What is DevSecOps?
DevSecOps—short for development, security, and operations—automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.
DevSecOps represents a natural and necessary evolution in the way development organizations approach security. In the past, security was 'tacked on' to software at the end of the development cycle (almost as an afterthought) by a separate security team and was tested by a separate quality assurance (QA) team.
This was manageable when software updates were released just once or twice a year. But as software developers adopted Agile and DevOps practices, aiming to reduce software development cycles to weeks or even days, the traditional 'tacked-on' approach to security created an unacceptable bottleneck.
DevSecOps integrates application and infrastructure security seamlessly into Agile and DevOps processes and tools. It addresses security issues as they emerge, when they're easier, faster, and less expensive to fix (and before they are put into production). Additionally, DevSecOps makes application and infrastructure security a shared responsibility of development, security, and IT operations teams, rather than the sole responsibility of a security silo. It enables “software, safer, sooner”—the DevSecOps motto–by automating the delivery of secure software without slowing the software development cycle.
Benefits of DevSecOps
The two main benefits of DevSecOps are speed and security. Development teams deliver better, more-secure code faster, and, therefore, cheaper.
“The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required,” describes Shannon Lietz, co-author of the “DevSecOps Manifesto.”
Rapid, cost-effective software delivery
When software is developed in a non-DevSecOps environment, security problems can lead to huge time delays. Fixing the code and security issues can be time-consuming and expensive. The rapid, secure delivery of DevSecOps saves time and reduces costs by minimizing the need to repeat a process to address security issues after the fact.
This becomes more efficient and cost-effective since integrated security cuts out duplicative reviews and unnecessary rebuilds, resulting in more secure code.
Improved, proactive security
DevSecOps introduces cybersecurity processes from the beginning of the development cycle. Throughout the development cycle, the code is reviewed, audited, scanned, and tested for security issues. These issues are addressed as soon as they are identified. Security problems are fixed before additional dependencies are introduced. Security issues become less expensive to fix when protective technology is identified and implemented early in the cycle.
Additionally, better collaboration between development, security, and operations teams improves an organization’s response to incidences and problems when they occur. DevSecOps practices reduce the time to patch vulnerabilities and free up security teams to focus on higher value work. These practices also ensure and simplify compliance, saving application development projects from having to be retrofitted for security.
Accelerated security vulnerability patching
A key benefit of DevSecOps is how quickly it manages newly identified security vulnerabilities. As DevSecOps integrates vulnerability scanning and patching into the release cycle, the ability to identify and patch common vulnerabilities and exposures (CVE) is diminished. This limits the window a threat actor has to take advantage of vulnerabilities in public-facing production systems.
Automation compatible with modern development
Automation of security checks depends strongly on the project and organizational goals. Automated testing can ensure incorporated software dependencies are at appropriate patch levels, and confirm that software passes security unit testing. Plus, it can test and secure code with static and dynamic analysis before the final update is promoted to production.
A repeatable and adaptive process
As organizations mature, their security postures mature. DevSecOps lends itself to repeatable and adaptive processes. This ensures security is applied consistently across the environment, as the environment changes and adapts to new requirements. A mature implementation of DevSecOps will have a solid automation, configuration management, orchestration, containers, immutable infrastructure, and even serverless compute environments.
Best practices for DevSecOps
DevSecOps should be the natural incorporation of security controls into your development, delivery, and operational processes.
'Shift left' is a DevSecOps mantra: It encourages software engineers to move security from the right (end) to the left (beginning) of the DevOps (delivery) process. In a DevSecOps environment, security is an integral part of the development process from the beginning. An organization that uses DevSecOps brings in their cybersecurity architects and engineers as part of the development team. Their job is to ensure every component, and every configuration item in the stack is patched, configured securely, and documented.
Shifting left allows the DevSecOps team to identify security risks and exposures early and ensures that these security threats are addressed immediately. Not only is the development team thinking about building the product efficiently, but they are also implementing security as they build it.
Security is a combination of engineering and compliance. Organizations should form an alliance between the development engineers, operations teams, and compliance teams to ensure everyone in the organization understands the company's security posture and follows the same standards.
Everyone involved with the delivery process should be familiar with the basic principles of application security, the Open Web Application Security Project (OWASP) top 10, application security testing, and other security engineering practices. Developers need to understand thread models, compliance checks, and have a working knowledge of how to measure risks, exposure, and implement security controls
Culture: Communication, people, processes, and technology
Good leadership fosters a good culture that promotes change within the organization. It is important and essential in DevSecOps to communicate the responsibilities of security of processes and product ownership. Only then can developers and engineers become process owners and take responsibility for their work.
DevSecOps operations teams should create a system that works for them, using the technologies and protocols that fit their team and the current project. By allowing the team to create the workflow environment that fits their needs, they become invested stakeholders in the outcome of the project.
Traceability, auditability, and visibility
Implementing traceability, auditability, and visibility in a DevSecOps process leads to deeper insight and a more secure environment:
- Traceability allows you to track configuration items across the development cycle to where requirements are implemented in the code. This can play a crucial part in your organization’s control framework as it helps achieve compliance, reduce bugs, ensure secure code in application development, and help code maintainability.
- Auditability is important for ensuring compliance with security controls. Technical, procedural, and administrative security controls need to be auditable, well-documented, and adhered to by all team members.
- Visibility is a good management practice in general, but very important for a DevSecOps environment. This means the organization has a solid monitoring system in place to measure the heartbeat of the operation, send alerts, increase awareness of changes and cyberattacks as they occur, and provide accountability during the whole project lifecycle.
DevSecOps and IBM
IBM has a suite of DevSecOps-ready tools and services to enable secure continuous delivery, integrated security testing, and cloud native delivery pipelines.
IBM’s Urban Code helps IBM customers automate software deployment, gain control over complex release cycles, speed the release process, and improve product quality.
Learn more about how IBM can support your DevSecOps practices and sign up for a free IBM Cloud account today to get started with the IBM Cloud Pak for Applications.