What is DevSecOps?
DevSecOps is a software development practice that adds cybersecurity (Sec) to DevOps, which is itself a combination of software development (Dev) and IT operations (Ops). Before the advent of DevOps, developers wrote code and turned it over to IT operations teams, which handled the process of deploying it onto production systems. As agile software development methodologies accelerated the pace of software code releases, these handoffs between organizations became unmanageable. To solve the problem, DevOps unified the development and deployment processes, along with the respective teams who handled the work.
The difficulty is that security does not disappear just because DevOps has sped up the process of writing and releasing code. If anything, the faster pace of development creates more security risk for applications. The chance that a vulnerability or malicious code will make it into production gets greater with DevOps.
DevSecOps offers a solution. It integrates security measures into each stage of the DevOps software development lifecycle (SDLC)—making security part of the continuous integration/continuous delivery (CI/CD) pipeline. Working with DevSecOps, developers, QA team members, and IT operations staff can attend to security issues as they arise. This is an improvement over the previous practice of introducing security steps late in the SDLC.
How does DevSecOps work?
To understand how DevSecOps works, it’s first necessary to grasp how the DevOps workflow operates. There are of course many ways to implement DevOps. It’s an approach to software development, not a standard or a product. Indeed, DevOps is often depicted as an infinite loop that incorporates a wide variety of tools and practices. However, most DevOps teams use a five-stage CI/CD pipeline approach, into which DevSecOps embeds security:
- Code—In coding, DevSecOps works to ensure that open-source code components do not contain known vulnerabilities or include malware, both of which are unfortunately common problems. At this stage, QA testers may run security tests on the source code as well as on application programming interfaces (APIs) connected to the application.
- Build—At the build stage, DevSecOps applies controls that mitigate risks related to operating systems, application dependencies, and more.
- Prep—Before the Ops team deploys the code, DevSecOps takes steps to ensure that the application complies with the organization’s security policies. For example, if policy dictates that data must be encrypted in transit, DevSecOps should include a check to make sure this is occurring.
- Deploy—Vulnerabilities or security-related misconfigurations need to have been identified and remediated prior to deployment.
- Run—When the application is in production, DevSecOps needs to apply monitoring to catch threat signatures as well as anomalies that indicate that an attack is underway.
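As an added illustration (not code from the original article), here is a small Python CI gate that encodes two of the checks the stages above call for: the Code-stage check that no dependency is pinned to a known vulnerable version, and the Prep-stage check that the deployment config enforces encryption in transit. The advisory list, package names, versions and service config are constructed sample values; a real pipeline would pull advisories from a vulnerability feed.

```python
# Constructed advisories: package -> list of (first vulnerable, first fixed).
ADVISORIES = {
    "libfoo": [("1.0.0", "1.4.2")],
    "jsonparse": [("2.0.0", "2.3.0")],
}

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def vulnerable_dependencies(lockfile_text):
    """Lockfile lines look like 'name==version'. Returns one finding per match."""
    findings = []
    for line in lockfile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        for first_bad, fixed in ADVISORIES.get(name, []):
            if parse_version(first_bad) <= parse_version(version) < parse_version(fixed):
                findings.append(f"{name}=={version}: known vulnerable, fixed in {fixed}")
    return findings

def transit_encryption_violations(config):
    """Policy: every exposed listener has TLS on, every upstream URL is https."""
    violations = []
    for svc, settings in config.items():
        if settings.get("exposed") and not settings.get("tls"):
            violations.append(f"{svc}: exposed listener without TLS")
        for url in settings.get("upstreams", []):
            if not url.startswith("https://"):
                violations.append(f"{svc}: cleartext upstream {url}")
    return violations

def gate(lockfile_text, config):
    """Returns (passed, findings); a CI job fails the build when passed is False."""
    findings = vulnerable_dependencies(lockfile_text) + transit_encryption_violations(config)
    return (not findings, findings)

# Constructed sample input: one vulnerable pin and one cleartext upstream.
SAMPLE_LOCKFILE = "# constructed lockfile\nlibfoo==1.2.0\njsonparse==2.3.1\nhttpclient==3.1.0\n"
SAMPLE_CONFIG = {
    "api": {"exposed": True, "tls": True, "upstreams": ["https://db.internal"]},
    "worker": {"exposed": False, "upstreams": ["http://cache.internal"]},
}
if __name__ == "__main__":
    passed, findings = gate(SAMPLE_LOCKFILE, SAMPLE_CONFIG)
    print("PASS" if passed else "FAIL", *findings, sep="\n")
```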
DevOps vs DevSecOps
It’s not entirely accurate to say that DevSecOps is simply DevOps with security measures thrown in. A DevOps process, on its own, almost always contains some security steps. The issue is how and where they are placed in the DevOps workflow. If DevOps isolates security as a discrete step at the end of the development process, that is not DevSecOps. There is security, for sure, but it’s not an optimal situation.
The implication of DevSecOps is that it’s DevOps, with security added as an integrated, collaborative part of the entire workflow. Security exists at each stage in the SDLC. It’s not, to borrow a phrase from the old days of coding, “thrown over the wall.” It’s important to note, however, that DevSecOps also implies the use of special tools and automation.
Benefits of DevSecOps
DevSecOps delivers two interrelated benefits: it speeds up the development of secure software, and the software itself is more secure than it would have been under traditional development workflows. On the first point, security almost always slows down the cycle of developing, testing, and releasing software. If security steps come later in the cycle, the slowdown is all the more pronounced. In the worst case, if security teams detect vulnerabilities or the presence of malicious code after deployment to production, the result is a long, costly, and potentially public remediation process.
Fixing security problems in software was also traditionally a point of friction between developers and security teams. Developers might have an “it’s not my job” attitude about security and resent the intrusion and task-switching involved in rewriting insecure code. This dynamic, coupled with security’s tendency to slow things down, often led to security being de-emphasized or ignored outright—a move that negatively affected security posture.
DevSecOps reduces the likelihood of this outcome. By streamlining and automating security in the DevOps CI/CD workflow, DevSecOps makes it possible to execute more security tests and controls on software before it reaches production. The resulting software should be more secure than code produced in the traditional way. In production, DevSecOps enables more rapid patching of vulnerabilities. This holds if the DevSecOps workflow includes vulnerability scanning, with the ability to identify and patch common vulnerabilities and exposures (CVEs).
Why DevSecOps matters
DevSecOps matters today because of a dangerous confluence of trends in technology. As software development and release cycles speed up, the cyber threat environment grows more serious. More code is exposed to ever-graver threats. It’s not a good combination for today’s businesses, many of which depend on software for strategic differentiation and their overall business models. They cannot accept high levels of risk exposure. DevSecOps is a necessity in this context.
Security has always been important for organizations that create software. The need for security is only getting more intense, however, as malicious actors grow in sophistication. At the same time, software makers face pressure to release code at a faster pace than ever before. This requirement is potentially at odds with security, but DevSecOps offers a way forward. With DevSecOps, software makers can execute a rapid SDLC while maintaining a strong security posture.