DevSecOps: The Gateway Guide To Integral Security


The software industry has long needed a more effective way to develop secure products. Cyber-attacks have always targeted weaknesses in software, and the rapid digitalization of every aspect of life means that everything from our power supplies to our retail habits is under threat from insecure software.

DevSecOps is transforming the way businesses develop secure products. By ensuring security is part of every step of the development process, the impact of security on costs and timelines is both reduced and made more transparent, whilst overall product security is improved.

WHAT IS DEVSECOPS?

A combination of development, security, and operations, DevSecOps is a practice that implements security through every step of the software development process.

DevSecOps is an expansion of the practice of DevOps. Whilst security is frequently considered and implemented through DevOps, DevSecOps ensures tangible security decisions throughout the software development life cycle (SDLC). The shift to DevSecOps, from DevOps, entails all the benefits of DevOps – speed, performability and increased flexibility – whilst implementing security in a way that doesn't compromise efficiency.

DevSecOps is a more agile way of approaching security, encouraging more secure outcomes. It's a more streamlined approach as opposed to adding on defence measures after the software program has been built, often at great cost and with significant impact to timelines.

THE 5 PILLARS OF DEVSECOPS

CULTURE – Neither DevSecOps nor DevOps is about simply 'add-on' tools or isolated software. DevSecOps is about behaviours and repeated practices, making it an IT culture.

AUTOMATION – The backbone of DevSecOps and DevOps is about speeding up deployment. Automation in DevSecOps reinforces faster deployment, utilising technology through each stage of the SDLC to enhance efficiency.

LEAN – Lean IT is also considered an organisational culture in IT. It essentially boils down to waste management: eliminating components and processes that do not add value.

MEASUREMENT – Software delivery throughput can be measured through metrics with DevSecOps/DevOps. These metrics are valuable to understanding how teams can improve their software delivery.

SHARE – Development teams and operational teams have long been divided in their responsibilities and duties. The DevSecOps culture bridges this divide, requiring teams to work together and share responsibilities for operational success.

These 5 pillars make up the CALMS framework. This is something we will talk about in a bit more detail further along in the guide.

WHAT IS THE DIFFERENCE BETWEEN DEVOPS AND DEVSECOPS?

Essentially, DevSecOps is an evolution of DevOps. Both focus on integration and automation throughout the development process, including incorporating various inputs such as risk management and line of business. The DevSecOps philosophy, however, was born with the goal of deploying security as an unavoidable practice, creating secure infrastructure as code.

SECURITY THROUGH DEVELOPMENT – Security is never completed, per se. It is something that needs to be developed, repeatedly, and it must be developed within development. With DevOps, it's more common that security will be a looming obstacle at the end of a development cycle, but with DevSecOps, security is deeply rooted in every process.

CONSISTENT REPORTING – DevSecOps helps to ensure consistent reporting and logging across the board. Unlike DevOps, DevSecOps embeds threat modelling as part of delivery. This way there is consistency in resolving vulnerabilities and in reporting, which enhances overall performance.

REGULATION OF DIFFERENCES – From team to team, each tends to 'do' DevOps differently. So, how can security be effectively practiced or regulated? Without the right framework at the start of a DevOps cycle, you get into a quagmire of change where nobody can truly achieve change because each team is doing it differently.

SCALABILITY AND FLEXIBILITY – Some may not be able to identify differences between DevOps and DevSecOps. Whilst DevOps is scalable and flexible, DevSecOps is more so. The consistency in standards mentioned through the two previous points offers an increased amount of flexibility. There is an issue of scalability with DevOps. Teams will often be passionate about the culture, adopting it entirely and then realising it doesn't quite scale the way they hoped. DevSecOps enables more scalability.

UNDERSTANDING COMMON DEVOPS TERMS AND THEIR RELEVANCE IN A DEVSECOPS CONTEXT

DevOps and DevSecOps are more than just a methodology, they are a culture. To truly be able to immerse yourself and your business in the world of DevOps, you must be able to comprehensively understand it. Below are some key terms used in DevOps and how they relate to DevSecOps.

AUTOMATION – Whilst automation isn't exclusively a DevOps term, it does go hand in hand with the practices of DevOps. Through the DevOps lifecycle, there is a wide variety of processes that take place. Automation, conducted by technology, enables these processes to be streamlined, fast and free from human error. In the context of DevSecOps, incorporating security principles through automation allows for shorter feedback loops through the SDLC, which enables engineers to identify and resolve security issues at a rapid rate. Automation as a part of DevSecOps empowers teams, accelerating security and creating a seamless operation for businesses.

INFRASTRUCTURE AS CODE – This is a concept which, when applied to DevOps, manages infrastructure code in the same way that code for any other kind of application would be managed. As opposed to manually adjusting code, infrastructure as code (IaC) can be maintained through development. This is key in both DevOps and DevSecOps and is used for version control, continuous monitoring and continuous delivery.

CI/CD – Continuous integration (CI) is a practice where developers frequently integrate their code changes into a central repository. These code changes will then go through an automated build and test run. Continuous delivery (CD), sometimes referred to as continuous deployment, is an expansion of CI, where code changes are deployed to a testing environment following the building stage. CD integrates all changes, such as bug fixes and experiments, into production. Using CI and CD makes for good practice for developers and security teams. These are processed through short cycles, allowing for faster and more frequent software delivery.

PIPELINE – Often referred to in the context of a continuous delivery pipeline, a pipeline is a set of processes your code changes will undertake on their way to production. Automated tests, builds and deployments are coordinated as one workflow. Pipelines in reference to DevSecOps simply mean integrating security as an ongoing process through your DevOps pipeline.

THE BENEFITS OF A DEVSECOPS APPROACH

The overriding benefit of DevSecOps, in a sentence, is proactive, end-to-end security, integrated through each phase of the software development cycle. This practice has been introduced to accommodate the ever-changing nature of the IT landscape and can hugely benefit all kinds of organisations involved in developing and deploying software applications.

Placing security earlier in the development process is one thing, but this is about embodying a culture of secure-first code, continually using metrics to spot trends, sharing all findings across the organisation, automating everything and driving lean methodologies to create highly efficient delivery teams.

COST-EFFECTIVE – An EMA report conducted in 2017 found that DevSecOps initiatives had better ROI (return on investment) over traditional security infrastructures. The report also found that SecOps best practice reduced operational costs. DevSecOps can help reduce costs by integrating security into code from the very beginning. It is often costly to repeat a process in an attempt to fix a security issue that teams come across. With the delivery of DevSecOps, organisations can avoid security issues that happen further down the line, which can result in time-consuming rebuilds and the late release of products.

THREAT MODELLING – Threat modelling is a key component in DevSecOps. In most DevOps practices, threat modelling tends to get neglected by developers. Maintaining the DevOps ethos of keeping code short through each step of the SDLC allows for a consistent assessment of vulnerabilities in an application in DevSecOps.

SPEED – DevSecOps manages to embed security through code, without compromising on deployment time. Code is shorter in DevSecOps, which creates digestible chunks of code that can be managed and changed, quickly and easily.

AGILITY – DevSecOps maintains, if not increases, agility for businesses across operations. Release cycles are shortened, enhancing cybersecurity and overall delivery. Continuous delivery, integration, logs, monitoring and scalability are treated through the agility that DevSecOps offers. The ethos of embedding security throughout the entire SDLC, preventing other time-consuming issues at the end of the process, also enables a degree of agility for teams.

SECURITY AND DEVELOPMENT TEAMS COLLABORATE MORE EFFECTIVELY – DevSecOps encourages development and security teams within an organisation to work together, combining skills and knowledge to solve problems. The SDLC is a process that, whilst predominantly in the hands of developers, is enhanced and optimised through other practices such as implementing security. This security practice requires teams to collaborate to ensure alignment across the application lifecycle. As teams tend to work together in DevSecOps, as opposed to working in silos, operations function more smoothly, with the chance for teams to effectively communicate and share ideas.

IMPROVED SECURITY – DevSecOps encourages security considerations and prompts teams to understand crucial principles and their organisation's security posture. Throughout the entire SDLC, code is audited, reviewed and scanned to test for security issues. Like anything we 'practice', this is done repeatedly to enforce optimal conduct. If security issues are detected, they are dealt with before other dependencies are introduced. DevSecOps solutions frequently remind teams of their security responsibilities. Through collaboration, making it everyone's responsibility, security implementations are made stronger.

MORE EFFICIENT DEVELOPMENT AND DELIVERY – DevSecOps irons out the development process, setting a steady foundation for code through every stage. As a result, the application is stronger and more reliable than one that hasn't been built through DevSecOps. By identifying security issues early in the process, these can be effectively solved, and development can adapt and evolve accordingly. DevSecOps helps with noticing certain repetitive security issues. These can then be addressed with the right training or tools, which isn't just good practice but, through the learning process, can provide valuable knowledge to relevant teams.

COMMON DEVSECOPS SECURITY TERMS: A BRIEF EXPLANATION

Below are some security terms that are used in the DevSecOps culture. Looking through these terms will help to deepen understanding of DevSecOps and the various processes involved in the practice.

SHIFT LEFT – Shift left encompasses the entire DevSecOps ethos. It encourages software engineers to shift security from the right of the SDLC to the left – the beginning of the delivery process. Security is typically done through the 'right-hand side', which is when it's implemented at the end. This right-hand approach can result in significant work at the end of the development process.

SAST – An acronym for Static Application Security Testing, SAST is where static and precompiled code undergoes a scanning process to discover potential vulnerabilities.

DAST – Dynamic Application Security Testing is similar to a penetration testing tool. Through simulating an attack on a system, DAST tools can find vulnerabilities in a running application.

SBOM – A Software Bill of Materials informs teams about what open-source software components are being used and identifies the architectural or license risks and security vulnerabilities in those components.

SECRET SCANNING – Secret scanning tools scan repositories for known types of digital credentials to prevent deceptive use of accidentally committed secrets.

CALMS – As discussed earlier, Culture, Automation, Lean, Measure and Sharing make up CALMS. CALMS is a model that assesses an organisation's DevSecOps structure. Because DevOps cultures are evolving, maintaining regular evaluations through models like CALMS helps to ensure teams and systems are maturing with the practice.

FUZZING – This is an automated software testing technique which, in its essence, sends intentionally invalid data to a product with the aim of activating an error condition. These triggered error conditions can then signify system vulnerabilities.

IMPLEMENTING DEVSECOPS WITH RIVERSAFE

DevSecOps is the most efficient way for organisations to build and deploy secure applications. RiverSafe can help organisations and security teams migrate to a DevSecOps approach, ensuring a successful shift left transition. RiverSafe is the industry expert you need to help your team understand how to integrate DevSecOps into your infrastructure and operations. Contact us today to find out more about implementing DevSecOps with RiverSafe.

FURTHER READING

Want to know more about this topic? Below are some useful books to read.

- The Phoenix Project by Gene Kim
- Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations by Gene Kim, Jez Humble, and Nicole Forsgren
- Spirit of Kaizen: Creating Lasting Excellence One Small Step at a Time by Robert Maurer
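The PIPELINE term earlier in the guide and the SECRET SCANNING term above both describe security running as an automated stage of the delivery pipeline. As an added example (not code from the guide or from RiverSafe), here is a small Python secret-scanning gate run over a constructed staged diff; the rule patterns, file paths and the allowlist-by-fingerprint mechanism are assumptions for illustration.

```python
import hashlib
import re

# Detection rules, one known credential shape each (illustrative; real scanners ship hundreds).
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r"(?i)(?:password|passwd|secret)\s*[=:]\s*[\"']([^\"']{6,})[\"']"),
}

def fingerprint(secret: str) -> str:
    """Stable id for a matched value so a triaged false positive can be
    allowlisted without the secret itself ever being stored."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def mask(secret: str) -> str:
    # Never echo the full value into build logs.
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"

def scan_lines(entries, allowlist=frozenset()):
    """entries: iterable of (path, line_no, text) from the staged diff.
    Returns one finding dict per matched credential not in the allowlist."""
    findings = []
    for path, line_no, text in entries:
        for rule, rx in RULES.items():
            for m in rx.finditer(text):
                secret = m.group(1) if m.groups() else m.group(0)
                fp = fingerprint(secret)
                if fp in allowlist:
                    continue
                findings.append({"path": path, "line": line_no, "rule": rule,
                                 "masked": mask(secret), "fingerprint": fp})
    return findings

def gate(entries, allowlist=frozenset()) -> bool:
    """Pipeline stage: True lets the change proceed, False blocks the build."""
    findings = scan_lines(entries, allowlist)
    for f in findings:
        print(f"BLOCK {f['path']}:{f['line']} [{f['rule']}] {f['masked']} id={f['fingerprint']}")
    return not findings

# Constructed staged-diff sample; the AWS value is the placeholder key used in AWS documentation.
SAMPLE_DIFF = [
    ("config/settings.py", 12, 'DB_PASSWORD = "hunter2"'),
    ("deploy/aws.env", 3, "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"),
    ("src/client.py", 40, "token = os.environ['GITHUB_TOKEN']"),
    ("src/client.py", 41, "# ghp_ is the prefix of a classic token, not a token"),
    ("README.md", 5, "-----BEGIN RSA PRIVATE KEY-----"),
]
```

Lines 3 and 4 of the sample are deliberately clean (a value read from the environment, and a bare prefix in a comment) to show that the rules are shape-specific rather than keyword-only.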
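To make the FUZZING definition above concrete, an added example (not the guide's own code): a constructed length-prefixed record parser with one unhandled error path, and a seeded mutation fuzzer that separates the parser's intended rejection of invalid data from unexpected exceptions, which are the error conditions a fuzzer reports.

```python
import random

SEED_INPUT = b"\x01\x03abc\x02\x01z"   # constructed valid input: (tag 1, "abc"), (tag 2, "z")

def parse_records(data: bytes):
    """Toy parser (constructed): records are one tag byte, one length byte, then
    `length` value bytes. Truncated values raise ValueError by design; a lone
    trailing tag byte hits an unhandled IndexError, the bug the fuzzer should find."""
    records, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated record")
        records.append((tag, value))
        i += 2 + length
    return records

def mutate(rng, data: bytes) -> bytes:
    """One random structural mutation: flip, truncate, insert or duplicate a chunk."""
    buf, op = bytearray(data), rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf)):]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        buf += buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)

def classify(parser, data: bytes) -> str:
    """'ok', 'rejected' (the parser's intended error) or 'crash' (anything else)."""
    try:
        parser(data)
    except ValueError:
        return "rejected"
    except Exception:
        return "crash"
    return "ok"

def fuzz(parser, seed_input: bytes, iterations=2000, seed=1):
    """Mutation fuzzer, deterministic for a given seed. Returns crashing inputs."""
    rng, corpus, crashes = random.Random(seed), [seed_input], []
    for _ in range(iterations):
        data = mutate(rng, rng.choice(corpus))
        verdict = classify(parser, data)
        if verdict == "crash":
            crashes.append(data)
        elif verdict == "ok" and len(corpus) < 200 and len(data) < 256:
            corpus.append(data)          # keep accepted inputs to mutate further
    return crashes
```

Each crashing input returned by fuzz() is a reproducer a developer can replay against the parser before fixing the bounds check.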
