
2 April 2023

Putting DevOps into practice has allowed companies to accelerate software delivery while ensuring that critical aspects of development and operations are addressed. Here I explain how security is added to this methodology, an approach known as DevSecOps.

What is DevSecOps?

DevSecOps is an extension of the DevOps approach that treats security as a shared responsibility, integrated into the development process from the beginning.

It can be considered simply as “DevOps done right”: the collaborative work model of DevOps aims to create a culture that brings developers and operators together to break silos; DevSecOps adds the security team to the discussion, to enable the software to be delivered quickly, efficiently and securely.

In essence, DevSecOps aims to:

  • foster collaboration between DevOps and security teams
  • implement Security as Code and shift security concerns left in the software development process

How to adopt a DevSecOps approach?

To adopt a DevSecOps approach, you will have to focus on 3 axes: people, process and technology.

People

No amount of investment in training and tools will enable your organization to switch to a DevSecOps approach if the people at the heart of the needed collaboration are not interested.

The first step is to have a volunteer “Security Champion” emerge in each team. A security champion is a developer who does not necessarily have security training and just needs to be interested in strengthening the company’s security posture.

The security champion will be the point of reference for security choices in the team, will make sure that security issues are raised during backlog refinement, and will answer the team’s security-related questions.

The second step is to create a network of security champions across the organization who can share knowledge and answer each other’s questions, for instance as a security guild. In big organizations (10+ teams), security advocates can emerge from among the security champions to add a layer of coordination and expertise.

The security issues will then go up the Andon chain from the team to the security champions/advocates, and ultimately to the security team if needed. This system ensures that each layer learns the most about the issues encountered, to continually improve (kaizen), grow in awareness around security issues, and reduce the time needed to address them.

Process

The transformation of DevSecOps culture into tangible results is made possible by modifying existing processes to enable collaboration between DevOps and security teams.

In particular, the measures that will have the highest impact for your organization include:

  • collaborative work sessions with DevOps and security teams on threat models
  • the regular audit of automated tests by security experts
  • including security features as part of the software delivery backlog:
    • including a security assessment of the feature in the Definition of Ready
    • including a green light given by the testing tools in place in the Definition of Done

More broadly, building the DevSecOps process is an iterative effort. It starts with experimenting with a collaborative process between DevOps and security teams at a given stage of software delivery, continues with formalizing the agreed-upon process that results from that experimentation, and ends with a security audit of the standard process established.

This process can then be applied by a variety of teams in a variety of contexts, and refined according to agile methodology principles. The use of a standard process reduces the risk of introducing security loopholes in the methodology.

Technology

Adopting a DevSecOps approach implies adding a variety of security solutions and best practices to the DevOps toolkit.

First, you want to automate security at all stages of software delivery. This is done by adding security tools to your CI/CD pipeline, such as:

  • automated security testing
  • linters
  • DAST/IAST/SAST suites
  • vulnerability checks
  • logging and monitoring tools
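
One way to turn the automated checks listed above, and the "green light" required by the Definition of Done, into a pipeline gate. This is an added example, not part of the original article. It assumes the scanners export SARIF 2.1.0 and that waivers are kept in the repository; the tool name, rule ids, file paths and waiver format are constructed.

```python
import json
from datetime import date

def _finding(rule, uri, line, level=None):
    """Build one constructed SARIF result object for the sample report."""
    res = {"ruleId": rule, "message": {"text": "constructed sample"},
           "locations": [{"physicalLocation": {
               "artifactLocation": {"uri": uri},
               "region": {"startLine": line}}}]}
    if level:
        res["level"] = level
    return res

# Constructed SARIF 2.1.0 report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _finding("sql-injection", "app/orders.py", 42, "error"),
        _finding("weak-hash", "app/legacy.py", 7, "error"),
        _finding("debug-flag", "app/settings.py", 3, "note"),
        _finding("missing-timeout", "app/client.py", 18),  # no level given
    ]}]})

# Waivers live in the repository and are reviewed like code; each one expires.
WAIVERS = [{"ruleId": "weak-hash", "uri": "app/legacy.py",
            "expires": "2023-06-30"}]

def gate(sarif_text, waivers, today, blocking=("error",)):
    """Return (green_light, blockers) for one SARIF report."""
    active = {(w["ruleId"], w["uri"]) for w in waivers
              if date.fromisoformat(w["expires"]) >= today}
    blockers = []
    for run in json.loads(sarif_text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            level = res.get("level", "warning")  # absent level counted as warning
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            if level in blocking and (res.get("ruleId"), uri) not in active:
                blockers.append(f"{tool}: {res.get('ruleId')} {uri}:{line}")
    return (not blockers, blockers)

if __name__ == "__main__":
    ok, blockers = gate(SAMPLE_SARIF, WAIVERS, date.today())
    print("\n".join(blockers) or "green light")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

Because a waiver stops counting once its expiry date has passed, an accepted risk reappears as a blocker instead of staying silenced indefinitely.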

Then, you want to integrate security by design into your governance. This is done by implementing standards and best practices, such as:

  • OWASP Standards
  • Secure coding practices
  • enabling Transport Layer Security (TLS) encryption by default
  • forcing API authentication for all clients (including nodes, proxies …)

What are the benefits my organization can expect?

The first direct impact of adopting a DevSecOps approach is the improvement of the overall security of your product, leading to an increase in quality and robustness.

The shifting left of vulnerability checks also enables your organization to discover and fix them at an early stage. This results in less stressful and complex fixes, as well as a reduction of incurred costs.

Integrating security in the delivery process also strengthens your security posture and enables more frequent deployments with fewer manual operations: 61% of organizations with mature DevSecOps culture report being able to deploy on-demand, versus 46% on average (see Puppet's 2019 State of DevOps report). By removing the security bottleneck, adopting a DevSecOps approach speeds up your product delivery, as well as security- and compliance-related transformations.

DevSecOps is a culture that considers the collaboration between the development, operations, and security teams as the foundation for efficient and robust software delivery.

Its implementation requires a switch in culture, technology, and processes, but represents a step towards more collaboration between project stakeholders and the use of automation to ensure that security practices are incorporated by design in the software.

In addition to better security for the software itself, a DevSecOps approach also enables better cooperation, faster software delivery, and increased confidence in the overall security posture.