DevSecOps: security for development and IT operations

What is DevSecOps and why should I care?

DevSecOps (development, security, operations, sometimes also called SecDevOps) integrates the topic of application security into the DevOps process. Hence agile software development meets the current challenges of cyber security. By automating and creating a security-as-code culture, collaboration between teams shall remain remain flexible while security will be continuously improved.

What is DevOps?

Before we try to understand the term DevSecOps, we need to understand “DevOps.” What does this widespread term mean? It is almost as vague as “cloud”. Every modern business needs it, but is it something you can simply order and get delivered? We understand DevOps as the interdisciplinary collaboration between developers and software operators that allows a rapid and systematic development and delivery of applications. Our understanding of DevOps is explained in detail in “What is DevOps – what does VSHN do?”

Origin and the meaning of DevSecOps

Just as in the traditional separation of Devs and Ops, security has traditionally been the task of a detached team or individuals. Security concerns were thus considered outsourced and rather down the line in development. Security as a silo, so to speak. Security specialists are good in detecting security holes, but within a traditional environment they rarely understand how modern software development teams – an agile DevOps organization – work together.

In order to fully exploit the agility and responsiveness of DevOps while increasing application security, security has to be an integral part of the lifecycle and must be included from the beginning.

To underline the ever-increasing importance of cybersecurity, the term DevSecOps has been formed:

DevSecOps means that everyone involved in the software development process is responsible for security and continuously improves and automates and integrates it into the development process right from the beginning.

Incorporate security into your DevOps workflows right from the beginning

What sounds like a matter of course, was (and is) not always the case. The classic developer is more concerned about the functionality than about the security of an application. In addition, new technologies such as container platforms (e.g. Docker) and microservices are, despite the many benefits such as the continuous delivery of code, leading to new problems and security concerns, as ever-shorter release cycles can no longer withstand manual testing.

DevSecOps should lead to a rethinking by integrating IT security and security features wherever possible into the automation workflows. The integration of existing security teams and employees and an associated cultural change is just as important as the selection of the right security tools.

With the DevSecOps approach, security should be integrated right from the start and should not be added later or considered after the development is completed. Development, IT operations and security teams need to be made aware of information security and pull together. Transparency, continuous feedback, and mutual insights are just as important as sharing known threats and vulnerabilities. For developers, this often requires rethinking because these processes were not always part of application development.

DevSecOps automation = automation of security

A successful adoption of DevSecOps principles requires the automation of repetitive tasks and checks, as manual security checks take a lot of time and are more prone to errors.

Technologies that facilitate DevSecOps include containers and microservices: DevOps security practices need to be customized as they are not suitable for static or manual testing. Information security must be integrated throughout the whole application cycle and has to be continuously improved. Modern agile teams already use automated validation and test points within the DevOps pipelines to increase application and code security while enabling fast release cycles. If the tests and checks can not be integrated into the CI/CD pipelines, the development process is likely to bypass the security audit, which in turn can lead to security vulnerabilities.

DevSecOps makes security an integral part of the entire development process. DevOps teams must incorporate security from the beginning and automate it as much as possible so they can to continuously test and protect all data, microservices, container, and CI/CD processes. Integrated testing should provide the team with an overview in real time and vulnerabilities and bugs can be quickly identified and closed.

Conclusion: security is more important today than ever

Almost daily reports about cyber attacks, security holes, data losses and lax security standards of large corporations remind us again and again how important security is today. Security should be a standard repertoire in DevOps teams, and with today’s approaches and tools, the overhead is usually manageable.

Due to the short development cycles nowadays, it is possible to test earlier and thus also recognize problems earlier. The integration of application security therefore also means using security and testing tools from the early development process and not just in the live operation of the application.

Is DevSecOps worth it?

Of course, the integration of security into the DevOps process means more effort (than not to do it), but in the long run, the investment pays off. Agility and security can not only be combined, they even can benefit from each other, if the team lives transparency, openness and the sharing of know-how. And at least since the negative headlines from the recent past, everyone should be clear about just how important security is.

SIGS DevSecOps Forum

Aarno, our CTO, held a talk about Continuous (Security) improvement in the DevOps process on the SIGS DevSecOps Forum on December 4th 2018 at Mobiliar in Bern.

VSHN_DevSecOps_SIGS_Bern_Aarno_Aukia_2018_2

VSHN_DevSecOps_SIGS_Bern_Aarno_Aukia_2018_1

You can find the slides of Aarno’s talk here:

Related links

In agile software development, there is also the term “shift to the left”, which means moving the validation to earlier stages of development (see DevSecOps.org).

Or security is treated as a customer feature rather than adding non-functional requirements to the product backlog (Michele Chubirka aka “Mrs. Y” on postmodernsecurity.com).

What do you think about DevSecOps?

What does DevSecOps mean to you? Is it already the new standard or just another step on the way to GitOps? We would be very happy to receive your feedback on the topic, via @vshn_ch, mail or the contact form below.