July 9, 2021
What is DevSecOps?
Establishing a DevSecOps definition might seem like a no-brainer. The practice brings the security team into the DevOps workflow, with Development, Operations, and Security now working collaboratively toward a unified goal.
That said, the process goes beyond simply integrating a few new DevSecOps tools. In this article, we’ll dig into the methodology in more detail, outline the core DevSecOps benefits, and touch on the contents of its manifesto (because, of course, there’s a manifesto…).
Where Security Fits In: A Reason for DevSecOps
Back in 1983, the International Standards Organization (ISO) introduced a seven-layer model for network computing, dubbed the Open Systems Interconnection (OSI) model. The OSI model breaks computing functions into a universal set of standards to support interoperability between various products and software.
Each layer has its own protocols and other communication standards that govern its efficient operation. Here are the seven layers, listed from the top down, since users interact with the Application layer first:
- Application
- Presentation
- Session
- Transport
- Network
- Data Link
- Physical
So, the OSI model works as follows:
- Data is entered by the user through software running on the Application layer.
- The application runs on a device-based operating system at the Presentation layer, which is granted entry through the Session layer.
- User data is moved to another destination using the Transport layer, which relies on the Network layer to connect to the desired destination.
- This connects to the actual network with a network interface card at the Data Link layer which, finally, connects to the actual cabling and wireless infrastructure found at the Physical layer.
- Arriving at the other end, the data travels back up the seven layers to arrive at its intended destination.
What Happens When Security is a Chain
In the OSI model, data and network security take place as a chain of measures at each of the seven layers. The problem is, a chain is only as strong as its weakest link. And if there’s a vulnerability in the Transport layer, it doesn’t matter if the other six layers are locked up tight—the whole system is compromised.
The same weakest-link principle applies to the deployment of security measures across a company or other organization. Many of today’s most common threats use “human engineering” tactics to break into a system: they dupe human users into performing an action that compromises network security.
Due to the prevalence of such threats, security is everyone’s responsibility from the admin desk to the C-suite. That, of course, includes software developers and network operators, to an even greater extent than their non-technical colleagues. Developers are constantly introducing new code, which could contain new vulnerabilities for bad actors to exploit.
As such, they must be particularly diligent in protecting the network. Network operators must be on high alert to detect anomalies that may indicate a breach. LoB managers and their teams, facilities people, communications people (literally everyone) must remain vigilant. One weak link breaks the chain.
With DevSecOps, security protocols are embedded within the development process, as opposed to being layered on top. This allows DevOps teams AND security professionals to leverage Agile methodologies together.
Why DevSecOps is a Big Deal
IT infrastructure and DevOps have gone through some pretty big changes over the past few years. Cloud computing, dynamic provisioning, and shared resources have transformed software development, bringing huge gains in speed, scalability, and agility.
DevOps has become standard for top-performing organizations, allowing them to keep pace with rising consumer demands and continuously evolving technologies.
However, while development and operations teams have unified and optimized their processes, security has historically been left out of the equation, often considered a roadblock, standing in the way of innovation.
Today, organizations have realized that skipping out on security puts their customers, brand, and bottom line at risk. And that’s where DevSecOps comes in, bringing security to the entire application without slowing down the production pipeline.
At its core, DevSecOps is about bringing security into the process early on, thereby reducing vulnerabilities and aligning security with business and IT objectives.
As such, it’s immediately clear that DevSecOps offers some pretty solid benefits.
- Increased speed and agility for security teams.
- Faster response to change and evolving customer needs.
- Improved collaboration and communications between all teams.
- Earlier vulnerability detection and correction.
- Increased use of automation—particularly in quality control and threat detection.
Ultimately, while there’s no guarantee any application can be 100% secure, DevSecOps allows organizations to confidently release applications that don’t compromise customer loyalty or their reputation.
The DevSecOps Manifesto
Like Agile and DevOps, DevSecOps has a manifesto, though in this case, the value system centers around this idea of “Security as Code.”
The manifesto covers the following principles:
- Security practitioners should add value without friction.
- Teams must adapt to a culture that fosters innovation, while also ensuring that privacy protections and data security are implemented throughout the development process.
- Best practices should not be left behind because security teams are too slow.
- Teams must strive for excellence, always aiming for the best solution before a deployment.
- Security must operate like development teams, ensuring security and compliance can be consumed as services.
- Security teams will unlock and unblock new paths, helping development teams turn ideas into reality.
- Scanners and reporting tools aren’t a substitute for real expertise; security teams must operate like outside hackers to identify loopholes and weaknesses in the code, then deliver a set of actionable remediation steps to address those problems.
- Monitoring must be continuous—teams will proactively look for anomalies and fix problems as they are discovered.
Security is aligned around the same values as development, operations, and other internal stakeholders.
Setting the Stage for a Successful DevSecOps Initiative
Embracing a DevSecOps strategy allows organizations to respond to incoming threats and latent vulnerabilities without skipping a beat.
Part of this transformation hinges on changing the perception of security teams, seeing them as a valuable resource that protects the business and its consumers, not a barrier to innovation or agility. Today, scaling an application in the cloud depends on embedding security controls throughout the entire development process. Implementing this strategy in your organization can be a complex process, however. Here, we cover a few things that you’ll need to get right to realize the DevSecOps benefits in your organization:
The Right DevSecOps Mindset
DevSecOps is an extension of DevOps, and as you might imagine, that means that Agile’s culture of collaboration has made its way to the security team.
Consistent with its source, DevSecOps is a mindset grounded in cooperation and consistency of tools and processes. The challenge is that embracing a new culture is often met with resistance, whether it’s a fear of automation, comfort with the status quo, or internal silos that prevent cross-departmental collaboration from taking place.
Security Must be Embedded in the Code
A DevSecOps team doesn’t wait until the code is finished to start thinking about security. The thinking starts with the developers themselves, who incorporate sound security strategy even as they build the source code.
Developers then work closely with the security team, which performs “sanity checks,” a checks-and-balances process that ensures all development choices align with security best practices.
Once the “Dev” and “Sec” teams confirm the strategy, the operations team enters the fold and provides constant protection while the application is in use.
This end-to-end strategy from the start reduces the likelihood of errors later on.
Where most systems introduce security measures once the application goes into production, DevSecOps teams build security measures into the application itself and into every step that follows.
By doing so, the developers become aware of and are able to remediate any weaknesses or errors in the code before it is tested, staged, deployed, and put into production.
Testing and updating code before moving it forward in the pipeline can be a time-consuming process of trial and error. DevSecOps breaks code analysis into smaller parts, allowing teams to identify vulnerabilities fast.
The process also leverages tools that automate testing, which eliminates the bottlenecks that often happen during human-run tests. Additionally, organizations can measure how quickly security teams detect and respond to vulnerabilities, giving them a baseline against which to track continuous improvement.
Ideally, you’ll want to implement a stack of DevSecOps tools that address the following areas:
- Continuous Integration
- Version Control
- Continuous Testing & Monitoring
- Configuration Management & Deployment
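As an added example (not code from the article or from 3Pillar Global) of what “security as code” in a continuous-testing stage can look like: a small CI gate that consumes scanner findings, blocks the pipeline on open findings above a severity budget unless they were explicitly risk-accepted, and computes mean time-to-remediate so the detection-and-response metric mentioned above can be tracked over time. The JSON shape of the findings and the sample data are constructed for illustration, not a real scanner’s format.

```python
"""Added example (not the article's code): a 'security as code' CI gate.
Reads scanner findings in a hypothetical JSON shape (constructed sample),
fails the build on open findings above a severity budget, and computes
mean time-to-remediate (MTTR) so the team can track its improvement."""
import json
from datetime import datetime

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values())  # unrecognised severity fails closed

# Constructed sample findings (hypothetical scanner output, not a real format).
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "severity": "high", "detected": "2021-07-01T09:00:00",
     "fixed": "2021-07-02T09:00:00"},
    {"id": "F-2", "severity": "critical", "detected": "2021-07-03T10:00:00",
     "fixed": None},
    {"id": "F-3", "severity": "low", "detected": "2021-07-04T08:00:00",
     "fixed": "2021-07-04T20:00:00"},
])

def load_findings(raw):
    return json.loads(raw)

def gate(findings, max_severity="medium", risk_accepted=()):
    """Return (passed, blocking_ids): an open finding above the budget that
    has not been explicitly risk-accepted by id blocks the pipeline."""
    budget = SEVERITY_RANK[max_severity]
    blocking = [
        f["id"] for f in findings
        if f["fixed"] is None
        and SEVERITY_RANK.get(f["severity"], UNKNOWN_RANK) > budget
        and f["id"] not in risk_accepted
    ]
    return (not blocking, blocking)

def mean_time_to_remediate_hours(findings):
    """Mean hours from detection to fix over closed findings; None if none."""
    hours = [
        (datetime.fromisoformat(f["fixed"]) - datetime.fromisoformat(f["detected"]))
        .total_seconds() / 3600
        for f in findings if f["fixed"]
    ]
    return sum(hours) / len(hours) if hours else None

if __name__ == "__main__":
    fs = load_findings(SAMPLE_FINDINGS)
    passed, blocking = gate(fs)
    print("gate:", "PASS" if passed else "FAIL " + ", ".join(blocking))
    print("MTTR hours:", mean_time_to_remediate_hours(fs))
```

Wiring this into the Continuous Testing stage means a build with an open critical finding fails until the finding is fixed or a named owner accepts the risk, and the MTTR figure gives the team a number to improve sprint over sprint.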
Solutions Should Be Tailored to Individual Applications
One of the biggest DevSecOps benefits lies in its ability to deliver custom security solutions based on each feature in your application. With complex, enterprise applications, DevSecOps can offer hyper-targeted security solutions at scale.
Planning a DevOps Initiative? Download our free eBook!
3Pillar Global uses DevOps as a critical part of our digital product development. Download our Free DevOps eBook where we discuss the benefits and common challenges experienced with DevOps or contact us.