
What is DevSecOps?

When DevOps as a practice came into being, security was not part of the picture; it was treated as a separate area to be dealt with later. DevSecOps brings IT security in at the development stage itself, rather than as an afterthought.

  • A new organization will fall victim to ransomware every 11 seconds by 2021

  • Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defence

  • 34% of businesses hit with malware took a week or more to regain access to their data 

These statistics are real and disturbing, and they put the focus on application security from the development stage onward, with no leeway given to security exceptions or sign-offs.

The success of the DevOps approach

The DevOps approach can, to a large extent, handle today’s demands for new ways of running IT operations and developing applications, as well as newer threats, malware and dangers. It has delivered quality, stable solutions; faster development, deployment and services; and fewer failures and bottlenecks. The application development process is broken down into smaller segments, which is why new features and releases are produced more often. DevOps techniques ensure continuous development, integration, automated testing, delivery and deployment; rapid and frequent development cycles, driven by the development (Dev) and operations (Ops) teams, became the DevOps success story.

Separate specialized teams came together to deliver this, and integration was the key. DevSecOps came into being when IT security was folded into the continuous integration (CI) and continuous delivery (CD) pipelines.

The entry of DevSecOps

With DevOps alone, the focus was on the experiences, culture and collaboration between the IT operations and development teams. With security entering the scene, a complete revamp of culture, education and integration was needed.

DevSecOps works in tandem towards a common goal of rapid and secure development and delivery, riding the wave of continuous improvement. In this equation, IT security is important, and responsibility for it is shared by the development, operations and security teams.

A few DevSecOps best practices

  • The first step is to conduct a risk/benefit analysis: understand the risks, know which of them can be mitigated and which cannot, and weigh the benefits of mitigation.

  • Automation plays a key role, since manual checks for security risks and vulnerabilities are time-consuming, inefficient and sometimes ineffective. Automated security controls and tests help reduce mistakes, bottlenecks, attacks and downtime, and sometimes eliminate them altogether.

  • Threat modelling, source control repositories, container registries, application programming interface (API) management, containers and microservices are just some of the tools and practices in the DevSecOps armoury. Development teams should choose security tools and practices that integrate easily into the DevOps toolchain.

  • Other aspects, such as incident management with an appropriate and timely response workflow and continuous threat hunting, are also part of the DevSecOps methodology.

  • Education and awareness among the teams about the information security aspects of the infrastructure, industry threats, known bugs and risks at the beginning of the app or product lifecycle is essential. If this means training or retraining the development (Dev) and operations (Ops) teams in security awareness on a regular basis, it is worth the investment of time and effort.
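The automated security gate that the practices above describe, as an added example that is not the post's own code: a CI job step that reads a scanner's report in SARIF 2.1 (the format CodeQL, Semgrep and many other SAST tools emit) and fails the build on any error-level finding, so security is enforced when code is committed rather than signed off later. The sample report and the tool name `example-sast` are constructed for illustration.

```python
"""CI security gate: fail the job when a scanner's SARIF report contains
findings at or above a chosen severity (added example, not the post's code;
assumes SARIF 2.1 output as produced by CodeQL, Semgrep and similar tools)."""
import json
from collections import Counter

# Ordering of SARIF "level" values; unknown levels are treated as lowest.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed SARIF report for illustration: one blocking and one minor finding.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "User input reaches SQL query"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"},
             "region": {"startLine": 42}}}]},
        {"ruleId": "unused-import", "level": "note",
         "message": {"text": "Unused import"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/util.py"},
             "region": {"startLine": 3}}}]}]}]})

def findings(sarif_text):
    """Yield (rule_id, level, file, line) for every result in every run."""
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (r.get("ruleId", "?"),
                   r.get("level", "warning"),  # SARIF's default level
                   loc.get("artifactLocation", {}).get("uri", "?"),
                   loc.get("region", {}).get("startLine", 0))

def gate(sarif_text, fail_at="error"):
    """Return (passed, counts_by_level, blocking). Any finding at or above
    fail_at blocks the build; there is no sign-off path around the gate."""
    threshold = LEVEL_RANK[fail_at]
    counts, blocking = Counter(), []
    for rule_id, level, path, line in findings(sarif_text):
        counts[level] += 1
        if LEVEL_RANK.get(level, 0) >= threshold:
            blocking.append(f"{path}:{line} {rule_id} [{level}]")
    return not blocking, dict(counts), blocking

if __name__ == "__main__":
    ok, counts, blocking = gate(SAMPLE_SARIF)
    print(counts, *blocking, sep="\n")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the CI job
```

Lowering `fail_at` to `"warning"` or `"note"` tightens the gate; the exit status is what makes the pipeline stop.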

One security champion in the team with a security mindset is not sufficient. Whether you are a product developer, technical architect or scrum specialist, what matters is not just the quality of the code but the overall security of the application and the data that runs through it. While development teams can fix some security-related bugs on their own, the larger question of application security can be answered only when most, if not all, security aspects are covered and adequate tools are used to monitor and control the situation. The team can also turn to the larger IT security department, which looks after governance, security policy compliance and risk management, for guidance.

Building software security in from the start of developing and deploying applications is better for the company, for its products and services and for its reputation. The business and IT objectives of increased sales, reduced costs, better software with fewer failures, improved performance and perfect deployment can be met when the DevSecOps approach is embraced, without compromising on security and compliance. Emerging technologies and tools are only making this easier. If the DevOps approach is beneficial for organizations, then DevSecOps empowers them further by maintaining stability, security and quality while delivering on these business objectives. Contact us today.