Transitioning from DevOps to DevSecOps
Introduction to DevOps
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops) to shorten the software development lifecycle and provide continuous delivery with high quality. DevOps is a relatively new term, but it has become increasingly popular in recent years as organizations have adopted cloud computing and microservices architectures.
Introduction to DevSecOps
DevSecOps is an approach to software development that integrates security into the entire software development lifecycle (SDLC) from the beginning. This means that security is considered and implemented at every stage of the development process, from planning and design to coding, testing, and deployment. The goal of DevSecOps is to shift security left, meaning that security is considered and implemented throughout the entire software development process, not just as an afterthought.
Transition from DevOps to DevSecOps
When DevOps was introduced to the field of software development, security was never a part of it. Recently, with the rise of the adoption of cloud, open source software, and shift towards microservices organizations are aware of the security risks associated with the software development process.
DevSecOps when introduced, was primarily focused on the fact of “Detecting risks as early as possible in the entire development cycle”. “Shift Left” always means early detection of the vulnerabilities present in an organization’s cloud infrastructure.
With the evolution of all the things in DevSecOps, the shift left is expanding from early detection to early detection, prevention, and remediation.
In our recent episode with Matt Tesauro, Matt clearly says “I'm seeing a huge step towards the auto-remediation capabilities, a huge step towards our prevention capabilities that wasn't part of the DevSecOps Circles.”
Having said that security practitioners can detect issues early, but remediating and preventing them early still remains a fight.
Let us take an example of log4j;
An organization's development infrastructure may have 10,000 log4j instances all around.
What are the next steps you would want to take to prevent the consequences?
Security practitioners, to move things ahead and fast need to ask questions such as -
- What is going to happen?
- How are we going to remediate these instances?
- Are these instances manual or automated?
- How can we be smart enough to prevent these instances beforehand?
Self-interrogating on such factors should help security practitioners make an impact in the space of auto-remediation and early prevention.
How can organizations practice DevSecOps?
There is no one-size-fits-all all! Organizations can have various techniques to practice DevSecOps. But to get started, we would like to explicitly separate this idea between startups and large organizations.
For startups, because they are limited in resources (either maybe people, technology, money, etc). Startups need to upscale their Dev to practice SecOps. Upscaling the Dev to do more codifying security into your infrastructure is the only key.
Whereas for large organizations, implementing the same idea is a lot easier because large organizations have a lot more resources than startups. Asking top-of-the-funnel security practitioners to get involved in integrating more automation in the CI/CD pipelines on behalf of development teams can make a significant impact.
Also, having a dedicated team that continually focuses on security checks, and best practices mitigates the gap between early detection, prevention, and remediation. Following all of these practices ultimately fulfills the organization’s zero-trust pipeline policy.
Keeping the right balance between development and security
The attitude of “Security teams always slow down the development lifecycle” is the very first thing that needs to be uprooted from the minds of development teams.
For sure, it acts as a speed bump. But, security teams are like the frontline soldiers that notice all the risks that are executed by attackers against the infrastructure that they are trying to protect.
Toll-gating with the CI/CD pipelines makes the actual development slow. Asking a developer to own and adapt something that will prevent them from moving faster will never be accepted. Hence, the shift left approach helps developers because there is someone who is trying to inculcate all the security practices beforehand and not at the time of production.
DevSecOps teams should be seen as the “How to security” of the development cycle. They enable developers to create a safe and secure production environment to have a safer post-deployment environment.
Defining meaningful metrics can help organizations to measure the quality of their coding and application development. With metrics targetting and prioritizing the instances becomes much easier.
DevSecOps for Cloud-native environments
DevSecOps not only automates security tasks but also codifies security into your organizational infrastructure. This also reflects that security policies and controls should be written in code and integrated into the CI/CD pipeline. This will help to ensure that security is considered throughout the entire software development lifecycle, from development to deployment.
These situations often lead to maker-checker problems when implementing DevSecOps. Organizations need to understand that developers should not write a security code that checks their piece of work. Security engineers should be responsible for writing the security code and ensuring that it is objective and unbiased.
When it comes to cloud-native environments, security needs to be a day-to-day activity. This means that security engineers should work closely with developers and DevOps teams to integrate security into the development process.
Conclusion
In conclusion, DevSecOps represents a transformative shift from DevOps, integrating security throughout the entire software development lifecycle. It emphasizes early detection, prevention, and auto-remediation of vulnerabilities. Balancing development and security, practicing in diverse organizational contexts, and codifying security into cloud-native environments are pivotal for successful DevSecOps implementation, fostering a culture where security is not a hindrance but an integral part of innovation.