What is DevSecOps?
For most of us this is just a buzzword that we’ve heard tossed around a lot lately. Those of us that are actively working in software security are skeptical about it, but what can we do to really bring this concept out of buzzword limbo and into actual implementation? Is DevSecOps inherently different from DevOps? Furthermore, how do we accomplish this in a way that builds lasting relationships with our engineering teams without causing more toil?
DevSecOps is a process in application security that introduces security tools and best practices earlier in the software development lifecycle. The idea is that security is built in rather than functioning solely as a perimeter around apps and data.
Everyone benefits when security is a team effort; that much is not surprising. When testing happens regularly, issues are found earlier and the code that ships is more secure. To make this possible, security must be approachable, with straightforward results, instead of overburdening teams with a mountain of text and little to no actionable content. Security testing tools and processes must be adapted to your engineers (and not the other way around). This means bringing security into the workflow of your engineers so that they can stay within their context without unnecessary steps being added to their daily work. Security findings must be presented in a way that can be interpreted without being an expert in cybersecurity. This includes providing enough detail to begin identifying the root cause, suggesting remediation steps, and pointing to the industry standards related to the finding. At a minimum, a finding should identify the section of code that triggered it and include automatic remediation recommendations. By implementing an integrated DevSecOps lifecycle with actionable results, security becomes everyone’s responsibility.
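To make the "actionable finding" requirement concrete, here is an added example (not code from the original article or any particular product) of what an integrated pipeline step can do with raw scanner output: attach the offending code excerpt, map each rule to an industry reference and a remediation hint, and fail the build only above a chosen severity so engineers see a decision rather than a wall of text. The rule ids, the rule-to-guidance table, the sample source file and the findings are all constructed for illustration, and the `Finding` shape is a hypothetical stand-in for whatever your scanner emits.

```python
"""Hypothetical helper (added example) that turns raw scanner findings into
developer-facing messages plus a build-gate decision. All data is constructed."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed mapping from a scanner rule id to its industry reference and a fix hint.
RULE_GUIDANCE = {
    "sql-string-concat": {
        "cwe": "CWE-89",
        "standard": "OWASP Top 10 A03:2021 Injection",
        "fix": "Use parameterized queries instead of string concatenation.",
    },
    "hardcoded-secret": {
        "cwe": "CWE-798",
        "standard": "OWASP Top 10 A07:2021 Identification and Authentication Failures",
        "fix": "Move the credential to a secrets manager and rotate it.",
    },
}


@dataclass
class Finding:
    """Hypothetical normalized finding: one record per scanner hit."""
    rule_id: str
    severity: str
    path: str
    line: int


def excerpt(source_lines, line, context=1):
    """Return (line_number, text) pairs for the flagged line and `context` neighbours."""
    start = max(0, line - 1 - context)
    end = min(len(source_lines), line + context)
    return [(i + 1, source_lines[i]) for i in range(start, end)]


def render_finding(finding, source_lines):
    """Build the message an engineer sees: location, code excerpt, reference, fix."""
    guidance = RULE_GUIDANCE.get(finding.rule_id, {})
    out = [f"[{finding.severity.upper()}] {finding.rule_id} at {finding.path}:{finding.line}"]
    for num, text in excerpt(source_lines, finding.line):
        marker = ">" if num == finding.line else " "  # point at the offending line
        out.append(f"{marker} {num:4d} | {text}")
    if guidance:
        out.append(f"Reference: {guidance['cwe']} ({guidance['standard']})")
        out.append(f"Suggested fix: {guidance['fix']}")
    return "\n".join(out)


def gate(findings, fail_on="high"):
    """Return (passed, blocking): passed is False if any finding is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return len(blocking) == 0, blocking


# Constructed sample source file (as a list of lines) and constructed scanner results.
SAMPLE_SOURCE = [
    "def get_user(db, name):",
    "    query = \"SELECT * FROM users WHERE name = '\" + name + \"'\"",
    "    return db.execute(query)",
    "",
    "API_KEY = 'constructed-placeholder-value'",
]

SAMPLE_FINDINGS = [
    Finding("sql-string-concat", "high", "app/users.py", 2),
    Finding("hardcoded-secret", "medium", "app/users.py", 5),
]


def run(findings=SAMPLE_FINDINGS, source_lines=SAMPLE_SOURCE, fail_on="high"):
    """One pipeline step: render every finding, then decide pass/fail."""
    reports = [render_finding(f, source_lines) for f in findings]
    passed, blocking = gate(findings, fail_on)
    return passed, blocking, reports


if __name__ == "__main__":
    ok, blocking, reports = run()
    print("\n\n".join(reports))
    print("\nGATE:", "pass" if ok else f"FAIL ({len(blocking)} blocking finding(s))")
```

The severity threshold is the policy knob the security and engineering teams agree on together; keeping it explicit in the pipeline step is what lets a team start permissive and tighten it as findings are cleaned up, rather than switching a noisy scanner on all at once.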
Building perfect and invulnerable applications is not possible. Therefore, security and risk management leaders must balance the need for security with development’s need for speed.
Where Do We Start?
Remember, Rome wasn’t built in a day and organizational changes don’t happen overnight. The key to securing a DevSecOps pipeline without compromising engineer experience is to start by reviewing tools with security and engineering teams together. Effective collaboration across different teams is the key to integrating security into the entire DevSecOps pipeline. Achieving a shift-left approach in security and overcoming DevSecOps security challenges requires sharing security knowledge and strong teamwork. It's first and foremost a cultural transformation; the changes to technology and process come after. So one of the biggest challenges is embracing this notion of working together effectively, with shared responsibility and a collaborative environment.
Security is an ongoing process and needs to continue to evolve as attacks evolve. DevSecOps enables organizations to stay ahead of the security curve and can help to avoid the majority of attacks.
There is a struggle to embrace the culture of DevSecOps. Security teams continue to be left behind because they lack visibility and the automation needed to keep up with churn. How do we give security the visibility they need at the moment these changes are happening? And how do we arm them with the automation they need to quickly identify how an application is changing? Security teams need to learn how to write code and work with APIs, while engineers need to learn how to automate security tasks. One way to achieve this is to embed a security engineer in the engineering organization, so that a dedicated security engineer spends part of their time with these engineering teams. This fosters engagement, visibility, and understanding between engineering and security professionals.
Why Should We Implement DevSecOps?
DevSecOps provides the framework to establish a clear, easy-to-understand set of procedures and policies for cybersecurity such as configuration management, access controls, vulnerability testing, code review, and firewalls. Additionally, DevSecOps ensures that all company personnel are familiar with these security protocols and empowers organizations to keep track of compliance by maintaining operational visibility. Successfully implementing DevSecOps not only improves organizational risk postures but also enables cultural transformation that will empower engineering and security teams.