DevSecOps integrates an organization's security team into the traditional DevOps organization. While DevOps integrates software development and production teams to produce bug-free applications, DevSecOps takes the added step of ensuring those applications are secure. The goal of DevSecOps is to embed security checks into every aspect of software development and production, adding another layer of prevention against data breaches and cyberattacks.
Application security is a critical, but often overlooked, part of the software development process. Security review and testing traditionally happens at the end of a development cycle, when the code is already written, compiled, and ready for production. Separating security testing from the rest of the development process is not practical in a world of continuous cyberattacks and creative hackers who constantly invent new ways of penetrating applications and accessing confidential data.
In addition, cloud computing enables employees to spin up extra servers or storage capacity without the knowledge of IT security personnel. Confidential data may then be stored on misconfigured and unprotected public environments.
Another problem is that security personnel may not know about updates to application code, some of which may have major security implications. A paper by 451 Research, “Refocusing Security Operations in the Cloud Era,” reports that software development teams often fail to inform security operations teams about updates, such as a new version of a component that incorporates different libraries or business logic.
Lastly, IT security personnel may lack subject matter expertise in the organization’s technologies, such as specific databases and applications. Because of this, security personnel may fail to identify subtle but potentially dangerous vulnerabilities in the code or be unable to fix problems that arise.
The merger of development, production, and security operations provides benefits to all three teams. Production employees gain more secure applications with fewer data breaches. Developers can work without fearing that a final security review will surface major problems and impede the application’s release. The security team gains knowledge of DevOps best practices, faster security reviews, and more positive interactions with development and production colleagues.
The DevOps model emphasizes automation, continuous feedback and testing, early bug detection, a regular schedule of code releases, and collaboration between all personnel. The benefits of adding security to the DevOps process include:
Merging security with DevOps requires changes to traditional IT security processes and work culture. Below are guidelines for developing a successful DevSecOps team:
Develop shared goals. Development and security teams have, in the past, aimed to meet different, usually conflicting, performance goals. Developers may view security as an obstacle to quickly producing code, while security personnel may consider developers’ focus on speedy deployment a threat to prudent security. For DevSecOps to work effectively, the teams need complementary performance objectives.
Adopt security automation tools. Security reviews are often conducted manually and may be constrained by the need to quickly deploy the application. Manual security testing and review slows the development cycle and may fail to identify some code vulnerabilities. Automated security testing tools are faster, more thorough, and compatible with DevOps workflows. Two types of automated testing solutions—static application security testing (SAST) and dynamic application security testing (DAST)—aid thorough security testing. SAST tools analyze source code and provide continuous feedback on code updates. DAST tools can detect potential problems in a compiled application during the quality assurance (QA) stage. Both tools are helpful in identifying vulnerabilities early in the development process without slowing the release cycle.
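One way to make SAST and DAST results actionable in a pipeline is a release gate that reads both tools' reports and blocks the build on findings above an agreed severity. The following is an added example, not code from the original text or from any particular scanner; the SARIF-like report shape, the `sast-example`/`dast-example` tool names and the findings in them are constructed for illustration.

```python
"""Pipeline release gate combining SAST and DAST findings (added example)."""
import json
from dataclasses import dataclass

# Constructed sample reports in a simplified SARIF-like shape. Real scanner
# output is richer, but the "runs -> results" structure is the same idea.
SAST_REPORT = json.dumps({"runs": [{"tool": {"driver": {"name": "sast-example"}}, "results": [
    {"ruleId": "sql-injection", "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
    {"ruleId": "weak-hash", "level": "warning",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
]}]})
DAST_REPORT = json.dumps({"runs": [{"tool": {"driver": {"name": "dast-example"}}, "results": [
    {"ruleId": "missing-csp-header", "level": "note",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://staging.example.test/"}}}]},
]}]})

# Ordinal severity so thresholds can be compared; SARIF levels are error/warning/note/none.
SEVERITY = {"error": 3, "warning": 2, "note": 1, "none": 0}

@dataclass(frozen=True)
class Finding:
    stage: str      # "sast" (source analysis) or "dast" (running application)
    rule: str
    level: str
    location: str   # file path for SAST, URL for DAST

def parse_sarif(text, stage):
    """Flatten a SARIF-like report into Finding records tagged with the pipeline stage."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations", [{}])[0].get("physicalLocation", {})
                   .get("artifactLocation", {}).get("uri", "?"))
            # SARIF treats a missing level as "warning".
            findings.append(Finding(stage, result.get("ruleId", "?"), result.get("level", "warning"), loc))
    return findings

def gate(findings, block_at="error", allowlist=frozenset()):
    """Return (passed, blocking): findings at or above block_at fail the build unless the rule is allowlisted."""
    threshold = SEVERITY[block_at]
    blocking = [f for f in findings if SEVERITY.get(f.level, 2) >= threshold and f.rule not in allowlist]
    return (not blocking, blocking)

if __name__ == "__main__":
    all_findings = parse_sarif(SAST_REPORT, "sast") + parse_sarif(DAST_REPORT, "dast")
    passed, blocking = gate(all_findings)
    for f in blocking:
        print(f"BLOCK [{f.stage}] {f.rule} ({f.level}) at {f.location}")
    raise SystemExit(0 if passed else 1)   # non-zero exit fails the pipeline stage
```

Lower-severity findings are still reported to the whole team but do not block the release, which keeps the gate from slowing the cycle on noise; the allowlist records accepted risks explicitly rather than by silently lowering the threshold.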
Select core security standards. An IT security team may have adopted many different security standards and protocols over the years. However, automating security standards requires reducing their number. Identify the core standards for different IT activities. For example, adopt a single content encryption standard. In addition, use pre-built compliance templates to simplify compliance with government security requirements. Focusing on a few core security requirements facilitates automation and enforcement.
Streamline team applications. Development, production, and security teams each have their favorite applications and tools. Merging the teams multiplies the number of tools, some of which serve the same functions. In addition, not all these tools are compatible. For example, security tools may not support cloud applications, and development tools may not incorporate adequate security testing features. Reducing and standardizing DevSecOps tools promotes a more collaborative development and testing process. It also enables team members to acquire deep expertise in a few tools rather than cursory knowledge of many tools.
Build security into the infrastructure with a SIEM. An organization may have multiple tools that generate alerts and updates on security threats. This information can be helpful to the security, development, and production teams, but may be hard to access. A security information and event management (SIEM) system collects, analyzes, and centralizes all this information. A SIEM receives information from multiple sources, including servers, network hardware, and the various security monitoring products in the organization. This central collection point for threat intelligence provides the DevSecOps teams with valuable insight into potential application vulnerabilities.
Provide all team members access to security data. In DevSecOps, security isn’t just the concern of the security team. All team members need access to data about security vulnerabilities. The addition of a SIEM helps in centralizing this data and making it available in a cohesive manner. The next step is ensuring that all the DevSecOps personnel can view the data. A SIEM dashboard, customized to each team member’s role, is one option. An alternative is to post security updates to a collaborative application to which all team members subscribe. A collaborative application can also provide a platform for personnel to share concerns about vulnerabilities or alerts from security agencies.
Encouraging collaboration between traditionally separate teams is often the most difficult aspect of DevSecOps. Many developers, production staff, and security professionals are accustomed to working separately with their own tools and information sources. An organization can establish an effective and successful DevSecOps team by: