Following on from a previous article on DevOps, we have seen a lot of questions about DevSecOps. Specifically; how does one ensure systems, that are rapidly developed and deployed, are sufficiently secure?
With all this speed, is there more risk? The short answer: Not if you do it right.
That said, we are now in a time where speed and innovation are often the primary business priorities and this directly influences how software is developed. At the same time, these systems have access to more data than ever before, much of it of a sensitive nature. As a result, developers of such systems have a huge responsibility to ensure that they are secure but at the same time are under pressure to deliver faster and faster. This is where the problems often creep in.
So, how does DevSecOps help?
As you have probably guessed from the name, DevSecOps integrates security considerations and responsibilities into DevOps practices. With DevOps, the operational considerations of a software system are considered at all phases of the development value stream – from design, through to implementation, testing deployment and onwards. DevSecOps builds on that practice insisting that security is also considered at all stages, ensuring it is given the attention it deserves.
As with DevOps, a critical element of DevSecOps is the culture of the development team. Tools can help; but if your team does not treat security as a priority or does not understand the risks of the practices, technologies and architecture they are using, it will not be enough.
Your first priority on the journey towards DevSecOps proficiency should be to build the right culture: make security a priority, set clear expectations for system/information security and educate your development teams. Any existing security-specific roles should be included in this process, with the goal of integrating them into the development process going forward. If you need to recruit new security specialists in to your team, do that too!
Once the groundwork is set, you can look at how security considerations can be integrated into you existing DevOps practices:
- Include your security team members in your requirements sessions
- Include your security team members to you design meetings (software and infrastructure)
- Use regular Threat Modelling to identify the risks in your application(s).
Doing so will likely identify areas for improvement, in both your development practices and the application(s) themselves.
The most valuable changes to adopt will vary depending on the specific development team(s) and their application(s). Frequently, the largest gains will be achieved by changes to application design and infrastructure architecture: Adhering to the principle of least privilege, minimising blast radius, etc. This is why security should always be considered at the design stage; so it is not an expensive retro-fit process.
DevOps principles and automation can be used to support/enforce these practices. For example:
- Infrastructure As Code (IAC) templates that implement standardised security principles by design
- Container patching as part of continuous deployment
- Automated test suites ensure that architecture improvements don’t break features
These are only examples, some of which may not apply to your team. However, there are some DevSecOps practices can be applied to most projects:
- Incorporate Threat Modelling into your requirements/design process
- Perform Static Application Security Testing (SAST) as part of your CI process
- Perform Dynamic Security Application Testing (DAST) as part of your CI/CD process
- Check your dependencies as part of your CI process – particularly if you use open source software components
To summarise: DevSecOps is all about making security a priority across the entire development process as well as the applications themselves. Security is never 100% guaranteed; but by designing security into your systems and processes from the start, iteratively improving and testing at every stage; you are taking a significant step towards that goal.
I think we can all agree that security should be a priority, so incorporating DevSecOps practices into your business should be high on your to-do list too.