What You Need to Know About DevSecOps
by Kaya Ismail, CMS Wire
The 5th annual DevSecOps Community Survey, conducted by Sonatype in 2018, revealed a heightened interest in DevSecOps practices. Of the 2,076 IT professionals who took part in the survey, 33 percent said they had suffered a verified breach within a 12-month period, a whopping 121 percent increase since the survey began back in 2014. Along with the introduction of the General Data Protection Regulation (GDPR), these high-profile breaches have led 73 percent of respondents to report an increased interest in DevSecOps practices.
But what is DevSecOps exactly? Why is it needed? And how can brands implement DevSecOps practices in their organization?
What Is DevSecOps?
DevSecOps adopts a philosophy of integrating security practices within the DevOps process. It encourages flexible collaboration between developers (Dev), security (Sec), and Ops teams. The main objective of DevSecOps is to close the traditional gap between software development and security while ensuring rapid delivery and deployment of code in a safe manner.
As SumoLogic explained in a blog post, DevSecOps combines the two seemingly opposing goals of attaining “secure code” and “speed of delivery” into one streamlined process. “Think of DevSecOps like baking security practices into your DevOps pipeline. In short, it’s the philosophy of integrating security practices within your organization’s DevOps processes,” said Jesse Stockall, CTO at Embotics. “A DevOps strategy needs to go beyond operations and IT teams, and allow IT security to play an integrated role in the lifecycle of your applications.”
Why Should Companies Consider Transitioning to DevSecOps?
Just as the DevOps process turned deployment from an infrequent and slow event into something developers can do multiple times a day, it also put delivery out of step with traditional security processes, explained David Strauss, CTO & co-founder at Pantheon. “[With DevOps], traditional security processes could not keep up, as they often relied on a slow release process to fit in reviews and compliance. Yet, security couldn’t be left behind for the sake of DevOps,” he said.
Strauss continued, “DevSecOps brings security practices into the DevOps fold by ensuring developers have the skills and the power to achieve security goals, rather than placing that responsibility on a separate team.” Placing security responsibility with the DevOps team encourages them to weigh security risks alongside software delivery needs. It also removes the “common deadlock” between development and security teams that Strauss mentioned. “In the past, the role of security was isolated to a certain team or role within the organization. But now it’s imperative for organizations to integrate security as a shared responsibility. To do this, organizations need to think of application and infrastructure security from the very beginning, and understand what processes can be automated in order to improve the speed and agility of the DevOps operation,” said Stockall.
Additionally, according to Gerry Gebel, VP of business development at Axiomatics, “The DevSecOps approach allows organizations to better serve their customers and compete more effectively and securely in the market by enabling faster application deployment. By incorporating security controls that can be deployed in the same manner as APIs and microservices, businesses can transition to DevSecOps to streamline and automate the development process.”
Best Practices for Transitioning to DevSecOps
To embrace DevSecOps in your organization, there are a number of best practices you should follow.
1. Establish a Collaborative Culture
“The most important thing [when starting off with DevSecOps], is to establish a culture that views security as an enabler of the quality product, a shared responsibility and a top priority. It’s one of the key application metrics along with the application performance and user experience,” said Ivan Novikov, CEO at Wallarm.
2. Appoint Security Champions and Invest in Security Training
“Since most developers have a limited understanding of what to look out for, it’s great to appoint security champions within teams,” Novikov said. “[These security champions] may not have the same in-depth knowledge as white-hat hackers, but they would have enough involvement and exposure on the security side to understand the concepts and know where to look for the right tools and resources.”
Security champions can also act as the go-to source for team members’ security questions. In addition to appointing security champions, “Equip the developers with the skills to understand and implement security. Such training should immediately lower defect rates related to security,” Strauss said.
3. Transition to a Microservice Architecture
Microservices are a well-known DevOps practice that involves breaking an application into smaller services, with each service representing a function. These individual services communicate with each other through an API, which enables developers to scale these services individually without impacting the rest of the application.
When access control (authorization) is deployed as a microservice, according to Gebel, several benefits emerge. For one, the application’s microservices can focus on delivering business logic, while authorization functionality is “encapsulated” in an infrastructure service.
Gebel explained how containerizing authorization microservices can be automated. “Authorization microservices can be automated with Kubernetes, or your favorite orchestration tool to manage elastic scaling of the authorization service, maintain high availability settings, [and more],” he said. “Changes to authorization policies are also automated with the same orchestration tools, simplifying the continuous integration/continuous deployment (CI/CD) process.”
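One way to realize the separation Gebel describes, as an added example that is not from the article or any vendor: the authorization decision lives in its own service, with the policy kept as data that is validated before it is activated, and the application microservice only asks that service. The resource names, roles, policy format and the stand-in callable that replaces the API request to the authorization service are all constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List
# Roles the platform knows; a policy naming any other role is rejected (constructed).
KNOWN_ROLES = frozenset({"customer", "support", "admin"})
# Policy kept as data so changes ride the same CI/CD pipeline as code:
# resource -> action -> roles allowed. Constructed sample, not a product's format.
POLICY_JSON = """{
  "orders": {"read": ["customer", "support", "admin"], "refund": ["support", "admin"]},
  "users":  {"read": ["admin"], "delete": ["admin"]}
}"""
Policy = Dict[str, Dict[str, List[str]]]

def load_policy(text: str) -> Policy:
    """Parse and validate a policy before the authorization service activates it."""
    policy = json.loads(text)
    for resource, actions in policy.items():
        for action, roles in actions.items():
            unknown = set(roles) - KNOWN_ROLES
            if unknown:
                raise ValueError(f"{resource}.{action}: unknown roles {sorted(unknown)}")
    return policy

@dataclass(frozen=True)
class Principal:
    subject: str
    roles: FrozenSet[str]

def decide(policy: Policy, principal: Principal, resource: str, action: str) -> bool:
    """Policy decision point (the authorization microservice): default deny."""
    allowed = policy.get(resource, {}).get(action, [])
    return any(role in allowed for role in principal.roles)

class AuthzClient:
    """Policy enforcement point embedded in an application microservice;
    `call` stands in for the API request to the authorization service."""
    def __init__(self, call: Callable[[Principal, str, str], bool]):
        self._call = call
    def is_allowed(self, principal: Principal, resource: str, action: str) -> bool:
        try:
            return bool(self._call(principal, resource, action))
        except Exception:
            return False  # fail closed if the authorization service is unreachable

def refund_order(authz: AuthzClient, principal: Principal, order_id: str) -> str:
    """Business logic only: who may refund is decided by the policy, not here."""
    if not authz.is_allowed(principal, "orders", "refund"):
        return "denied"
    return f"refunded {order_id}"
```

Because the policy is a validated document rather than code inside each service, a policy change is a pipeline artifact that can be tested and rolled out by the same orchestration tooling as the services themselves.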
4. Utilize Automation Tools
And finally, Novikov advised brands to “Deploy automation tools that can manage security tasks to enable small security teams to focus more on key priorities such as defining frameworks and focusing more on the development process; tools that automatically generate and run security tests within CI/CD process will help facilitate this.”
This article originally appeared in CMSWire.