What Is DevSecOps?
DevSecOps is a practice that combines the principles of DevOps and IT security to deliver a secure software product faster and with better quality.
Before getting into this, let's recall the key terms.
Recall DevOps.
DevOps is a practice that combines software development and IT operations to deliver new features, bug fixes and updates quickly and with better quality.
CI/CD, Continuous Integration and Continuous Deployment, is the practice where developers and the team's stakeholders frequently integrate their work and deliver it to the respective environments, so that the stability and quality of the integrated product are verified then and there.
Delivery Pipeline is a planned workflow that takes a story from the backlog through Develop, Build, Test and Deploy on the respective environments and finally to production.
Continuous Monitoring: to ensure the stability of the product, keep an eye on the product we build, the infrastructure we created to host it, and its operational activity.
DevSecOps in Software Life Cycle
Let's talk about DevSecOps.
DevSecOps enforces the security standard while building and deploying, and even after the release. DevSecOps spans the full software lifecycle. Just like DevOps, DevSecOps flows through the entire development, build and release process and through operational activities such as configuration, monitoring and support. In addition, DevSecOps ensures security across the DevOps ecosystem.
So DevSecOps adds security practices and standard procedures to the DevOps practices. Before every deployment, the code and the package need to be tested and verified for compliance with the security policy and workflow created by the DevSecOps lead or the software architect.
The security policy and workflow are basically derived from coding guidelines and standards such as CERT, CWE, OWASP or PCI-DSS, or all of them together. Once code has been committed to version control and a request is raised to merge it into the master branch, the DevSecOps lead or software architect reviews the code for compliance with the security policy. For this, tools like Parasoft QUASAR, Tenable.sc, IBM's Rational Integration Tester and CA LISA can help by showing the security policy compliance dashboard visually.
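The pre-merge compliance check described above can be automated as a pipeline gate. The following is an added example written for this page, not the post's own tooling and not the product of any vendor named here: it parses a constructed scanner report, compares each finding with a policy whose hard-blocking CWE list and severity thresholds are assumptions, and returns a CI exit code so the merge is blocked whenever the policy is violated.

```python
"""Added example: a pre-merge security policy gate of the kind the post describes.
Illustrative code only; the report format, the CWE list chosen for the policy
and the thresholds are assumptions."""
import json
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Policy derived from the guideline sources the post names (CWE / OWASP).
# The CWE ids are real identifiers; treating these three as hard blockers is an assumption.
POLICY = {
    "blocking_cwes": {"CWE-79", "CWE-89", "CWE-798"},   # XSS, SQL injection, hard-coded credentials
    "blocking_severities": {"critical", "high"},
    "max_medium_findings": 3,
    "max_low_findings": 10,
}

# Constructed sample scanner output (JSON) for one merge request.
SAMPLE_REPORT = json.dumps({"findings": [
    {"file": "app/db.py", "line": 42, "cwe": "CWE-89", "severity": "high",
     "title": "SQL query built with string formatting"},
    {"file": "app/views.py", "line": 17, "cwe": "CWE-79", "severity": "medium",
     "title": "Unescaped user input rendered in template"},
    {"file": "app/token.py", "line": 5, "cwe": "CWE-330", "severity": "medium",
     "title": "Token generated with a non-cryptographic RNG"},
    {"file": "app/session.py", "line": 88, "cwe": "CWE-1004", "severity": "low",
     "title": "Session cookie without HttpOnly flag"},
]})


@dataclass
class GateResult:
    passed: bool
    violations: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)


def load_report(report_json):
    """Parse the scanner report; unknown or missing severities are treated as 'info'."""
    findings = json.loads(report_json)["findings"]
    for f in findings:
        f["severity"] = str(f.get("severity", "info")).lower()
        if f["severity"] not in SEVERITY_RANK:
            f["severity"] = "info"
    return findings


def evaluate_policy(findings, policy=POLICY):
    """Compare findings with the policy; any violation fails the gate."""
    violations = []
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        sev = f.get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
        where = f"{f['file']}:{f['line']}"
        if f.get("cwe") in policy["blocking_cwes"]:
            violations.append(f"{where} {f['cwe']} is on the blocking list: {f['title']}")
        elif sev in policy["blocking_severities"]:
            violations.append(f"{where} severity '{sev}' is blocking: {f['title']}")
    if counts["medium"] > policy["max_medium_findings"]:
        violations.append(f"{counts['medium']} medium findings exceed the limit of "
                          f"{policy['max_medium_findings']}")
    if counts["low"] > policy["max_low_findings"]:
        violations.append(f"{counts['low']} low findings exceed the limit of "
                          f"{policy['max_low_findings']}")
    return GateResult(passed=not violations, violations=violations, counts=counts)


def gate_exit_code(report_json, policy=POLICY):
    """CI entry point: 0 lets the merge proceed, 1 blocks it and prints the reasons."""
    result = evaluate_policy(load_report(report_json), policy)
    print("compliance summary:", result.counts)
    for v in result.violations:
        print("BLOCK:", v)
    return 0 if result.passed else 1


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(SAMPLE_REPORT))
```

Run as a merge-request job, the non-zero exit code is what stops the merge; the printed summary is the raw material for the compliance dashboard the post mentions. Keeping the policy as data (the `POLICY` dictionary) rather than in code lets the DevSecOps lead tighten thresholds without touching the gate itself.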
Security Consideration Area in DevOps Ecosystem
Security in DevOps is not defined only in the development phase. We have to implement and follow other security policies in operations and the business too, to ensure a secure product release. The following are the areas to consider for security governance.
- Business-level Security – defines who can access which part of the application, and who can access which module or API. This ensures all business-level governance or business justifications are met.
- Internal Security – concerns the threats and risks within the infrastructure (not about production): in which internal process phase, and for which internal application or tool, security has to be designed in.
- Operational Security – concerns patching and security upgrades in the operational environment. Say an organization has cloud infrastructure and all its operations are maintained by the cloud service provider. It is then mandatory to review or recheck whether the infrastructure is securely configured and compliant with the policy.
- Development Policy – ensures not only the coding standards but also that the team's access management and communication media comply with the security standards.
In general, the following steps are the first footprints before creating the threat model and the security architecture.
- Implement the Security Strategy – the basic strategy that satisfies standards like the OWASP Top 10.
- Security Testing – security testing should verify and report the status of the security strategy.
- Continuously Monitor – after the release, the application together with its entire infrastructure should be monitored to detect attacks as defined and prevent disaster.
- Preventive Analysis – analyse the entire application wherever there is an anomaly, predict the possible attacks and raise a ticket to fix it. This may be a hotfix, new feature development or an operational service request, depending on the severity of the threat.
Security Pipeline
So let's talk about the Security Pipeline.
Just like the delivery pipeline, security has its own process workflow, from the story backlog to release and back to the backlog again. It also travels along with the DevOps pipeline.
Just like any other monitoring system, we need to create a mechanism that resides inside the system and identifies possible events. Then we need to analyse the status and metrics that are identified, and then notify the system to rework, fix or otherwise act on it.
So, just like DevOps, DevSecOps is a practice, and by doing it the right way we can mature the culture of software development in a secure ecosystem.
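The identify, analyse, notify loop described here, and the "Continuously Monitor" and "Preventive Analysis" steps listed earlier, can be made concrete with a small detection routine. The following is an added example for this page, not the post's own code: it runs over constructed authentication log lines, flags a source that exceeds a failed-login threshold inside a sliding time window, and turns the finding into a ticket routed by severity. The log format, the threshold and the severity-to-ticket-type mapping are assumptions.

```python
"""Added example: a minimal detect -> analyse -> notify loop for the security pipeline
described in the post. Not the post's code; log format, thresholds and routing are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style sshd line; only failed password attempts are of interest here.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges).
SAMPLE_LOG = """\
2024-01-10T10:00:01Z sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-01-10T10:00:03Z sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
2024-01-10T10:00:04Z sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
2024-01-10T10:00:06Z sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
2024-01-10T10:00:09Z sshd[1005]: Failed password for root from 203.0.113.5 port 51237 ssh2
2024-01-10T10:00:12Z sshd[1006]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
2024-01-10T10:05:00Z sshd[1007]: Failed password for alice from 198.51.100.9 port 40001 ssh2
"""

FAILURE_THRESHOLD = 5          # assumption: failures per source per window that count as an event
WINDOW = timedelta(seconds=60)

# Assumption: how alert severity maps to the ticket types the post lists.
ROUTING = {"high": "hotfix", "medium": "operational service request", "low": "backlog feature"}


def detect(log_text):
    """Step 1 (identify events): return (timestamp, user, source) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    return events


def analyse(events):
    """Step 2 (analyse metrics): sliding-window count per source, flag those over threshold."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    alerts = []
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1              # slide the window forward
            count = end - start + 1
            if count >= FAILURE_THRESHOLD:
                users = sorted({u for _, u in hits[start:end + 1]})
                alerts.append({
                    "source": src,
                    "failures": count,
                    "users": users,
                    "window_start": hits[start][0].isoformat(),
                    "severity": "high" if count >= 2 * FAILURE_THRESHOLD else "medium",
                })
                break                   # one alert per source is enough for a ticket
    return alerts


def notify(alerts):
    """Step 3 (notify): turn each alert into a ticket the team can work on."""
    return [{
        "title": f"Brute-force pattern from {a['source']}: {a['failures']} failed logins",
        "severity": a["severity"],
        "route": ROUTING[a["severity"]],
        "evidence": a,
    } for a in alerts]


def run_pipeline(log_text):
    """Full loop: identify events, analyse them, notify with tickets."""
    return notify(analyse(detect(log_text)))


if __name__ == "__main__":
    for ticket in run_pipeline(SAMPLE_LOG):
        print(ticket["route"].upper(), "-", ticket["title"], "-", ticket["evidence"]["users"])
```

In a real deployment `notify` would file the ticket in the team's tracker instead of returning it; keeping the three steps as separate functions is what makes each of them testable on its own, which is the same reason the post separates identifying, analysing and notifying.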
Keep following Digital Varys for more whispers on the technologies and tools that empower the DevSecOps ecosystem.
Experienced DevSecOps practitioner and tech blogger, with expertise in designing solutions in public and private cloud. Open-source community contributor.
Thanks for sharing such great information. It is really helpful to me. I always search to read quality content and finally I found this in your post. Keep it up!