DevSecOps is an extension of DevOps that emphasizes security automation and cooperation across the organization. More than just hype, DevSecOps is a crucial addition to your organization's development and deployment processes, especially given the range of ransomware groups, industrial spies, identity thieves, and other attackers plaguing today's cyberworld. In this article, you will learn how DevSecOps extends familiar DevOps tools and processes to help cross-functional teams work together on the design and implementation of security policies and procedures.

What is DevSecOps?

Essentially, DevSecOps is a way to ensure that security policies set by your organization—such as static analysis, vulnerability scanning, and access controls—are applied consistently in production, even if you are launching hundreds of virtual machines or containers every hour. With DevSecOps, the tools that carry out security policies are baked into the build process, through well-known DevOps techniques such as continuous integration and continuous deployment (CI/CD). The development team can assure managers and administrators that their security policies are being enforced without depending on individual developers to manually run the tools.

DevSecOps tools and processes

Developers and teams familiar with DevOps tools and processes can adopt them for DevSecOps. The basic elements of DevSecOps are:

  • Tools: DevSecOps adds vulnerability scanners, penetration testing, firewall rules, intrusion detection systems, and other common security features to the version control and CI/CD processes used for DevOps.
  • Processes: DevSecOps automates security practices in order to apply them consistently and verifiably across all the containers and services created by the development team.
  • Transparency and review: All decisions made by the development team are open to discussion among managers and security experts. Test and production systems can log their activities, and these logs can be checked to ensure that the development team has implemented the decisions of the larger organization.

Let's look at a few hypothetical examples of DevSecOps in action to show how it brings organizational priorities into production.

Vulnerability scanning in the DevSecOps pipeline

Vulnerabilities exist at many levels. You may have coding errors such as buffer overflows and incorrect type conversions, poorly secured user interfaces that allow SQL injection, or dependencies on third-party libraries that contain security flaws. A range of automatic vulnerability checkers now exists for all these problems, suited to various application types and sizes. Many of these tools can be added to a build process with just a few clicks in popular developer repositories such as GitHub and GitLab.

But a developer can't check everything all the time. The team must decide at what point to run checks, how much time they want to add to the build process, and where the most urgent priorities lie. A DevSecOps pipeline documents these decisions and ensures they are carried out.

For instance, where should you incorporate a tool such as Red Hat's Project Thoth, which checks common security databases and reveals flaws in your third-party libraries? If you discover a problem in a function call buried deep within your application, you had better determine right away whether your application is at risk, and if so how to fix the problem. Should you upgrade, back off to an old version of the library, or replace the library altogether? You'll want to learn about the flaw as early in the development cycle as you can, so you might take the time to run the tool upon every check-in to version control.

On the other hand, when it comes to running a common code scanner for, say, bugs in memory management code, you might choose to wait until you are ready to build a full version of the app for testing. Memory management flaws might be critical, but they are usually quick to fix.

The key to DevSecOps is that a team and its security advisors can discuss the tools and trade-offs available for each code base and then bake their decisions into builds.
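One way to bake such a decision into a build is to record it as data and have a gate compare each pipeline run against it. The following is an added example, not code from the article or from any of the tools it names; the trigger names, check names, and status values are hypothetical.

```python
from dataclasses import dataclass

# Constructed policy mirroring the trade-off in the text: the dependency
# advisory check runs on every check-in, the slower memory scanner only on
# full builds. Check and trigger names are hypothetical labels, not real tools.
POLICY = {
    "check-in": {"dependency-advisory"},
    "full-build": {"dependency-advisory", "memory-scan"},
}


@dataclass(frozen=True)
class CheckResult:
    name: str
    status: str  # "passed", "failed" or "skipped", as reported by the CI system


def evaluate_run(trigger, results):
    """Return the policy violations for one pipeline run (empty list = compliant)."""
    required = POLICY.get(trigger)
    if required is None:
        # Fail closed: a trigger nobody wrote policy for must not bypass the gate.
        return [f"{trigger}: no policy defined for this trigger"]
    statuses = {}
    for result in results:
        statuses.setdefault(result.name, []).append(result.status)
    violations = []
    for name in sorted(required):
        seen = statuses.get(name)
        if not seen:
            violations.append(f"{name}: required check did not run")
        elif any(status != "passed" for status in seen):
            # A skipped job counts as a violation, not as a pass.
            violations.append(f"{name}: reported {', '.join(seen)}")
    return violations


if __name__ == "__main__":
    # Constructed run: a full build where the memory scan job was skipped.
    run = [CheckResult("dependency-advisory", "passed"),
           CheckResult("memory-scan", "skipped")]
    for violation in evaluate_run("full-build", run) or ["compliant"]:
        print(violation)
```

Because the gate fails closed on missing or skipped checks, removing a scanner from the pipeline requires a visible change to the policy rather than a quiet edit to a job.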

Dynamic scanning and penetration testing

Security experts know that they can't rely on applications to be safe in a production environment, even if the developers have run a battery of static tests. DevSecOps lets developers ensure that every container they launch is checked regularly at runtime by a penetration tester, intrusion detection system, and other such tools.

An automated approach to securing devices

Many organizations are losing control over their endpoints. During the COVID-19 shutdowns, workers obtained access to critical systems and assets from their homes and even their local cafes. Within the workplace, "bring your own device" (BYOD) became popular well before that.

The standard security practice in this situation is to scan networks for all devices that connect. A database of approved devices helps restrict access to authorized devices. Such access can also be restricted to particular locations and times of the week. Penetration tests and other tools can even check whether the device has a password and up-to-date software.

To institute such protections, the IT team has to consult with managers of all departments. The organization needs processes for registering devices along with their owners, and for scanning networks regularly. Some of these processes can be incorporated into the development process through DevSecOps. For instance, your configurations can ensure that a scanner is running, as well as a process that monitors logs and alerts.

Similar processes can formalize other organizational protections, such as firewall rules and access control lists.
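The device checks described in this section can be expressed as an audit over scan results. This is an added example, not code from the article; the registry contents, field names, and patch baseline are constructed, and timestamps are assumed to be in the site's local time.

```python
from datetime import datetime

# Constructed registry of approved devices: owner, permitted sites, and the
# weekdays (0 = Monday) and hours during which each device may connect.
REGISTRY = {
    "dev-0001": {"owner": "alice", "sites": {"hq"},
                 "days": range(0, 5), "hours": range(8, 18)},
    "dev-0002": {"owner": "bob", "sites": {"hq", "remote"},
                 "days": range(0, 7), "hours": range(0, 24)},
}
MIN_OS_PATCH = "2023-08"  # constructed baseline: oldest acceptable patch level (YYYY-MM)


def audit_connection(obs):
    """Return the reasons to deny one observed connection (empty list = allowed)."""
    entry = REGISTRY.get(obs["device_id"])
    if entry is None:
        return ["device not registered"]
    seen_at = datetime.fromisoformat(obs["seen_at"])
    reasons = []
    if obs["site"] not in entry["sites"]:
        reasons.append(f"site {obs['site']!r} not approved")
    if seen_at.weekday() not in entry["days"] or seen_at.hour not in entry["hours"]:
        reasons.append("outside approved time window")
    if not obs.get("has_password"):
        reasons.append("no device password")
    # A missing patch level compares as "" and is treated as out of date.
    if obs.get("os_patch", "") < MIN_OS_PATCH:
        reasons.append("software out of date")
    return reasons


if __name__ == "__main__":
    # Constructed scan record: a registered laptop seen off-site on a Saturday night.
    observation = {"device_id": "dev-0001", "site": "remote",
                   "seen_at": "2023-09-23T22:00:00",
                   "has_password": True, "os_patch": "2023-09"}
    print(audit_connection(observation))
```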

Conclusion

DevSecOps is about more than tools and processes. It brings transparency and validation to the crucial area of cybersecurity. All relevant stakeholders can weigh in on security decisions and be sure that the developers incorporate their concerns into development and build processes. Security on a 24/7 basis no longer depends on the day-to-day vigilance of developers or operators; instead, it is enforced by a system where cross-functional teams are working in alignment.

In organizations with constant innovation and heavy dependence on network applications interacting with people around the world, DevSecOps gives developers, operators, and managers more peace of mind.

Last updated: September 20, 2023