For a long time, DevOps was the perfect pairing of software developers and operations folks working together from initial design, through the development process, to production and support. Built around shared tools and coordinated processes, DevOps is a mindset that emphasizes collaboration between an organization's operations, development, testing, and support teams. Covering the entire software development lifecycle (SDLC), the DevOps goal is to improve agility and the quality of application delivery.
Fast forward to today and we find that things have gotten a lot more complicated. Apps are running on myriad devices and across the Internet. Cybercriminals seem to be lurking around every corner. In this brave new world, DevSecOps takes DevOps one step further by recognizing that security needs to be “invited to the party,” infusing every aspect of the SDLC.
Just like automotive manufacturers need to “build security into their cars,” software developers need to “build security into their code.”
Doing More with Less
The role of today’s software developer has become multifaceted, with increased responsibilities to do more in less time, all while keeping applications secure. In this environment, speed of development and security can end up in conflict – often with security being overlooked.
The goal of DevSecOps is to build security in from the beginning rather than trying to tack it on at the end. DevSecOps takes a holistic approach, with everyone who touches an application, from development through testing and into production, sharing the same security goals.
Born of the need to improve the agility of IT service delivery, the DevOps movement emphasizes communication, collaboration, and integration between software developers and IT operations teams. By adding security to the mix, DevSecOps breaks down even more silos. It helps an organization deliver more secure software and more responsive IT services with greater speed and more frequent iterations by:
1. Taking a holistic approach (not just thinking about your bit, but the whole system)
2. Collaborating rather than competing (sharing knowledge, meeting common goals, and taking advantage of that second set of eyes)
3. Encouraging rapid, useful feedback (going broad and deep)
4. Automating routine tasks (to reduce the number of things that can go wrong)
How Security + DevOps Can Deliver More Secure Software
The power of DevSecOps lies in the fact that it integrates security early in the SDLC. Development, security, and operations are all essential pillars underpinning the application delivery and deployment process. And application security testing acts as a foundation for DevSecOps. The key goals of each team are complementary and baked into the end-to-end process. The aim is to get it right the first time, and when you don’t, applications can go through quick, agile iterations.
10 Tips for Building a DevSecOps Culture
If your teams are working in silos, you need to make sure that they are willing to accommodate the cultural changes that come with a DevSecOps approach:
1. Learn to trust
2. Understand motivations
3. Eliminate blame
4. Embrace smart failure
5. Focus on bottlenecks and flow
6. Eliminate unplanned work
7. Be continuous
8. Form dedicated, cross-functional teams
9. Love transparency
10. Build autonomy, mastery, and purpose
Remember, DevSecOps is a great opportunity to get security right!
Findings from the 2015 State of DevOps Report:
- High-performing IT organizations experience 60X fewer failures and recover from failure 168X faster than their lower performing peers. They also deploy 30X more frequently with 200X shorter lead times.
- Lean management and continuous delivery practices create the conditions for delivering value.
- High performance is achievable no matter if your apps are greenfield, brownfield, or legacy.
Adding security to the mix pays additional dividends.
Because of the ever-changing threat landscape, it’s the rare application that can be made absolutely bulletproof. But you can make your applications highly resistant to current and emerging security threats.
This starts with your DevOps teams, who need to be trained on security principles, best practices, and writing secure code to address the top security vulnerabilities that end up manifesting themselves in production. Once trained, you need to incentivize your developers so that writing secure code is a regular part of their planning and coding processes.
The Bottom Line
Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers and preserves the teamwork, agility, and speed of DevOps and agile development environments.
DevOps provides a huge opportunity for better security. Many of the practices that come with DevOps, such as automation, emphasis on testing, fast feedback loops, improved visibility, collaboration, consistent release practices, and more, are fertile ground for integrating security and audit capability as a built-in component of your DevSecOps processes.
Security measures built into applications minimize the likelihood that unauthorized code will be able to manipulate applications to access, steal, modify, or delete sensitive data.
Only when you get your DevOps and security teams all on the same page will your organization be able to reap the significant benefits of "DevSecOps."