Putting DevOps into practice has allowed companies to accelerate their software delivery while ensuring that critical aspects of development and operations are addressed. I will explain how security is added to this methodology and discuss DevSecOps.
What is DevSecOps?
The DevOps method eliminated the ops bottleneck in the delivery circuit, enabling faster deployment to production. It also improved the operations feedback loop, giving developers more control over their production code. However, more immediate delivery can also mean the faster deployment of security vulnerabilities.
This forces the organization to rethink its security policies, responding to the need for constant monitoring of security vulnerabilities while preventing this monitoring from becoming a bottleneck.
Therefore, DevSecOps is an extension of the DevOps approach, which considers security a shared responsibility that must be integrated into the development process.
It can be seen simply as “DevOps done right”: the collaborative working model of DevOps aims to create a culture that brings developers and ops together to break down silos. DevSecOps adds the security team to the discussion to enable fast, efficient, and secure software delivery.
In essence, DevSecOps aims to:
- foster collaboration between DevOps and security teams
- implement the principle of security as code, integrating security concerns into the software development process itself
How to adopt a DevSecOps approach?
To adopt a DevSecOps approach, you will need to focus on 3 axes: people, process, and technology.
No investment in training and tools will allow your organization to move to a DevSecOps approach if the people at the heart of this collaboration are not interested.
The first step is to designate a volunteer “security champion” in each team. This person is a developer interested in strengthening the company’s security posture but does not necessarily have a background in it.
They will be the team's point of reference for security choices, responsible for raising security-related questions while the backlog is being defined, and they will answer the team's questions about security.
The second step is to create a network of security champions within the organization. The aim is thus to share their knowledge and answer questions from others, for example, in the form of a security guild. In large organizations (more than ten teams), security advocate roles can emerge from security champions to add a layer of coordination and expertise.
Security issues are escalated along an Andon-style chain: from the team to the security champions and advocates, and finally to the security team if necessary.
This system ensures that each advocate learns as much as possible from the problems encountered. It allows for continuous improvement (kaizen), increases awareness of security issues, and reduces the time it takes to resolve them.
The results driven by the DevSecOps approach are made possible by modifying existing processes to enable collaboration between DevOps and security teams.
In particular, the measures that will have the most impact on your organization are:
- collaborative work sessions with DevOps and security teams on enterprise vulnerability patterns
- regular auditing of automated tests by security experts
- the inclusion of security features in the software delivery backlog:
  - include a feature security assessment in the “definition of ready” (list of prerequisites for a task)
  - include a green light from the automated security test tools in the “definition of done” (list of validation criteria for a task)
More generally, developing the DevSecOps process is an iterative effort. It starts with experimenting with a collaborative process between the two teams at a given software delivery stage. This is followed by supervision of the process agreed as a result of that experiment and, finally, by a security audit of the established standard process.
This process can then be applied by various teams in various contexts and refined according to the principles of agile methodology. Using a standard method reduces the risk that a team's own variant of the process introduces security gaps.
Adopting a DevSecOps approach involves adding a variety of security solutions and best practices to the DevOps toolkit.
First, you want to automate security at all stages of software delivery. To do this, you need to add security tools to your CI/CD pipeline, such as:
- automated security testing
- DAST/IAST/SAST scanning stages (dynamic, interactive, and static application security testing)
- vulnerability checks
- logging and monitoring tools
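The article asks for security as code and for a "green light" from the automated security tools as part of the definition of done. The script below is an added example (not code from the original article) of what that gate can look like as a pipeline step: it normalises findings from several scanners, applies a written-down policy, and fails closed. The report format, tool names, rule IDs, file paths and the risk-acceptance records are all constructed for the example; real SAST/DAST/dependency scanners each have their own output format and would need a small adapter in front of `load_findings`.

```python
"""Pipeline security gate: turn scanner findings into a pass/fail verdict.

Added example, not the article's code. The input format is a constructed,
simplified normalisation of scanner output; rule IDs and paths are made up.
"""
import sys
from dataclasses import dataclass, field
from datetime import date

# Policy is data, so it can be reviewed and versioned alongside the code.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str        # which scanner reported it (constructed labels below)
    rule_id: str     # scanner rule or advisory identifier
    severity: str    # expected to be a key of SEVERITY_RANK
    location: str    # file:line or URL the scanner reported


@dataclass(frozen=True)
class RiskAcceptance:
    """A reviewed exception. It must name rule *and* location, and it expires,
    so an acceptance can never silently become permanent or over-broad."""
    rule_id: str
    location: str
    expires: date
    reason: str

    def matches(self, f: Finding) -> bool:
        return self.rule_id == f.rule_id and self.location == f.location


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)         # findings that fail the build
    accepted: list = field(default_factory=list)         # covered by a valid acceptance
    expired: list = field(default_factory=list)          # acceptances that have lapsed
    below_threshold: list = field(default_factory=list)  # reported, not blocking


def load_findings(reports: dict) -> list:
    """Normalise {tool: [report entries]} into Finding objects."""
    findings = []
    for tool, entries in reports.items():
        for e in entries:
            findings.append(Finding(tool, e["rule_id"], str(e["severity"]).lower(), e["location"]))
    return findings


def evaluate(findings, acceptances, today: date, fail_on: str = "high") -> GateResult:
    """Block on any finding at or above `fail_on` unless a current acceptance covers it."""
    threshold = SEVERITY_RANK[fail_on]
    result = GateResult(passed=True)
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity)
        if rank is None:
            # Fail closed: a severity the policy does not understand is never ignored.
            result.blocking.append(f)
            continue
        if rank < threshold:
            result.below_threshold.append(f)
            continue
        matching = [a for a in acceptances if a.matches(f)]
        if any(today <= a.expires for a in matching):
            result.accepted.append(f)
            continue
        result.expired.extend(a for a in matching if today > a.expires)
        result.blocking.append(f)
    result.passed = not result.blocking
    return result


# Constructed sample input: what adapters for three scanners might hand the gate.
SAMPLE_REPORTS = {
    "sast": [
        {"rule_id": "SAST-INSECURE-RANDOM", "severity": "high", "location": "app/util.py:12"},
        {"rule_id": "SAST-HARDCODED-SECRET", "severity": "medium", "location": "app/config.py:7"},
    ],
    "dependency-check": [
        {"rule_id": "CVE-PLACEHOLDER", "severity": "critical", "location": "requirements.txt:libfoo==1.2.3"},
    ],
    "dast": [
        {"rule_id": "DAST-MISSING-HSTS", "severity": "low", "location": "https://staging.example.test/"},
        {"rule_id": "DAST-TLS-UNKNOWN", "severity": "???", "location": "https://staging.example.test/api"},
    ],
}

SAMPLE_ACCEPTANCES = [
    RiskAcceptance("SAST-INSECURE-RANDOM", "app/util.py:12", date(2030, 1, 1),
                   "non-security use (test data generator); reviewed by the security champion"),
    RiskAcceptance("CVE-PLACEHOLDER", "requirements.txt:libfoo==1.2.3", date(2020, 1, 1),
                   "awaiting upstream fix; acceptance was time-boxed and has lapsed"),
]


def run_sample_gate(today: date = date(2025, 6, 1), fail_on: str = "high") -> GateResult:
    return evaluate(load_findings(SAMPLE_REPORTS), SAMPLE_ACCEPTANCES, today, fail_on)


if __name__ == "__main__":
    r = run_sample_gate()
    for f in r.blocking:
        print(f"BLOCK  {f.tool:17} {f.rule_id:22} {f.severity:9} {f.location}")
    for a in r.expired:
        print(f"EXPIRED acceptance for {a.rule_id} at {a.location} (expired {a.expires})")
    print("gate:", "PASS" if r.passed else "FAIL")
    sys.exit(0 if r.passed else 1)
```

Run with the sample data the gate fails: the critical dependency finding blocks because its acceptance has expired, and the DAST finding with an unrecognised severity blocks because the policy fails closed. The high SAST finding is accepted only because a reviewed, unexpired acceptance names both its rule and its exact location. Exit status is what the pipeline consumes, so wiring this in as the last step of the scanning stage is what turns the "green light" in the definition of done into an enforced check rather than a convention.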
Next, you want to build security by design into your governance. To do this, you must implement standards and best practices, such as:
- OWASP standards
- Secure Coding Practices
- enabling TLS (Transport Layer Security) encryption by default
- enforcing API authentication for all clients (including nodes and proxies…)
What benefits can my organization expect?
First, adopting a DevSecOps approach improves the overall security of your product, which in turn increases its quality and robustness.
Moving vulnerability controls earlier in the delivery process allows your organization to discover and fix vulnerabilities at an early stage. This results in less stressful and less complex corrections, as well as a reduction in the costs incurred.
Finally, integrating security into the delivery process also strengthens your security posture and allows more frequent deployments with fewer manual operations: 61% of organizations with a mature DevSecOps culture say they can deploy on demand, compared to 46% on average (see Puppet’s 2019 State of DevOps report).
By removing the security bottleneck, adopting a DevSecOps approach accelerates your product delivery, as well as security and compliance-related transformations.
DevSecOps is a culture that sees collaboration between development, operations, and security teams as the foundation for efficient and robust product delivery.
Its implementation requires a change in culture, technology, and process. But it represents a step towards greater collaboration between project stakeholders and the use of automation to ensure that security practices are built into the product by default.
Along with better security for the product itself, a DevSecOps approach also allows for better cooperation, faster product delivery, and increased confidence in the overall security posture.