What is DevSecOps?

DevSecOps is about shifting security in the Software Development Lifecycle (SDLC) “to the left” (i.e., earlier). In practical terms, DevSecOps (short for Development, Security and Operations) enables development teams to incorporate strong security measures into the SDLC from the outset, making software development and security a collaborative approach. In other words, security is “baked in early,” not “tacked on later.”

This new approach to security differentiates DevSecOps from traditional SDLC practices. In the latter, security considerations entered late, and were the sole responsibility of specific teams in the final stages of development and testing. Sometimes teams even ignored or postponed security reviews and fixes to speed up time-to-market. This resulted in insecure code that made the final product vulnerable to data breaches and other cyberattacks. DevSecOps is a radical departure from this sub-optimal approach, since it integrates strong security practices from the very beginning – and at every stage – of the SDLC.

DevSecOps focuses on:

• Test-driven security (TDS): Write security tests representing desired behaviours, then implement the necessary controls
• Continuous monitoring and response: Implement strong processes for issue logging, intrusion detection, and incident response
• Risk assessment and security testing: Evaluate application security with vulnerability scanning and configuration auditing

What is the Goal of DevSecOps?

In the past, when development cycles were long – extending for months or even years – a “development first, security later” approach was acceptable. But now, when cycles are much shorter and organizations are looking to become more agile and flexible, the older approach just doesn’t work. DevSecOps is about incorporating security into the entire SDLC, enabling development teams to find and fix any issues early on before they move down the SDLC and cause bigger problems later.

DevSecOps Benefits

Faster, Cost-effective Application Delivery

As a collaborative approach, DevSecOps roles and responsibilities are intertwined and interdependent. Development, Operations and Security teams share responsibility for security from end to end. By shifting left, they can speed up security testing and raise the assurance level within the SDLC. They can also quickly fix any issues to accelerate delivery and avoid costly, time-consuming rework. 

Think about it this way: if you are building a house, you don’t wait until the walls are up, the roof is on, and everything is painted and furnished before you check to see if the floors are level. By then, fixing the issue can be costly and time-consuming. You do that early on, so that it is easier to fix if things are off. You do the same with corners, walls, rafters, etc. The DevSecOps approach was designed and developed to help prevent costly and time-consuming security issues later.

Proactive, End-to-end Security

Security teams share feedback and insights on known threats so developers can code with security in mind. The DevSecOps pipeline includes continuous – often automated – security checks, threat monitoring and vulnerability scanning. This mitigates risks that may otherwise impede the delivery schedule, and negatively impact the application and end-users. 

Accelerated Vulnerability Fixes

With the DevSecOps model, teams run security checks as part of the build. As a result, they can find common vulnerabilities and exposures (CVE) early, allowing them to fix them faster. If there is a security incident, DevSecOps helps speed up recovery, so there’s less disruption to delivery, deployment and time-to-value.

Security Automation Compatible with Development Goals

Security automation in DevSecOps enables teams to accelerate innovation with new technologies like containers and microservices. They can also integrate security-driven coding and testing into the SDLC with minimal disruptions to the delivery schedule. Automated test suites are also useful in a Continuous Integration/Continuous Delivery (CI/CD) pipeline.

Getting Started with DevSecOps

To transition to the DevSecOps model, organizations must change the way they view security, and how they achieve it. 

In a recent survey:

• 42% of respondents said testing happens too late in the SDLC
• 36% reported it was hard to understand and fix discovered vulnerabilities
• 31% found it hard to prioritize vulnerability remediation
• 29% of security team members said that everyone should be responsible for security

Making security an intrinsic part of the DevOps process is the most efficient answer to these challenges. This requires regular conversations about security, integrating policy-as-code within the DevOps workflows, streamlining workflows, and centralizing playbooks.

It’s also critical to incorporate several key processes into the DevSecOps model:

• Regular and iterative code analysis
• Streamlined change management
• Maintaining consistent and continuous compliance (e.g. with GDPR)
• Threat investigation and response
• Vulnerability assessment and patching
• Secure coding training