A beginner's view of DevSecOps
In this era of digital transformation, every organization is betting on speed and innovation to deliver differentiated services that enrich the customer experience and create stickiness with customers. But now more than ever, in the face of rising and increasingly sophisticated cyberattacks, organizations need to integrate security into their application development and digital services. This can be difficult, given that security is often perceived as slowing down innovation.
In any digital-first organization, developers build code that corrects glitches, provides user enhancements and fixes software vulnerabilities; the IT operations team keeps these systems running and functional for the thousands of people who depend on them; and the security team ensures that the same systems are secure, up to date and compliant with industry, government and business standards. These teams have differing priorities that can clash at times.
To bridge the divide between development, operations and security teams, and to ensure that systems stay updated, running and secure all at the same time, organizations are investing in a new approach known as DevSecOps. This brings us to the perceived definition of DevSecOps - “A Cultural and Engineering Practice that breaks down barriers and opens collaboration between development, security and operations team using automation”, according to the General Services Administration.
At its core, the purpose and intent of DevSecOps is to build on the mindset that everyone is responsible for security, with the goal of safely distributing security decisions at speed and scale.
The evolution of the term DevSecOps –
Since the early 2000s, many organizations have adopted agile methodologies for iterative, incremental and evolutionary software development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. In many instances, agile methodologies have evolved into a DevOps approach. The word “DevOps” is a mashup of “development” and “operations”, but it represents a set of ideas and practices much larger than those two terms alone or together. It describes approaches to speeding up the process by which an idea or change request goes from development to deployment in a production environment, where it can provide value to the user.
Often in DevOps the focus is on automation, collaboration and the other core pillars of the methodology, and in the process security can be forgotten. Those using DevOps approaches have realized the need to integrate security into the development and operations flow, leading to the call for DevSecOps.
Hence, DevSecOps aims to give security the focus and priority it needs and deserves. It doesn’t necessarily call for a separate security team, but rather looks to infuse security principles into every step and into every collaborator, including developers and QA.
The tools and tactics for DevSecOps –
Containers and microservices: DevSecOps speeds up how an idea goes from development to deployment. At its core, DevSecOps relies on automating routine operational tasks and standardizing environments across an app’s lifecycle in order to integrate security practices into the development pipeline. Containers offer these necessary standardized environments. They make it easier to move applications between development, testing and production environments. Using containers lets developers package and isolate their apps with everything they need to run, including application files, runtime environments, dependent libraries and configurations.
Automation: As organizations adopt containers, an automated approach to security, testing and application development is needed to increase productivity and reduce risk. By automating security capabilities like enterprise firewalls, intrusion detection systems (IDS) and security information and event management (SIEM), organizations can better unify their responses to cyberattacks through the coordination of multiple, disparate security solutions, helping these technologies act as one in the face of an IT security event.
Open source: The culture of open source software projects can be a blueprint for how to build a DevOps or DevSecOps culture. Adapting the core open source principles of collaboration and transparency can help to implement cultural changes in an organization, such as promoting transparency in decision-making, encouraging experimentation by eliminating the fear of failure, or implementing a reward system that encourages trust and collaboration. DevSecOps relies on a culture of collaboration that values openness and transparency, which means the cultural values of DevSecOps are tightly intertwined with the values of open source communities and agile approaches to work.
Culture: In a business environment, changing the infrastructure or the application architecture is the easy part. To effectively change what you produce, you need to change your culture first, and cultural change goes even deeper than DevSecOps, agile or any other methodology. It is a commitment to actually putting everyone on the same team. For a DevSecOps implementation to succeed, the people within the organization need to want to change. It’s a matter of free will, not force.
Benefits of DevSecOps –
- Faster Application Development Lifecycles
- Increased Developer Productivity
- Lower Costs through Greater Efficiencies
- Improved Service Quality and Reliability
- Reduced Risks of Deployments
- Faster adaptation to market changes
- Competitive advantage from shorter idea-to-live cycles
- Improved Customer Satisfaction
- Higher ROI with more applications in less time
- Reduced IT Operations time per application developed
Summary –
Today, in the collaborative framework of DevOps, security is a shared responsibility integrated from end to end. This mindset is so important that it has led to the term and approach DevSecOps, which emphasizes the need to build a security foundation into DevOps initiatives. DevSecOps means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down.
New technology solutions like containers, automation and cloud computing can help organizations meet their security goals. But effective DevOps security requires more than new tools — it builds on the cultural changes of DevOps to integrate the work of security teams with development, operations and QA teams.
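The automated security gate the summary mentions, shown as an added example that is not from this article: a small Python gate a pipeline would run after scanning a container image. It fails the build on unfixed critical findings, blocks high-severity findings only when a fix exists, and honours time-boxed, documented risk acceptances so the gate does not stall delivery on known, owned exceptions. The report shape, finding ids, the ACCEPTED_RISKS entry and the function names are all assumptions constructed for the example, not any real scanner's output.

```python
from datetime import date

# Constructed sample scan report in a generic shape; ids and packages are made up,
# not real CVE data or any particular scanner's output format.
SAMPLE_REPORT = {
    "image": "registry.example/app:1.4.2",
    "findings": [
        {"id": "VULN-0001", "package": "openssl", "severity": "CRITICAL", "fix_version": "3.0.14"},
        {"id": "VULN-0002", "package": "libxml2", "severity": "HIGH", "fix_version": None},
        {"id": "VULN-0003", "package": "curl", "severity": "HIGH", "fix_version": "8.6.0"},
        {"id": "VULN-0004", "package": "zlib", "severity": "LOW", "fix_version": "1.3.1"},
    ],
}

# Accepted risks (assumed format): a finding may only be waived with an owner, a reason
# and an ISO-date expiry, so exceptions stay visible and time-boxed, never silently permanent.
ACCEPTED_RISKS = {
    "VULN-0003": {"owner": "app-team", "expires": "2099-01-01", "reason": "code path not reachable"},
}

def evaluate_gate(report, accepted_risks, today=None, block_high_with_fix=True):
    """Return (passed, reasons). Policy: any CRITICAL blocks the build; HIGH blocks
    only when a fix is available; unexpired accepted risks are skipped."""
    today = today or date.today().isoformat()   # ISO date strings compare chronologically
    reasons = []
    for f in report["findings"]:
        waiver = accepted_risks.get(f["id"])
        if waiver and waiver["expires"] > today:
            continue                              # documented, time-boxed exception
        if waiver:
            reasons.append(f"{f['id']}: risk acceptance expired on {waiver['expires']}")
        if f["severity"] == "CRITICAL":
            reasons.append(f"{f['id']} in {f['package']}: CRITICAL, fix {f['fix_version'] or 'n/a'}")
        elif f["severity"] == "HIGH" and block_high_with_fix and f["fix_version"]:
            reasons.append(f"{f['id']} in {f['package']}: HIGH with fix {f['fix_version']} available")
    return (not reasons, reasons)

def run_gate(report=SAMPLE_REPORT, accepted_risks=ACCEPTED_RISKS):
    """Pipeline entry point: exit status 0 lets the build continue, 1 stops it."""
    passed, reasons = evaluate_gate(report, accepted_risks)
    for r in reasons:
        print("GATE FAIL:", r)
    print("security gate:", "PASS" if passed else "FAIL", "for", report["image"])
    return 0 if passed else 1

if __name__ == "__main__":
    raise SystemExit(run_gate())
```

Wired into a CI job, a non-zero exit from run_gate() stops the pipeline, while the printed reasons give developers the exact package and fix version to act on without a separate security hand-off.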
4y: The immediate win is the inclusion of a body of knowledge around the security domain into the release payload. However, it also creates great synergies between these organisation units, which are often in an unequal power relationship and thus siloed. Neat write up!