The concept of DevOps has fundamentally changed the way many organizations develop, deploy, and manage software. DevOps is a culture shift that breaks down silos between teams and enables streamlined processes and better collaboration to accelerate software development. Security is an important element of software development in general, but it is even more crucial in a DevOps environment.
Integrating security into the DevOps workflow—creating DevSecOps—is essential. With traditional software development practices, security is often tacked on after the fact, but with DevOps there is no “after the fact”. DevOps culture is built on frequent and continuous iterative loops. Organizations that embrace DevOps need to have a program in place to ensure that security is built into the process.
There is increased awareness of the risks organizations face, and security is more pervasive in general than it once was. DevOps, by default, should already include security because there is simply no way to do DevOps effectively without it. Calling it DevSecOps almost seems redundant. It is an important distinction, however, because it indicates that the IT security team has a seat at the table and helps everyone involved understand the roadmap for security integration.
Functionally and philosophically, it is true that security is just part of DevOps. We will hopefully get there one day, but right now there is still a significant divide and poor communication between security and development teams. Security professionals struggle with DevSecOps—and application security in general—because most come from a network security background and have no understanding of software development. In a similar sense, developers can largely be unaware of secure coding best practices, how security testing can be implemented in the pipeline, and how to automate testing, and may also perceive security testing as something that will interrupt their workflows.
Getting from DevOps to DevSecOps
To get from DevOps to DevSecOps, the IT security team needs to have a working knowledge of software development tools and practices, so they can understand the value of things like automated build servers, central code repositories, and containers, and work with DevOps engineers to seamlessly incorporate security.
Speed and agility are core tenets of DevOps. It’s important for security professionals to appreciate that security policies and security testing have to embrace and support those same principles. The security team also needs to know about the tools used by development teams like code repositories and build tools—and how they fit into a continuous development cycle.
Two elements of DevOps that are most challenging for security professionals are the pervasive use of open source code, and the fact that everything is code. Everyone understands that an application itself is code, but infrastructure as well—especially in a DevOps environment—is increasingly code based. Much of that code tends to be open source projects, or snippets or modules of code from open source projects. The use of open source code requires thorough testing before software goes to production, and processes in place to make sure that vulnerabilities in the open source code are identified and addressed.
Achieving Effective DevSecOps
The bottom line is that the security team needs to embrace DevOps culture along with the developer and operations teams, and they need to invest the time and effort to understand how the DevOps lifecycle works, and why the DevOps team uses the tools and processes they do. As you build an enterprise DevSecOps program, this meshing of the cultures and teams is crucial.
Security professionals need to understand that the burden is on them to understand and fit into DevOps culture—not the other way around. It is important to be able to strike a balance between selecting security tools that are effective, but that also fit the development model and don’t get in the way of productivity.
One of the keys to managing security in a continuous development lifecycle is testing. The essence of continuous development and continuous integration is that developers are building small iterative code advances and checking them in to code repositories on a frequent basis. These smaller, simpler code additions provide an opportunity for implementing streamlined testing in the process as well.
Providing developers with training in developing secure code, and providing them with the tools for fast, relevant remediation training can reduce the number of security issues that occur in the first place. Examples of these tools include static analysis that can alert developers to flaws in their code in real time, and software composition analysis tools with automated vulnerability remediation based on machine learning models that detect unreported vulnerabilities in open source libraries in near-real time. These can help developers maintain their development timelines while producing more secure code. Interactive training based on real-world vulnerabilities and scenarios, combined with analysis and feedback on their own code helps developers understand and implement better security, and streamlines processes so security isn’t a burden on the DevOps lifecycle.
It may seem like a foreign concept at first—and much of what defines DevOps culture may seem to directly conflict with traditional security models and practices. Ultimately, though, there are a variety of benefits of DevOps culture—even for security, and once an effective DevSecOps program is established, developers and security teams will wonder how they used to function without it.