DevSecOps - inviting security to the DevOps party

Posted by Nikos Tsirmirakis on 2022-11-14

DevSecOps is the practice of injecting security tests and controls into the early stages of the software development life cycle (SDLC), whether for an application or for infrastructure that is deployed in an automated manner (Infrastructure as Code). This approach allows organisations to detect security defects and address any concerns earlier in the process. It is also called shifting left, because security is involved from day one rather than only at the last stage just before deployment to production, which is very common with the waterfall model.

DevSecOps is built on the following pillars:

  1. People
  2. Processes
  3. Technology (Tools)

People are the most important and most challenging element to improve, as it involves changing mindsets so that security is seen as everyone's responsibility. It is crucial that all teams share a common goal and that communication is clear and effective. Everyone is encouraged to take ownership of security through training and security champion programs. Strong feedback loops ensure that teams and individuals can work collaboratively and improve together.

Processes are the second most difficult element to implement, as they require changes to internal ways of working. Well-defined processes are key to a modular architecture: they give flexibility in selecting tools and define security quality gates that assess software and infrastructure against stated requirements. They also let an organisation set measurable goals and improve its ability to quickly contain and respond to security incidents.

Technology (tools) is the most tangible and easiest element to implement. Tools are an integral part of DevSecOps, and there is plenty to choose from, with a wide range of enterprise and open-source solutions on the market. Automation lets compliance checks and validation scale without a significant impact on cost or timelines. However, tools alone are not a recipe for a successful DevSecOps program; that can only be achieved with all three elements in place.

Why is it worth it and what’s in it for you?

  • Enhanced security
  • Quicker deployment
  • Cost reduction for fixing security defects

There are several benefits to implementing a DevSecOps program and shifting security left. Which ones matter most depends on the organisation's priorities, but the reduced cost and the speed of fixing security defects are the most compelling arguments. According to a widely cited NIST report, fixing a defect in the early stages of development can be up to 30 times cheaper than fixing it in the later stages.

What do you need to start?

  • DevOps processes and pipelines in place (or at least a roadmap to implement it)
  • Desire to shift security left and put security at the heart of your SDLC

A DevSecOps program can be implemented gradually through your automated CI/CD pipelines; however, DevOps processes have to be in place first, as they are the foundation it builds on.
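As an added illustration of the security quality gates mentioned under Processes and of introducing DevSecOps gradually through the pipeline, here is a small Python gate script. It is example code written for this page, not part of any product or the author's own tooling. It reads SARIF (the report format most SAST, IaC and container scanners can emit), blocks the build on any new finding at or above a configurable severity, and accepts legacy findings listed in a baseline, so a team can start with a loose threshold on day one and tighten it over time. The scanner name, rule IDs, file paths and the SARIF document itself are constructed for the example and do not refer to any real tool.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field

# SARIF 2.1.0 "level" values, ranked so a severity threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    def fingerprint(self) -> str:
        # Stable key used to match a finding against the accepted baseline.
        return f"{self.tool}:{self.rule_id}:{self.uri}:{self.line}"


@dataclass
class GateResult:
    fail_on: str
    blocking: list[Finding] = field(default_factory=list)   # new findings at/above threshold
    accepted: list[Finding] = field(default_factory=list)   # at/above threshold but baselined
    below_threshold: list[Finding] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking


def parse_sarif(doc: dict) -> list[Finding]:
    """Flatten a SARIF document (any tool, any number of runs) into Finding records."""
    findings: list[Finding] = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            findings.append(Finding(
                tool=tool,
                rule_id=result.get("ruleId", "<no-rule>"),
                level=result.get("level", "warning"),  # SARIF's default level is "warning"
                uri=physical.get("artifactLocation", {}).get("uri", "<unknown>"),
                line=physical.get("region", {}).get("startLine", 0),
                message=result.get("message", {}).get("text", ""),
            ))
    return findings


def evaluate_gate(findings: list[Finding], fail_on: str, baseline: set[str]) -> GateResult:
    """Gate policy: block on findings at or above `fail_on` unless their fingerprint is baselined."""
    if fail_on not in LEVEL_RANK:
        raise ValueError(f"unknown severity {fail_on!r}; expected one of {sorted(LEVEL_RANK)}")
    threshold = LEVEL_RANK[fail_on]
    result = GateResult(fail_on=fail_on)
    for f in findings:
        if LEVEL_RANK.get(f.level, LEVEL_RANK["warning"]) < threshold:
            result.below_threshold.append(f)
        elif f.fingerprint() in baseline:
            result.accepted.append(f)
        else:
            result.blocking.append(f)
    return result


def run_gate(doc: dict, fail_on: str, baseline: set[str]) -> int:
    """Parse, evaluate, print a summary and return the exit code a CI job should use."""
    result = evaluate_gate(parse_sarif(doc), fail_on, baseline)
    for f in result.blocking:
        print(f"BLOCK  {f.level:8} {f.rule_id} {f.uri}:{f.line}  {f.message}")
    for f in result.accepted:
        print(f"ACCEPT {f.level:8} {f.rule_id} {f.uri}:{f.line}  (in baseline)")
    print(f"gate fail_on={fail_on}: {'PASS' if result.passed else 'FAIL'} "
          f"({len(result.blocking)} blocking, {len(result.accepted)} accepted, "
          f"{len(result.below_threshold)} below threshold)")
    return 0 if result.passed else 1


# Constructed SARIF output from a fictional scanner; rule IDs and paths are made up for this example.
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "demo-scanner"}}, "results": [
  {"ruleId": "DEMO-SHELL-INJECTION", "level": "error",
   "message": {"text": "subprocess called with shell=True and user-controlled input"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/deploy.py"}, "region": {"startLine": 42}}}]},
  {"ruleId": "DEMO-HARDCODED-SECRET", "level": "error",
   "message": {"text": "credential literal in source"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"}, "region": {"startLine": 7}}}]},
  {"ruleId": "DEMO-WEAK-HASH", "level": "warning",
   "message": {"text": "MD5 used for password hashing"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 88}}}]},
  {"ruleId": "DEMO-VERBOSE-ERRORS", "level": "note",
   "message": {"text": "stack trace returned to client"},
   "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"}, "region": {"startLine": 15}}}]}
]}]}
""")

# Legacy finding accepted on day one so the gate can be switched on without blocking every build.
BASELINE = {"demo-scanner:DEMO-HARDCODED-SECRET:app/config.py:7"}

if __name__ == "__main__":
    import sys
    # Stage 1 (day one): block only new error-level findings; known ones are baselined.
    stage1 = run_gate(SAMPLE_SARIF, "error", BASELINE)
    # Stage 2 (target state): warnings block too and the baseline has been worked off.
    stage2 = run_gate(SAMPLE_SARIF, "warning", set())
    sys.exit(max(stage1, stage2))
```

In a real pipeline the SARIF document would be read from the scanner's output file and the baseline kept in version control next to the code, so every accepted finding is reviewed in a pull request; tightening `fail_on` from error to warning and shrinking the baseline over time is the gradual roll-out the text describes.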

How can I help?

  • Assessment (based on OWASP SAMM and DevOps process review)
  • Road map (processes and tooling)
  • Deployment

If you need help implementing a DevSecOps program and adding a security twist to your DevOps CI/CD pipelines, get in touch.