Many thought the term “DevOps” was just another buzzword. But its usage and application have grown to such a degree that it can now be considered part of mainstream technology vocabulary. And now security teams and vendors have piggybacked onto that popularity with a whole new term – DevSecOps.
Will it catch on to the same extent as its older sibling? Many believe so. It certainly figured prominently in last week’s RSA security conference.
However, more than a few are a little confused about what it is and how it relates to DevOps. So what exactly is DevSecOps? How does it compare to DevOps? And how exactly can it improve security and reduce threat risk?
What is DevSecOps?
DevSecOps is all about bringing security and operations into the development process. This helps to develop a culture whereby everyone within an organization is responsible for security and compliance.
“Implementing DevSecOps means creating a security as code culture, where security is integrated with all phases of DevOps practices,” said George Gerchow, CSO of Sumo Logic. “This means keeping regulations and security top-of-mind while maintaining the speed, agility and innovation needed to stay ahead of attacks.”
DevSecOps vs. DevOps
What is the difference between DevOps and DevSecOps? DevOps is a term that has gained relative familiarity within IT in recent years. There are thousands of articles online about how DevOps is superior to older waterfall approaches to software development.
DevOps combines engineering and operations as part of the overall development lifecycle. It adds automation and monitoring into all steps of that lifecycle to shorten the development timeline, increase deployment frequency, and provide more dependable releases that forward business objectives.
DevSecOps seeks to insert security into a DevOps pipeline without slowing it down. This requires far more accuracy and speed than traditional application security methods provide. Since DevOps release cycles are fast, the amount of time available to triage and remediate vulnerabilities is greatly reduced. Hence, vulnerability management and prioritization are paramount.
The big challenge for DevSecOps is the reduction of the great manual bottlenecks that tend to be erected to help security professionals spot and remediate potential holes that could be exploited by hackers. This vital activity runs against the grain of the DevOps rapid development philosophy, yet building security into applications is critically important. Hence the need for DevSecOps to bring security to the development process as efficiently as possible.
Whether in development or production, the process of triaging false positives has always required human expertise. DevSecOps automates a good portion of this process by using analytics from all phases of the software development lifecycle. In some ways, it could be looked at as baking security into the DevOps methodology. In other words, DevSecOps is a way to automate security best practices in an agile fashion within the DevOps approach and workflow.
“Tools must be used to programmatically weed out false positives so that developers can spend time fixing only the most critical vulnerabilities, rather than determining which ones are real,” said Chetan Conikee, founder and Chief Technology Officer of ShiftLeft.
Building security into the development process
It was not uncommon for developers to create applications without paying too much attention to security. Safeguards and defenses often had to be added after the fact. This could slow down the release of an application, or see it rushed onto the market still having multiple security holes to fill. Clearly, it is better to build security into code at the time applications are being worked on. But how can this be achieved without putting the brakes on the creation of software and without inhibiting modern iteration workflows?
For security to be built into the development process, it is important to understand how an organization’s DevOps process and lifecycle roll out, and how they support the organization’s security and compliance needs. Like oil and water, traditional security processes just don’t mix with a DevOps mindset.
That mismatch can have a negative outcome. With development happening at a very fast pace through agile methodologies, security can easily be left out of the picture if it slows everything down too much or causes too much rework. DevSecOps is the answer to this problem. It offers a way to build security into agile processes in alignment with ongoing rapid development processes. In other words, security processes and checks are introduced throughout that lifecycle, beginning early on in the process. This is an effort to ensure that security keeps pace with the rapid iteration approach of DevOps.
Conikee added that web application firewalls designed to protect applications from external threats have never been able to really understand how applications work. To achieve DevSecOps, those two worlds must be brought together. By understanding how an application is vulnerable, it becomes much clearer how it should be protected. Production analytics on how the application is being used can thus be used to dictate how vulnerabilities are managed and prioritized in development.
But the concept of making security everyone’s responsibility can be scary to some. Perhaps another way to look at it is that DevSecOps is no more than doing DevOps right. Following the correct processes and instituting the right kinds of automation and testing will enhance security. When DevOps processes and systems are designed and run correctly, developers, testers, operations folks and everybody else should end up doing the right thing by default. Exceptions should be both visible and rare.
Some say the goal of DevSecOps is making security everyone’s responsibility within the organization. Developers, quality control and product managers, at the very least, should become far more involved in security. Some widen the scope much further, but that is easier said than done. It requires constant awareness and training to bake a DevSecOps mindset into the DNA of the enterprise.
A good way to achieve this is by fostering development talent within the security team and having those personnel work with engineering in a collaborative agile environment. Additionally, developers can be given nontraditional training in skills such as penetration testing, and internal bug bounties can be opened up to them. Such training encourages developers to practice good security hygiene when they code.
How to automate application security
Automation can help drive DevSecOps success. Automated testing, for example, can simplify security testing efforts using a minimum set of scripts. Automated testing tools can execute repeatable tests, report outcomes, and compare results, giving the team faster feedback. They perform the same operation each time they are executed, thereby eliminating human error. In addition, they can be run repeatedly at any time of day or night. Such testing should be run at every stage of the development pipeline to maximize efficiency and minimize mistakes within code that can expose the organization to threats.
Some may think that this approach requires the hiring of a large team of security experts. Certainly, some experts are needed. But it is not the purpose of DevSecOps to transform everyone into a security guru. Security expertise should be applied at the appropriate places in the process, or at transition points between iterative stages. Experts can help implement monitoring for systems in production, and others will figure out automated checks to ensure that only approved images are used when a developer moves work to the test stage.
But automation can take much of the manual labor out of the picture. Automating some security gates will keep the DevOps workflow from slowing down. Developers who lack extensive security training, therefore, can take advantage of automated systems and refer issues to a small core of security specialists.
DevSecOps best practices
DevSecOps is a relatively new discipline. Despite that, best practices are emerging. Here are some to implement.
- Code analysis: Build coding analysis into the development chain to spot security flaws early
- Change management: Empower teams to recommend and implement changes across the board
- Compliance monitoring: Enforce operational security hygiene and processes
- Threat investigation: Encourage teams to discover, investigate and remediate threats across all services
- Vulnerability management: Constantly scan code and conduct penetration testing to ensure remediation
- Security training: Train developers so they gain industry knowledge and become excited about prioritizing security. This must go beyond a short annual course, or a few lunch-and-learns. “Sending top developers to conferences like DEFCON can help them gain hands-on experience and see real hackers working in malicious ways,” said Gerchow.
- Automate where possible: The key to repeatability, manageability and, ultimately, auditability is automation. “If you are moving fast enough to get good value from DevOps, you will be held back if you are not automating security, as you are automating all the other parts of your processes,” said Mike Bursell, Chief Security Architect at Red Hat. “Security teams don’t scale when deployed in the old model of ‘just check and approve this before we send it into production’ if everybody else is operating in a DevOps world.”
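One concrete form of the automated security gate described above (the check that only approved images reach the test stage, and the "automate where possible" practice) is shown here as an added example; it is not code from the article or from any vendor quoted in it. The registry name, the digests and the manifest are constructed placeholders, and the gate is a hypothetical pipeline step that a team would wire into its own CI system.

```python
import re

# Constructed sample policy (hypothetical values): the registry a team allows
# and the digests of base images that security reviewers have approved.
APPROVED_REGISTRIES = {"registry.example.internal"}
APPROVED_DIGESTS = {
    "sha256:" + "a" * 64,  # placeholder digest for an approved "web" image
    "sha256:" + "b" * 64,  # placeholder digest for an approved "db" image
}

# registry/repository[:tag][@sha256:<64 hex chars>]
IMAGE_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)(?::(?P<tag>[^@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)
MANIFEST_IMAGE_LINE = re.compile(r"^\s*-?\s*image:\s*(\S+)\s*$")

def check_image(ref: str) -> list:
    """Return the policy violations for one image reference (empty list = allowed)."""
    m = IMAGE_REF.match(ref.strip())
    if not m:
        return [f"{ref}: unparseable or unqualified image reference"]
    problems = []
    if m["registry"] not in APPROVED_REGISTRIES:
        problems.append(f"{ref}: registry {m['registry']!r} is not approved")
    if not m["digest"]:
        # A mutable tag such as :latest can change underneath the team; require a digest pin.
        problems.append(f"{ref}: not pinned by digest")
    elif m["digest"] not in APPROVED_DIGESTS:
        problems.append(f"{ref}: digest is not on the approved list")
    return problems

def gate(manifest_lines) -> tuple:
    """Scan every 'image:' line of a manifest; return (passed, violations)."""
    violations = []
    for line in manifest_lines:
        m = MANIFEST_IMAGE_LINE.match(line)
        if m:
            violations.extend(check_image(m.group(1)))
    return (not violations, violations)

# Constructed manifest: one compliant service, one using a public mutable tag,
# one pinned to a digest nobody has approved.
SAMPLE_MANIFEST = f"""services:
  web:
    image: registry.example.internal/web:1.4@sha256:{'a' * 64}
  proxy:
    image: docker.io/library/nginx:latest
  worker:
    image: registry.example.internal/worker:2.0@sha256:{'c' * 64}
"""

if __name__ == "__main__":
    passed, problems = gate(SAMPLE_MANIFEST.splitlines())
    print("PASS" if passed else "FAIL")
    for p in problems:
        print(" -", p)
```

In a pipeline the script's exit status would fail the job, and the violation list gives developers the exact reason without a security specialist having to review each manifest by hand.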