WTF is DevSecOps?
Buzzword or shift-left revelation? We dive into the intriguing new world of DevSecOps.
The TL;DR Summary
- DevSecOps integrates security into software development, testing, and delivery processes.
- In a DevSecOps environment, everyone involved in the software development lifecycle shares responsibility for security.
- The approach focuses on automation and on "shifting left" to incorporate security early in the pipeline.
- In practice, it involves planning, coding, testing, deployment, monitoring, training, and reviewing security aspects.
- DevSecOps and DevOps both emphasize collaboration, agility, and automation, but differ in their areas of focus.
What is DevSecOps?
DevSecOps is the practice of integrating security into software development, testing, and delivery processes[1]. Basically, you're thinking about writing secure code at every step of creating and updating software, rather than as a perfunctory step at the very end of the process. It's also part of that "shift-left" approach to security you've been hearing so much about.
The Details
The idea behind DevSecOps is that security is everyone's responsibility, and it comes into play from the moment you start building software. Ideally, this will promote collaboration among development, operations, and security teams, ensuring that security is a first-order concern in software delivery. A lot of DevSecOps writing is about automation and the "shift-left" approach, which emphasizes incorporating security early in the development pipeline rather than as a late-stage addition.
Buzzword or revelation? Some people consider DevSecOps to be a buzzword or marketing slang, arguing that security should be a natural part of the DevOps process without requiring a separate term[6]. However, we'd like to think that the introduction of the DevSecOps concept highlights the importance of security as a fundamental aspect of the entire development process, which has often been overlooked or treated as an optional, non-functional requirement.
The responsibilities within DevSecOps include ensuring that the code is secure, infrastructure (cloud or on-premises) is configured securely, data protection measures are in place, and security checks and monitoring are automated[4]. When it works as intended, this approach supports the development of high-quality, secure software through shared ownership, efficient processes, and collaboration between the typically siloed development, operations, and security teams.
DevSecOps is seen by some as a step towards a more comprehensive DevOps organization, similar to SecOps[5]. By focusing on security, it fosters a mindset that includes security in every aspect of software development, infrastructure management, and operational processes.
What this means in practice
In day-to-day operations, DevSecOps changes how teams work together and handle software development tasks:[3]
Planning: Security requirements are considered from the start, so teams discuss potential risks and vulnerabilities while planning new features or updates.
Coding: Developers follow secure coding practices and guidelines to prevent common security issues like SQL injection, cross-site scripting, or buffer overflow vulnerabilities.
Testing: Automated security tests are incorporated into the development process, catching security flaws early and allowing developers to fix them promptly.
Deployment: Teams use tools and frameworks that incorporate security best practices, such as secure configurations, encryption, and access control for infrastructure and data.
Monitoring: Continuous monitoring of applications and infrastructure helps identify security incidents, allowing teams to quickly respond and mitigate potential threats.
Training: Team members receive regular training on the latest security trends and best practices, fostering a security-aware culture throughout the organization.
Review: Teams routinely review their security practices, tools, and processes, identifying areas for improvement and making necessary adjustments.
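The Coding and Testing items above can be combined into one pipeline check. The following is an added example, not code from the original article: a SQL injection regression test that a CI stage could run on every commit, shown against a vulnerable lookup and its parameterized form. The table, function names, and hostile inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample data for the test."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable: user input is concatenated into the SQL text.
    return db.execute(
        "SELECT secret FROM users WHERE name = '" + name + "'").fetchall()

def lookup_safe(db, name):
    # Hardened: the driver binds the value, so it is never parsed as SQL.
    return db.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)).fetchall()

# Constructed hostile inputs that the security test replays against a lookup.
INJECTION_INPUTS = [
    "' OR '1'='1",
    "alice' --",
    "x' UNION SELECT secret FROM users --",
]

def security_gate(lookup):
    """Return the inputs that leaked rows or broke the query; [] means pass."""
    db = make_db()
    failures = []
    for payload in INJECTION_INPUTS:
        try:
            rows = lookup(db, payload)
        except sqlite3.Error:
            failures.append(payload)  # input reached the SQL parser
            continue
        if rows:  # no user has this literal name, so any row is a leak
            failures.append(payload)
    return failures

if __name__ == "__main__":
    import sys
    bad = security_gate(lookup_safe)
    print("injection test failures:", bad)
    sys.exit(1 if bad else 0)  # a non-zero exit fails the pipeline stage
```

Pointing `security_gate` at `lookup_unsafe` reports all three inputs, which is the failure a developer would see before the change is merged rather than after release.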
DevSecOps != DevOps
Both DevOps and DevSecOps emphasize collaboration and agility in software development – but unsurprisingly, DevSecOps is more focused on security. DevOps primarily looks at streamlining the interactions between developers and operations to improve efficiency and deliver software faster. It incorporates practices such as continuous integration, continuous delivery, automated testing, and infrastructure as code.
On the other hand, DevSecOps might use similar tools and frameworks, but its explicit purpose is to integrate security considerations into the development lifecycle. Its main goal is to ensure that software is built securely from the ground up, eliminating vulnerabilities and minimizing potential risks. This is achieved by integrating security tools, practices, and policies into the existing DevOps pipeline.
Having said that, when investing in DevSecOps, it's essential to choose tools and frameworks that integrate well with your existing DevOps pipeline. Needless to say, they should also align with your organization's specific security requirements and adhere to industry regulations.
Who is Responsible for DevSecOps?
The annoying answer is: everyone. In a DevSecOps environment, all the folks involved in the software development lifecycle share responsibility for security. This means that developers, operations staff, security experts, and even management all play a role in ensuring the security of the software.
References:
[1] Gartner glossary
[3] What is DevSecOps on the IBM website
[4] Chapter from O'Reilly's Security as Code book
[5] Stack Exchange discussion - what is SecOps?
[6] Stack Exchange discussion - is DevSecOps indeed a new practice?