DevOps security refers to the discipline and practice of safeguarding the entire DevOps environment through strategies, policies, processes, and technology. Security should be built into every part of the DevOps lifecycle, including inception, design, build, test, release, support, maintenance, and beyond.
When it comes to creating, releasing, and maintaining functional software, most organizations have a well-oiled machine in place.
However, when it comes to securing that software, not so much. Many development teams still perceive security as interference-—something that throws up hurdles and forces them to do rework, keeping them from getting cool new features to market.
But unsecured software puts businesses at increasing risk. Cool new features aren’t going to protect you or your customers if your product offers exploitable vulnerabilities to hackers. Instead, your team needs to integrate security into the entire software development life cycle (SDLC) so that it enables, rather than inhibits, the delivery of high-quality, highly secure products to the market.
A software development life cycle (SDLC) is a framework for the process of building an application from inception to decommission. Over the years, multiple SDLC models have emerged—from waterfall and iterative to, more recently, agile and CI/CD, which increase the speed and frequency of deployment. Thus, integrating security into the entire software development life cycle would be represented in a diagram like the following:
In the past, organizations usually performed security-related activities only as part of testing—at the end of the SDLC. As a result of this late-in-the-game technique, they wouldn’t find bugs, flaws, and other vulnerabilities until they were far more expensive and time-consuming to fix. Worse yet, they wouldn’t find any security vulnerabilities at all.
The Systems Sciences Institute at IBM reported that it costs six times more to fix a bug found during implementation than one identified during design. Furthermore, according to IBM, the cost to fix bugs found during the testing phase could be 15 times more than the cost of fixing those found during design.
So it’s far better, not to mention faster and cheaper, to integrate security testing across the SDLC, not just at the end, to help discover and reduce vulnerabilities early, effectively building security in. Security assurance activities include architecture analysis during design, code review during coding and build, and penetration testing before release. Thus, a diagram is often used to represent this
Here are some of the primary advantages of a secure SDLC approach:
Generally speaking, a secure SDLC involves integrating security testing and other activities into an existing development process. Examples include writing security requirements alongside functional requirements and performing an architecture risk analysis during the design phase of the SDLC.
DevSecOps automatically bakes in security at every phase of the software development lifecycle, enabling development of secure software at the speed of Agile and DevOps.
DevSecOps makes application and infrastructure security a shared responsibility of development, security, and IT operations teams, rather than the sole responsibility of a security silo.
DevSecOps—short for development, security, and operations—automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.
The IBM DevOps Intelligence Console is designed to integrate the security feature across all DevOps stages. the Secure dashboard has the purpose of providing visibility of key security components such as Static Scan and Open Source License Compliance. For more information, go to: Secure Dashboard