated tools, businesses can improve the maturity of their application security programs. 

The role of DevOps in DevSecOps

Much like the collaborative model of DevOps, establishing a successful DevSecOps framework starts with a shared responsibility for application security among developers, operations, DevOps/platform teams, and security professionals. However, DevOps teams are uniquely positioned to apply security breadth and depth because they are deeply involved with both development and operations processes. They understand the need to streamline and provide software teams with a great experience, the list of tools in use and integration points, and how software is ultimately delivered to production, all of which are also critical when implementing DevSecOps. The growth of developer portals and platforms, often led by these platform teams, is another point of potential integration for security tools.

A mature DevSecOps practice should also consider all parts of an application architecture, including the infrastructure and the security of the pipelines. Modern DevOps teams are increasingly responsible for securing parts of the application, as reliance on containerization and infrastructure as code (IaC) to deploy and manage software continues to grow. That’s why DevOps teams need to prioritize integrating security into their existing infrastructure management workflows as part of a new DevSecOps framework. 

Security within the software development lifecycle 

Along with DevOps teams, it’s important to empower developers to take on many security tasks independent of the security team within the software development lifecycle (SDLC). This enables a secure software development lifecycle (SSDLC), where security is included in every stage of the delivery process.

As the speed of innovation and frequency of releases has accelerated, it’s no longer enough to put off security until the end of a development cycle. This means security needs to be in the scope of developer responsibilities to catch vulnerabilities early and avoid bottlenecks. But it also necessitates considering how issues and remediation guidance are presented to developers. Ideally: 

1. Developers should be able to stay within the same tools they use every day. 

2. The issues they’re asked to remediate should clearly explain the rationale for requiring their attention

3. The remediation actions be readily available (i.e., automated with a simple click). 

Integrating DevSecOps into delivery pipelines

Most modern DevOps organizations have already implemented a form of continuous integration and deployment (CI/CD). This automated pipeline can be leveraged to lay the foundation for DevSecOps and reduce the security burden for both DevOps and development teams.

Automating security can start with shifting left to the point when developers write and check in code. Continuous integration processes typically involve automated builds and tests after code commits, and static application security testing (SAST) can also be included to check for potential security issues within the source code. Most SAST solutions scan the code and compare it to application security best practices and vulnerability databases to help developers get early feedback. This includes IaC testing, a specialized form of SAST testing, and secrets detection, which applies to the code but also IaC and pipeline configurations.

Software composition analysis (SCA), including container scanning, can also be automatically performed during this stage to verify that open source dependencies are free of vulnerabilities. This has become even more important as development teams adopt more third-party, open source components, with some estimates suggesting that up to 90% of a modern application is open source code. These new software supply chains greatly increase the potential attack surface of an application and require additional security considerations. Beyond just testing, which is always somewhat reactive in nature, a mature DevSecOps program should also guide developers to make safe choices up front, which requires cross-team cooperation to understand software architecture and security requirements, plus education to ensure teams understand secure-by-design principles.

DevSecOps in Production

An important principle of DevOps is that software teams remain involved after code is shipped, and DevSecOps needs to extend this principle. Testing code and the full application stack before delivery is critical, but not all issues are preventable in this way. Zero days will happen; application architectures change, which might open up new attack vectors. 

There are many cloud and runtime security tools available that do an excellent job of mapping threat vectors and monitoring for attacks, and while all of this information is likely overwhelming for a developer, it is absolutely useful for determining which issues require urgent attention. Bridging the world of application security and cloud/runtime security to reduce risk in running applications is a requisite feature of a mature DevSecOps program. 

Laying the DevSecOps foundation with Snyk

While “shifting left” and adding security into DevOps processes are fundamental pieces of DevSecOps, the key outcomes of DevOps—fast, frequent releases and reduced developer burnout—are just as critical to consider in a DevSecOps practice. By choosing the right security tools that easily integrate into existing development and DevOps workflows, you can reduce friction during adoption and scale security across the entire organization.

Snyk is a developer-first security platform that can help you integrate DevSecOps practices into every stage of the SDLC. Snyk AppRisk bridges the world of application security and cloud security, providing a holistic view of risk that is key to helping developers understand what needs to be fixed. Snyk Code and Snyk Open Source empower developers in their IDEs, repositories, pull/merge requests, and more through CI/CD, while Snyk Container and Snyk Infrastructure as Code bring security to platform teams.

Schedule a demo today to discover how Snyk can help lay your DevSecOps foundation.