DevSecOps: Why you should care and how to get started

The increasing popularity of DevOps software development methodologies has led to shorter and more agile life cycles, in which software is released and deployed in minutes or hours rather than the days, weeks, or even months required under traditional practices. However, many development teams still experience delays in getting releases into production due to the security considerations that are traditionally brought to bear at the end of the life cycle. To address this, organizations are more and more frequently adopting a DevSecOps approach.

What is DevSecOps?

DevSecOps includes security in DevOps practices by embedding (or left-shifting) security into applications early and continuously through a rapid, iterative, and automated software development life cycle (SDLC). The main goal is to produce more secure code more quickly. DevSecOps doesn't aim to turn developers into security experts, but rather educate them in best practices that promote more secure development processes.

In practical terms, DevSecOps:

• Promotes secure coding standards and provides automated and repeatable testing.
• Uses static and dynamic code analysis to quickly find and remediate weaknesses and vulnerabilities in code.
• Applies secure configurations to provide a secure and compliant development environment.
• Continuously monitors the production environment for security threats and provides visible governance metrics for both security teams and developers.

Why should developers care about DevSecOps?

Organizations that foster a DevSecOps culture can become more agile and respond more quickly to change and innovation, while still meeting regulatory and organizational security goals. Development teams can roll out applications more quickly—without sacrificing security, while still meeting compliance standards. Automated compliance processes can lower costs, and historical data can be made visible and tracked to analyze trends and quickly identify potential vulnerabilities and exposures.

DevSecOps can decrease the potential risk for your organization and your customers by implementing a few simple strategies:

• Writing secure code and sharing best practice guides across development teams. This creates a more collaborative environment where everyone is responsible for security risk.
• Identifying and fixing vulnerabilities earlier in the life cycle. Typical security testing takes place near the end of the development cycle, such as during user acceptance testing or in staging or pre-production environments. Developers end up patching or rewriting code at this late stage when security flaws are discovered. That's counterproductive and increases time to production.
• Implementing an integrated development environment (IDE) security plugin. This can help developers check for security flaws while coding. There are many options, with two examples being the OWASP SAST plugin and the Snyk IDE Plugin. Using the same IDE across development teams will also lower onboarding time and increase collaboration.

How can you get started with DevSecOps?

A shift to a DevSecOps philosophy will not happen overnight and will require buy-in at all levels of your organization. Planning and resources are required to begin the journey. A good place to start would be to identify developers who are already aware of the concepts; they can then become ambassadors to help enable other teams.

If your development teams want to implement DevSecOps for their projects successfully, the following suggestions can help overcome common challenges and get them started.

Mindset and culture change

Consider what a DevSecOps collaborative culture looks like for your development teams. How willing are team members to share the responsibility for security throughout the DevOps value chain? What is your security debt—in other words, how many vulnerabilities have made it into production because developers have chosen not to fix them?

You'll want to identify security priorities, responsibilities, and communication paths for team members throughout the development life cycle. DevSecOps isn't just about providing tools; you'll also want to change people's perception of security and create more security-aware cross-functional teams. This fosters a culture where security is built in by default rather than bolted on at the end of a project.

Learning and training

Consider the additional security-related skills that developers and other team members need to acquire so that they can independently resolve security-related bugs. Formal in-house and external training can raise awareness and allow more experienced developers to mentor others within your organization. These mentors could then run short "Lunch and Learn" sessions with other developers to promote usage and understanding of DevSecOps practices within other development teams.

The following Red Hat courses and training can assist you:

• Red Hat DevOps Pipelines and Processes: CI/CD with Jenkins
• Red Hat Certified Specialist in Security: Linux
• Various articles in the Red Hat Developer training program

Integrate security into CI/CD pipelines

A good way to start with DevSecOps is to create an initial team to evangelize its benefits. Start small so as not to be overwhelmed; for instance, the team could start with a small project that will enable them to hone their skills and create "ways of working" frameworks for other teams. The team should include members from the development, security, and infrastructure groups, as you'll need input from all these areas to plan the move to DevSecOps. Look at implementing a few essential security checks into the SDLC as a proof of concept, but remember to keep it simple at the beginning.

Tools such as Jenkins, CircleCI, and Bamboo will help automate the parts of software development related to building, testing, and deployment, and should include security checks in the process. If you already have continuous integration/continuous delivery (CI/CD) tools and processes, it should be quite straightforward to add security checks into the mix.

Examples of security checks include:

• Enforcing secure coding and defensive coding standards.
• Looking for source code vulnerabilities.
• Scanning external libraries.
• Using a trusted software supply chain.
• Image vulnerability scanning (consider using a product such as Red Hat Advanced Cluster Security for Kubernetes).
• Identifying compromised credentials (e.g., passwords, secrets, certificates, API keys, and so on).
• Static application system testing (SAST), which analyzes development source code for security vulnerabilities and quality issues such as SQL injections or cross-site scripting.
• Dynamic application security testing (DAST), which analyzes running applications for execution vulnerabilities. This includes black box testing techniques such as fuzz testing.
• Active and passive penetration testing.

The results of these tests should be fed into the CI/CD tool, along with the decisions made on the next steps. It's critical to provide feedback to developers at this stage so that security is not seen as a blocker to deployment.

From here, you'll be able to create common, sharable automated pipelines that include security checks into your application development processes. This approach will ensure that security and consistency are built into your applications from the very beginning. Security doesn't stop after deployment; continuous monitoring and alerting are required during the complete life cycle of an application.

How can DevSecOps help with regulatory compliance?

If your application manages payments, handles sensitive customer or patient data, or operates in a regulated market, then there are industry and regulatory standards that you need to meet and monitor. Some organizations may also require that you complete proof-of-compliance or authorization-to-operate documents before you can deploy applications into production environments.

Compliance goes beyond pure code and can also require additional artifacts, including:

• Up-to-date documentation that describes data flow, mitigation against accidental data egress, and access controls. Documentation can also include instructions on the secure use of the application.

Tip: Following coding naming conventions and structured programming conventions will provide nearly self-documenting code, which can minimize the effort required to support and maintain that code.

• Proposed patching processes for the application, with SLAs relevant to the associated risk categories.

Tip: Using the most up-to-date Universal Base Images provides a higher level of assurance when it comes to vulnerabilities and patching.

• Update and release controls to demonstrate and confirm security checks before deployment.

Tip: Using a GitOps process can implement change control efficiently and effectively, with metrics that show where an application is in the SDLC.

• Documentation on the complete supply chain, including a software bill of materials that shows what components and vulnerabilities are in the software and associated third-party libraries.

Tip: Check out the Generating software bill of materials video produced by the Linux Foundation.

Weaving automated security compliance audits and controls into your SDLC will reduce the time developers will need to meet compliance requirements, allowing them to concentrate on developing software while adhering to all security policies.

DevSecOps: Security + agility

DevSecOps is all about automating and integrating security within all phases of the software development life cycle to produce more secure code more quickly and easily. Getting started requires that you change your mindset and organizational culture to collaborate and share responsibility for producing secure and compliant code, using tools and processes to implement security checks into CI/CD pipelines, and implementing automated security compliance audits and controls to comply with regulations. There is much more to DevSecOps, and you can explore it further as you build upon the foundation of these initial recommendations.

Here are a few resources to continue your DevSecOps journey:

• Modernize your life cycle and reduce risk with DevSecOps
• How to deploy a comprehensive DevSecOps solution
• Modernize and secure your application life cycles with DevSecOps

You can also explore tutorials, videos, and more on Red Hat Developer's DevSecOps and automation topic pages.

Last updated: August 26, 2022