What Is DevSecOps ?

DevSecOps stands for Development, Security and Operations. It is an approach to culture, automation and platform design that integrates security as a shared responsibility throughout the IT lifecycle.

DevSecOps vs. DevOps

DevOps is not just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must play an integral role throughout the lifecycle of your applications.

Why? In the past, the role of security was assigned to a specific team during the final development phase. This wasn’t such a problem when development cycles took months or even years, but those days are over. Effective DevOps ensures fast and regular development cycles (sometimes weeks or days), but outdated security practices can undo even the most effective DevOps initiatives.

Illustration representing a linear progression from Development to Security and then to Operations

Now, in a collaborative DevOps framework, security is a shared responsibility that is fully integrated. This is such an important mindset that some have started using the term “DevSecOps” to emphasize the need to build a security foundation for DevOps initiatives.

Illustration representing collaboration between Development, Security, and Operations roles

DevSecOps means thinking about application and infrastructure security from the bottom up. This also means automating some security gates so the DevOps workflow doesn’t slow down. Choosing the right tools for continuous security integration, such as choosing an integrated development environment (IDE) with security capabilities, can help achieve these goals. However, effective DevOps security requires more than new tools—it depends on cultural changes in DevOps to integrate the work of security teams sooner rather than later.

DevOps security is built-in

Whether you call it “DevOps” or “DevSecOps”, it has always been ideal to include security as an integral part of the entire application lifecycle. DevSecOps involves embedded security, not security around applications and data. If security remains at the end of the development phase, organizations adopting DevOps may be forced back into the long development cycles they tried to avoid in the first place.

In part, DevSecOps emphasizes the need to bring security teams and partners in early in DevOps initiatives to build security and build a security automation plan. This underscores the need to help developers code with security in mind, a process in which security teams share visibility, feedback and knowledge of known threats, such as insider threats or potential malware. DevSecOps also focuses on identifying risks in the software supply chain and emphasizes the security of open source software components and dependencies early in the software development life cycle. To be successful, an effective DevSecOps approach can also include new security training for developers, as this has not always been the focus of more traditional application development.

What does built-in security actually look like? First, a good DevSecOps strategy is to determine your risk tolerance and perform a risk/benefit analysis. How many security features are needed in this application? How important is speed for different applications? Automating repetitive tasks is key to DevSecOps, as manual security checks can take time to prepare.

DevOps security is automated

Illustrations representing that DevOps plus Automation equals Security

Maintain short and iterative development cycles, integrate security measures with minimal disruption, keep pace with innovative technologies such as containers and microservices, while fostering closer collaboration between teams that are generally mixed — it’s a squad for any organization. All of these initiatives start at the human level – the depth of collaboration within your organization – but in the DevSecOps framework, automation is the enabler of human change.

But what and how to automate? There is a written guide for this question to help answer this question. Organizations need to step back and consider the entire development and operational environment. This includes source control repositories, container registries, continuous integration and continuous deployment (CI/CD) pipeline, application programming interfaces (API) management, instrumentation and release automation, and operations management and monitoring.

New automation technologies have helped organizations adopt more agile development practices, and they have also helped promote new security measures. But automation isn’t the only thing that’s changed in the IT landscape in recent years—cloud-based technologies like containers and microservices are now a big part of most DevOps initiatives, and DevOps security needs to match them.

DevOps security is built for containers and microservices

The larger and more dynamic infrastructure enabled by containers has changed the way many organizations operate. Therefore, DevOps security practices must adapt to the new landscape and adhere to container-specific security guidelines.

Cloud-based technologies are not suitable for static information security policies and checklists. Instead, security must be continuous and integrated at every stage of the application and infrastructure lifecycle.

DevSecOps means building information security into application development from start to finish. This process integration requires a new organizational mindset as well as new tools. With this in mind, DevOps teams must automate security to protect the overall environment and data, as well as the continuous integration/continuous delivery process, a goal that likely includes the security of contained microservices.

This webinar provides expert insight into the entire stack and lifecycle security of containerized applications.

Environment and data security

  • Standardize and automate the environment: Each service should have the least privilege possible to minimize unauthorized connections and access.
  • Centralize user identity and access control capabilities: Tight access control and centralized authentication mechanisms are essential for securing microservices, since authentication is initiated at multiple points.
  • Isolate containers running microservices from each other and the network: This includes both in transit and at rest data, since both can represent high-value targets for attackers.
  • Encrypt data between apps and services: A container orchestration platform with integrated security features helps minimize the chance of unauthorized access.
  • Introduce secure API gateways: Secure APIs increase authorization and routing visibility. By reducing exposed APIs, organizations can reduce surfaces of attacks.

CI/CD process security

  • Integrate security scanners for containers: This should be part of the process for adding containers to the registry.
  • Automate security testing in the CI process: This includes running security static analysis tools as part of builds, as well as scanning any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline.
  • Add automated tests for security capabilities into the acceptance test process: Automate input validation tests, as well as verification authentication and authorization features.
  • Automate security updates, such as patches for known vulnerabilities: Do this via the DevOps pipeline. It should eliminate the need for admins to log into production systems, while creating a documented and traceable change log.
  • Automate system and service configuration management capabilities: This allows for compliance with security policies and the elimination of manual errors. Audit and remediation should be automated as well.

LANERS's covers the latest developments and innovations in technology that can be leveraged to build rewarding careers. You'll find career guides, tech tutorials and industry news to keep yourself updated with the fast-changing world of tech and business.

Leave a Comment