General security

Transitioning from DevOps to DevSecOps

Graeme Messina
September 23, 2019 by
Graeme Messina

Introduction

DevOps is essentially the combination of software development and IT operations, and it is found in many enterprise environments. DevOps initially started as a process that fostered an agile type of relationship between developers and IT operations teams. This led to much more rapid development and deployment times and facilitated better communication between different departments within the organization.

DevOps helped developers to better understand the operational requirements of the organization while letting the operations side see how the development process would affect the daily functioning of the systems within the organization. The deployment technologies could be built into the software which meant that the finished products could be shipped in record time.

DevOps merges many different disciplines together and has a large focus on automation. As the name suggests, software development frameworks and concepts become a fused team that works towards the same goal.

Because DevOps treats much of the operational work with the same processes that software development does, it’s possible to roll out large-scale deployments with very little human intervention while still maintaining high visibility within the environment that it is operating in. Automation makes deployments much easier and faster to accomplish.

Many DevOps professionals are finding that the increased focus of security requirements is changing the way that applications are developed, and this means changing the way that products are created. We are going to find out how you can transition into DevSecOps and how you can leverage your skills and apply them to this important role.

What is DevSecOps?

On the surface, DevSecOps is very similar to DevOps, but it has enhanced protections built into the process. This is because many security best practices are now integrated into the products that are being developed. DevSecOps relies on collaborations and teamwork to create more secure applications while continuing to provide non-stop improvements to the code. DevSecOps builds security into the foundations of the application from the very beginning, creating enhanced protections that make the application more difficult to compromise.

DevSecOps breaks away from traditional developer environments. This is because the compartmentalized nature of legacy development structures has to be drastically altered in a DevSecOps environment. There is a general shift from siloed departments, and DevSecOps encourages lots of collaborative efforts and teamwork.

Historically, it has always been the job of the developer to create an application or system, while the operations team’s role was to use, administer and maintain it and the SOC team had to try and build security around the application. What we see in DevSecOps is a combined team effort between all three of those pillars of the organization, which results in much more secure applications and products.

Where does a DevSecOps professional get started?

The natural pathway for many DevSecOps pros is traditionally through a DevOps role, but this doesn’t tell us very much. DevOps has many potential roles, from programmers to network engineers, security analysts, auditors and systems architects. From an information security perspective, there are also many different roles that you could perform.

The main difference between DevOps and DevSecOps is the time at which the security team starts to contribute. In the early days of software development, security was often seen as an afterthought. Many security features were tacked onto the application after the main components had been built, which led to many weaknesses in application security and some overlooked security bugs that would only be discovered and addressed after the product had been launched. DevSecOps applies security from the very beginning and is involved in every step of the planning and development process.

Programmers and developers are most concerned with completing the product and having it function correctly, while security analysts are willing to implement more controls to harden the application. This can lead to extra work, but the benefits of having a secure application far outweigh a potential security hole in an insecure release.

The organization that you are working at has to be fully behind the idea of a DevSecOps approach in their development strategy, as it requires a shift away from traditional development methodologies.

Another vital aspect that is often overlooked is the increased popularity of cloud-based services in recent years. Finding a candidate with the prerequisite knowledge to perform all of these functions is tough. Last but not least, you need to have a background or a working knowledge of information security. In order to make recommendations about secure code and potential security issues, you need to be able to understand the concepts behind security.

Why DevSecOps?

Automation has always been at the heart of the DevOps approach, so it should come as no surprise that DevSecOps is able to automate security audits. It uses a combination of automated scripts and tools that test the security of the application, the containers that elements reside in and the pipe itself. Security is built into the applications from the very beginning and auditing tests all of the potential weaknesses in the implementation as the product is built.

Early detection of security loopholes happens much faster in a DevSecOps environment. This is because of the continuous iterations of secure code that are fed into the pipe, allowing for automated testing to occur daily.

Broken tests mean that the pipe is working correctly and that security issues are being picked up before a deployment happens. Not all failures are negative, and a broken build often means that the testing environment is picking up issues before they are released to clients.

Audit trails are often built into this process, which means extensive logging needs to occur at each step of the DevSecOps process. If code ever gets audited, then there needs to be a trustworthy and accurate history of development. This is sometimes known as a “trust, but verify” approach, especially when a postmortem of a failed test is conducted.

Conclusion

The transition from DevOps to DevSecOps requires full commitment from everyone involved in the process. Silos and separation of departments need to be replaced with open and honest communication. Constant feedback and code assessments need to be carried out at every step of the process if DevSecOps is going to succeed. The same is true of code audits, as they need to be carried out on a daily basis with each new commit and update.

All of this needs to happen without slowing down the actual development. Failure isn’t a bad thing, and any issues need to be dealt with and rectified as soon as they appear.

Documentation and written processes must also be maintained so that future development teams are able to look back and read accurate explanations and decently commented code. But these practices do not form overnight. There is a real need for cultural shifts within the organization, allowing the developers and security teams to work together and help one another. If teams compete with each other and assign blame then the end product will suffer, along with the company’s paying customers.

Security needs to be encouraged and developed within the teams if securely developed applications are to be released with increased frequency and efficacy.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

 

Sources

  1. What Is DevOps?, The Agile Admin
  2. What is DevSecOps and How Is it Different Than DevOps?, Sumo Logic
  3. What is SecDevOps and why should you care?, Sqreen
Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.