DevSecOps follows the same trend as Agile and DevOps: how can developers create software that’s better, faster, and less expensive? The DevSecOps motto — “software, safer, sooner” adds the missing piece to the latest approach to quicker product development.
Security, previously an afterthought in the product development lifecycle, is now becoming an integral part of the process. New methodologies like shift left offer clear advantages to companies seeking to protect valuable data while still moving quickly. Here’s the meaning of DevSecOps, some key benefits, and DevSecOps best practices.
What is DevSecOps?
DevSecOps is an acronym for development, security, and operations. This practice automates the integration of security at every phase of the software development lifecycle. To better understand DevSecOps, let’s start by comparing DevSecOps vs DevOps.
DevSecOps is a variation on DevOps, or development operations. The goal of DevOps is to bring together formerly siloed roles, such as IT operations, development, QA, and security, to coordinate and produce better, more reliable products. Ultimately DevOps makes every team responsible for the success of the project: instead of separating development and operations, the unified effort of both functions leads to high-quality results.
“DevOps is an increasingly popular trend in recent years—a shift that makes developers more accountable for operational issues. The idea is that when a system goes down, it’s everyone’s responsibility to fix it,” wrote GitHub.
DevSecOps follows this same principle, but with a security lens. All stakeholders who participate in the application development lifecycle are responsible for the security of the final product. With DevOps, the goal is fewer outages; with DevSecOps the goal is no data loss.
The DevSecOps pipeline
What does DevSecOps look like in practice? DevSecOps can be integrated at every stage of the software development lifecycle:
- Planning: Start with an initial security analysis and create a plan for where, when, and how testing will occur throughout the development process.
- Coding: Deploy Git controls and other security protocols to secure passwords and API keys.
- Building: Add static application security testing (SAST) tools to find any flaws in your code before deploying.
- Testing: Use dynamic application security testing (DAST) tools to test your application while in runtime. DAST tools find errors related to user authentication, authorization, SQL injection, and API-related endpoints.
- Releasing: Before releasing the product, run complete penetration testing and vulnerability scans.
- Deploying: Send a secure build to production for final deployment after all testing is completed.
Clearly, security is integrated throughout the process. And, while it may seem like this adds extra steps to the software development lifecycle, this method saves time in the long run.
Benefits of DevSecOps
When done right, DevSecOps allows teams to deliver code faster, with fewer security vulnerabilities, and at a lower cost.
“The purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required,” Shannon Lietz, co-author of the “DevSecOps Manifesto” told IBM.
The DevSecOps approach helps add transparency and coordination to the product development lifecycle. When different teams work independently of one another, the approach leads to inconsistent implementation and a fragmented approach to development. It enables teams to collaborate throughout the process, providing visibility to key stakeholders every step of the way.
This visibility reduces bugs, misconfigurations, and other issues that can prove time-consuming and costly to fix later in the process. DevSecOps minimizes the need to re-do work to address security issues further along in the development lifecycle.
Ultimately, this approach also makes the product more secure. “Throughout the development cycle, the code is reviewed, audited, scanned, and tested for security issues. These issues are addressed as soon as they are identified. Security problems are fixed before additional dependencies are introduced,” wrote IBM.
DevSecOps best practices
Shift-left security is a key best practice for DevSecOps. Shift left security requires testing an application’s security iteratively and regularly — rather than waiting to test at the end of the software development process.
There must be some degree of security education offered to key project partners, in addition to implementing the shift left methodology. Before starting a DevSecOps project, make sure your development engineers, operations teams, and compliance teams are aligned with security best practices, as well as testing procedures that will take place along the way.
In addition, involve the InfoSec experts at your organization to pre-approve tools that will ensure your code and environments don’t put your organization at risk. For example, Nightfall provides a native GitHub integration that scans push events for API keys, credentials, and PII in order to remove them from your GitHub Organization. Nightfall also provides other tools, like a GitHub Action and a CircleCI Orb that can be used at different parts of the software development lifecycle to prevent the issue of secrets proliferation within your code.
By Emily Heaslip