DevSecOps

DevSecOps is a framework that integrates security into every phase of software development. It's an approach that helps organizations reduce the risk of releasing software with security vulnerabilities. DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.

DevSecOps vs. DevOps

DevOps isn’t just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT Security must also play an integrated role in the full life cycle of your apps.

Why? In the past, the role of security was isolated to a specific team in the final stage of development. That wasn’t as problematic when development cycles lasted months or even years, but those days are over. Effective DevOps ensures rapid and frequent development cycles (sometimes weeks or days), but outdated security practices can undo even the most efficient DevOps initiatives.

Whether you call it “DevOps” or “DevSecOps,” it has always been ideal to include security as an integral part of the entire app life cycle. DevSecOps is about built-in security, not security that functions as a perimeter around apps and data. If security remains at the end of the development pipeline, organizations adopting DevOps can find themselves back to the long development cycles they were trying to avoid in the first place.

In part, DevSecOps highlights the need to invite security teams and partners at the outset of DevOps initiatives to build in information security and set a plan for security automation. It underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats—like insider threats or potential malware. DevSecOps also focuses on identifying risks to the software supply chain, emphasizing the security of open-source software components and dependencies early in the software development lifecycle. To be successful, an effective DevSecOps approach can include new security training for developers too, since it hasn’t always been a focus in more traditional application development.

What does built-in security really look like? For starters, a good DevSecOps strategy is to determine risk tolerance and conduct a risk/benefit analysis. What amount of security controls are necessary within a given app? How important is speed to market for different apps? Automating repeated tasks is key to DevSecOps, since running manual security checks in the pipeline can be time intensive.

Environment and data security

• Standardize and automate the environment: Each service should have the least privilege possible to minimize unauthorized connections and access.
• Centralize user identity and access control capabilities: Tight access control and centralized authentication mechanisms are essential for securing microservices, since authentication is initiated at multiple points.
• Isolate containers running microservices from each other and the network: This includes both in transit and at rest data, since both can represent high-value targets for attackers.
• Encrypt data between apps and services: A container orchestration platform with integrated security features helps minimize the chance of unauthorized access.
• Introduce secure API gateways: Secure APIs increase authorization and routing visibility. By reducing exposed APIs, organizations can reduce surfaces of attacks.

CI/CD process security

• Integrate security scanners for containers: This should be part of the process for adding containers to the registry.
• Automate security testing in the CI process: This includes running security static analysis tools as part of builds, as well as scanning any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline.
• Add automated tests for security capabilities into the acceptance test process: Automate input validation tests, as well as verification authentication and authorization features.
• Automate security updates, such as patches for known vulnerabilities: Do this via the DevOps pipeline. It should eliminate the need for admins to log into production systems, while creating a documented and traceable change log.
• Automate system and service configuration management capabilities: This allows for compliance with security policies and the elimination of manual errors. Audit and remediation should be automated as well.