
How Integrating Security with DevOps Can Deliver More Secure Software

DevOps offers a great culture that bridges the gap between the development and operation teams while boosting the frequency of delivery. But if you want to leverage the responsiveness and agility of DevOps, IT security must be integrated into the full cycle of your software development process.

Why should you integrate security into DevOps?

The continuous delivery and agility that DevOps aims for make it hard for a separate security team to keep pace with development. DevSecOps answers this by making security a shared responsibility throughout the development process rather than a review bolted on at the end.

By integrating security into DevOps, enterprises can build a DevSecOps culture that helps them address security threats and challenges more effectively, in real-time. 

DevSecOps calls for two goals:

• Secure applications

• Rapid delivery

Building a DevSecOps approach requires a cultural and technical shift where it is important to view security teams as a valuable asset that helps mitigate risks and explore potential weaknesses in the software rather than a hindrance to agility. 

For instance, the early detection of vulnerabilities and security defects enables organizations to find remediations before those vulnerabilities are exploited at a later stage in the production or deployment environment. 

Exploring a DevSecOps Workflow

DevSecOps is a natural response to the bottleneck effect of traditional security models on the present-day continuous delivery pipeline.

Incorporating security into DevOps practices so that vulnerabilities and weaknesses are found early in the software development lifecycle (SDLC) is a growing movement.

A DevSecOps workflow ensures flaws and weaknesses are detected early.

How?

Through monitoring, assessment, and analysis so that proper remediation steps can be taken far earlier than the traditional efforts.

The goal is to bring the IT and security teams together while ensuring better, safe, and fast delivery of code. Yes, shift security to the left.

Example of DevSecOps Workflow

Here is a quick DevSecOps workflow that will help you understand the process better:

  1. The security team works with designers to perform threat modeling and develop security requirements.
  2. The security team reviews requirements and determines what level of review is required for each item.
  3. The development team writes the code and its tests, which are managed in a version control system such as Git. 
  4. Jenkins checks the code out of the repository, builds it, and runs the unit tests along with static application security testing (SAST) to identify security defects and code quality issues.
  5. An infrastructure-as-code (IaC) tool such as Chef provisions an environment for deploying the application and applies the required security configuration to the system. 
  6. Once the application has been deployed, Jenkins runs the test automation suite against it: integration, UI (user interface), API (application programming interface), back-end and dynamic security tests (DAST) that exercise the running application, complementing the static analysis already done at build time.  
  7. Items flagged for manual security review are reviewed.
  8. If no blocking security defects remain, the application is deployed to production using the same IaC tool as in the previous environments, so the production configuration matches what was tested. 
  9. Tools like Splunk and New Relic are used to continuously monitor the production environment to identify active cybersecurity threats. 
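The step that makes stages 4, 6 and 8 bite is a gate that reads the scanner's report and decides whether the pipeline may promote the build. The script below is an added example, not code from the article, from Jenkins or from any scanner: it assumes a constructed `severity|rule|location|message` findings format and constructed sample findings, and a Jenkins `sh` step would call `security_gate` on the real report instead of the sample.

```shell
#!/bin/sh
# Added example (not from the article): a build-breaking security gate that a
# Jenkins "sh" step would call after the SAST/DAST stage. It assumes the scanner
# wrote one finding per line as  severity|rule|location|message ; this format
# and the findings in make_sample are constructed for illustration only.

# security_gate FILE [THRESHOLD]
# Prints a per-severity summary and every finding at or above THRESHOLD
# (default HIGH). Exit status: 0 = build may proceed, 1 = blocked, 2 = bad input.
# Unknown severities are treated as blocking so a scanner change fails closed.
security_gate() {
    findings_file=$1
    threshold=${2:-HIGH}
    [ -r "$findings_file" ] || { echo "security_gate: cannot read $findings_file" >&2; return 2; }
    awk -F'|' -v thr="$threshold" '
        BEGIN {
            rank["LOW"] = 1; rank["MEDIUM"] = 2; rank["HIGH"] = 3; rank["CRITICAL"] = 4
            thr = toupper(thr)
            if (!(thr in rank)) { print "security_gate: unknown threshold " thr > "/dev/stderr"; bad = 1; exit }
        }
        /^#/ || NF < 4 { next }                  # skip header comments and malformed lines
        {
            sev = toupper($1)
            count[sev]++
            r = (sev in rank) ? rank[sev] : 99   # fail closed on a severity we do not know
            if (r >= rank[thr]) { blocking++; printf "BLOCK %-8s %s %s: %s\n", sev, $2, $3, $4 }
        }
        END {
            if (bad) exit 2
            printf "findings: low=%d medium=%d high=%d critical=%d blocking=%d\n",
                   count["LOW"], count["MEDIUM"], count["HIGH"], count["CRITICAL"], blocking
            exit (blocking > 0) ? 1 : 0
        }
    ' "$findings_file"
}

# Constructed sample scanner output for the stand-alone demo (not real tool output).
make_sample() {
    cat > "$1" <<'EOF'
# severity|rule|location|message
HIGH|sql-injection|app/users.py:42|query built by string concatenation
MEDIUM|weak-hash|app/auth.py:17|MD5 used for password hashing
LOW|debug-enabled|settings.py:3|DEBUG = True in production config
EOF
}

# Stand-alone demo: the HIGH finding blocks the build at the default threshold.
sample=$(mktemp)
make_sample "$sample"
status=0
security_gate "$sample" || status=$?
case $status in
    0) echo "gate: PASS, promoting build" ;;
    1) echo "gate: FAIL, build aborted" ;;
    *) echo "gate: ERROR ($status), build aborted" ;;
esac
rm -f "$sample"
```

Two choices worth keeping when adapting this: unknown severities block the build (fail closed, so a scanner upgrade that renames a level cannot silently pass), and the threshold is an explicit parameter, so a hotfix branch can gate on CRITICAL and a release candidate on LOW without touching the logic.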

What Are the Benefits of DevSecOps?

The benefits of DevSecOps include:

  • Eliminates the silos between development, operations, and security teams
  • Helps organizations identify potential vulnerabilities early in the software development lifecycle
  • Provides faster delivery with better quality through automated testing
  • Contributes business value through improved operations with diminished security threats
  • Reduces the investment of resources required to combat threats identified late in the production or delivery process by early identification of potential vulnerabilities

DevSecOps is More Than Automation

A DevSecOps environment employs tools that automate continuous integration, testing, monitoring, delivery, and deployment. But automation isn’t the only critical aspect of DevSecOps.

It is just as important to create a model that relies on “shifting security left” which typically involves engaging the security team early in the software development and operations process.

What’s more?

The DevSecOps approach promotes security as a shared responsibility of everyone, without compromising on the privacy, safety, and quality required by the system.  

What else do you need to know?

While it is possible to quickly integrate automated tools into your software development and operations workflow, it isn’t an overnight task to change an entire organization’s culture and mindset.

Building a DevSecOps culture takes time, hard work, patience, training and coaching across the organization.

DevOps with Security Can Deliver More Secure Software

Collaborative Development

DevSecOps is an approach to software development that focuses on the collaboration between the development, operations, and security teams.

What is the goal?

To maintain security while reducing the time to market and enhancing agility by rapid deployments and rollouts.

Many companies regularly push out software updates into production every day. Not all of these updates are major new features or security updates.

Rather, they’re usually just additional changes to code in response to user feedback, configuration issues, changing business needs, or many other factors.

A DevSecOps approach enables teams to perform automated testing on small pieces of the software at the unit level as well as at the integration level.

It allows security teams to be involved in the development, operations and deployment process of updates, irrespective of their size, complexity, or impact. This helps create software and applications that are overall more secure.

Shifting Security to the Left

DevOps emphasizes continuous software delivery and updates.

However, for security teams this complicates routine work such as analysing code before it is deployed into the production environment.

It becomes difficult for the security team to keep pace with the rapid and continuous deployments of DevOps.

Enterprises usually include security towards the end of the development process, which makes it more challenging for the security team to efficiently identify potential weaknesses and vulnerabilities in the system.

But with DevOps, security can be shifted to the left of the software development process.

What does that mean?

The concept of shifting security to the left simply means moving security tasks earlier in the software development timeline, towards design and coding rather than release.

By running automated penetration tests and code analysis earlier in the development process, organizations can address security defects at every stage and leave the security team more time for the complex review tasks that automation cannot do.

So by the time the software reaches the deployment stage, the automated security tests have already run and their findings have been fixed or explicitly accepted, leaving only the residual risks for deployment-time review. 
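The earliest practical point to shift analysis to is the developer's workstation, before a change even reaches the repository. The hook below is an added example, not the article's or any project's code: it scans the staged diff for credential-looking additions and refuses the commit. The patterns and the sample diff are constructed illustrations, not a complete secret ruleset; a real hook would wrap a maintained scanner. To use it, have `.git/hooks/pre-commit` run it with `--staged`.

```shell
#!/bin/sh
# Added example (not from the article): a git pre-commit check that scans the
# staged diff for credentials before the commit exists, i.e. code analysis moved
# to the developer's machine. The patterns and sample diff are constructed
# illustrations and are not a complete or authoritative secret ruleset.

# scan_added_lines: reads unified-diff text on stdin, prints each added line that
# looks like a credential and returns 1 if any matched (0 when clean).
# Only "+" lines are inspected, so removing a secret never trips the check.
# grep -i is applied to all patterns, so the AKIA pattern is also case-insensitive.
scan_added_lines() {
    matches=$(grep '^+' | grep -v '^+++' | grep -E -i \
        -e 'AKIA[0-9A-Z]{16}' \
        -e "(api[_-]?key|secret|password|passwd|token)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}" \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----') || true
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# Hook mode: .git/hooks/pre-commit runs this script with --staged.
if [ "${1:-}" = "--staged" ]; then
    if git diff --cached --unified=0 | scan_added_lines; then
        exit 0
    fi
    echo "pre-commit: possible secret in staged changes, commit aborted" >&2
    exit 1
fi

# Constructed sample diff for the stand-alone demo: two added lines leak credentials
# (the AWS key is the documented example value, not a live credential).
sample_diff() {
    cat <<'EOF'
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
EOF
}

if sample_diff | scan_added_lines; then
    echo "clean: commit would proceed"
else
    echo "blocked: commit would be rejected"
fi
```

The hook is deliberately fast and local; it is the first of several layers, and the build-time scanners still run, because a developer can bypass a hook with `--no-verify` and a pattern list will never catch every credential format.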

Automation is Your Friend

Adopting a DevSecOps approach involves embracing a cultural shift and trying out different ways to bake in security early in the development phase.

Automation is a key part of DevSecOps that helps carry out simple or repetitive tasks to save human time, effort and energy. 

Instead of manually testing each unit component of software for security issues, DevSecOps allows you to use automated tools and processes that simplify the process while maintaining quality, speed, and efficiency. High-risk areas will still require manual testing, e.g., changes to the authorization model.

If you set the controls and parameters right, automation can give you better security.

For example:

If you configure automated tools to specifications that have already been proven secure, you can save time and focus on more complex tasks. This reduces human error and boosts efficiency. 

Wrapping it Up

DevSecOps offers more secure software without compromising on the agility, time to market, speed of deployment and quality.

It brings together security with DevOps to achieve unparalleled success by using automated tools, shifting security to the left, and enhancing collaborative development.

If security remains at the end of the development phase, enterprises adopting DevOps might find themselves back in lengthy development cycles or more vulnerable software.