Businesses are increasingly embracing modern software-engineering practices pioneered by tech giants as digital technologies transform industry after industry. Thanks to Agile, DevOps, and other methodologies, organizations can now test, refine, and deliver new products and services more quickly and more frequently than ever before. However, the speed and frequency of releases can conflict with existing security and compliance procedures. How should businesses handle this conflict?
DevSecOps, a way of integrating security into agile and DevOps initiatives across the whole product life cycle, appears to be the answer. DevSecOps (literally, Development, Security, and Operations) delivers substantial benefits when properly applied.
Without jeopardizing their risk posture, companies can raise the frequency of software releases from quarterly to weekly, or even daily. They can reduce mean time to a fraction of what it is now. They can cut mean time to remediate vulnerabilities from weeks or months to hours, and reduce delays, cost overruns, product defects, and vulnerabilities. Last, but not least, getting security and compliance right from the outset is imperative: companies' growing dependence on digital technologies makes them more exposed to cyberattack, especially in the wake of the uncertainty and confusion wrought by the coronavirus pandemic.
In our experience, the companies that are most successful at extracting the full value from DevSecOps commit to managing technology differently. They have an integrated operating model made up of teams of people—including those from security and compliance—with the full range of necessary capabilities, make practical use of automation, develop secure modular services that are easy to use, and conceive of and build digital products that are secure by design.
What is DevSecOps?
Pioneered by digital-native companies, DevSecOps is based on the principle of integrating development, security, infrastructure, and operations at every stage in a product’s life cycle, from planning and design to ongoing use and support (exhibit). This enables engineers to tackle security and reliability issues more quickly and effectively, making organizations more agile and their digital products and services more secure and reliable. Security, reliability, and compliance considerations are built into every agile sprint rather than being handled separately or left until the end of the development process.
Adopting a DevSecOps approach has implications for each stage of the product life cycle:
From the inception of a new product, teams are aware of their security and reliability responsibilities and trained to handle them. For significant efforts, teams start by quickly modeling threats and risks and then identifying and prioritizing backlog items needed to make the product secure, reliable, and compliant. Where possible, teams take advantage of existing architectural designs that have been developed in collaboration with security and reliability experts, thereby ensuring that best practices are observed as well as speeding up planning and design.
To improve code quality, developers constantly develop and update their knowledge of secure and resilient coding practices. They take full advantage of reusable coding patterns, components, and microservices to quickly build the functionality and services needed to meet common security and resiliency requirements for encryption, authentication, availability, and observability.
Instead of having a specialist group scrutinize a product for security vulnerabilities and resiliency issues once it emerges from months of development, teams review code as often as every two weeks as part of regular agile sprints, using both automated and manual checks. After automated code-analysis tools such as SonarQube and Fortify have flagged vulnerability patterns and code-quality issues, senior developers conduct peer reviews to discuss the findings, triage false positives, and ensure the software meets the appropriate standards.
Engineers create automated security tests that run alongside the automated functional and performance tests. This not only makes testing consistent and efficient but also makes security requirements explicit, so that developers don't waste time puzzling over how to satisfy ill-defined policies laid down by separate groups. Common security tests, such as dynamic scans that probe a running build for the kinds of holes a penetration tester would look for, run automatically as part of every sprint and release cycle; manual penetration testing still has a place for finding what automation misses.
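The paragraph above says security requirements should be explicit, executable tests rather than policy prose. As an added example (not code from the original article), here is a small file-download handler paired with the security checks that would run in the same CI job as its functional tests: each check states one requirement in code. The handler, the `DOWNLOAD_ROOT` directory, the request shapes and the attack strings are all constructed for illustration.

```python
"""Security requirements expressed as automated tests (added example)."""
import posixpath
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote

# Hypothetical directory that downloads are allowed to read from.
DOWNLOAD_ROOT = "/srv/app/public"


@dataclass
class Request:
    path: str                       # user-supplied file name
    user: Optional[str] = None      # None means the request is unauthenticated


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Resolve user_path under root; return None if it would escape root."""
    decoded = unquote(user_path)                      # "%2F" -> "/", "%2e" -> "."
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The trailing "/" stops "/srv/app/public-old" passing as "under" root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def download(req: Request) -> Response:
    """Serve a file under DOWNLOAD_ROOT to an authenticated user."""
    if req.user is None:
        return Response(401, "authentication required")
    target = safe_join(DOWNLOAD_ROOT, req.path)
    if target is None:
        return Response(400, "invalid path")
    # A real service would stream the file here; the example echoes the
    # resolved path so it runs without touching the filesystem.
    return Response(200, target, headers={
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    })


# --- security requirements as executable checks --------------------------
# Each function is one requirement. They run beside the functional tests in
# every sprint; any False blocks the merge.

def check_unauthenticated_rejected() -> bool:
    """Requirement: downloads need an authenticated user."""
    return download(Request("reports/q1.pdf")).status == 401


def check_traversal_rejected() -> bool:
    """Requirement: no user path may resolve outside DOWNLOAD_ROOT."""
    attempts = [
        "../etc/passwd",
        "..%2F..%2Fetc/passwd",          # URL-encoded separators
        "reports/../../secrets.txt",    # traversal after a valid prefix
        "/../../etc/passwd",            # leading slash
        "../public-old/config.yml",     # sibling directory sharing the prefix
    ]
    return all(download(Request(p, user="alice")).status == 400 for p in attempts)


def check_valid_download_served() -> bool:
    """Requirement: legitimate paths still work (guards against over-blocking)."""
    resp = download(Request("reports/q1.pdf", user="alice"))
    return resp.status == 200 and resp.body == DOWNLOAD_ROOT + "/reports/q1.pdf"


def check_download_headers() -> bool:
    """Requirement: downloads are never content-sniffed or rendered inline."""
    h = download(Request("reports/q1.pdf", user="alice")).headers
    return h.get("X-Content-Type-Options") == "nosniff" and h.get("Content-Disposition") == "attachment"


def run_security_checks() -> Dict[str, bool]:
    """Run every requirement; the CI job fails if any value is False."""
    checks = [check_unauthenticated_rejected, check_traversal_rejected,
              check_valid_download_served, check_download_headers]
    return {c.__name__: c() for c in checks}


if __name__ == "__main__":
    for name, ok in run_security_checks().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The point of the `check_*` functions is that a policy such as "no path traversal" becomes a concrete list of inputs and an expected status code, so a developer knows exactly what must hold; the "valid download" check is there so the tests fail just as loudly if a fix blocks legitimate traffic.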
Code is delivered to production hosting environments, not through manual processes itemized in checklists, but via well-engineered automated processes that ensure the right software is built and that it is deployed securely and reliably. In addition, best-practice companies have secure production hosting environments that can be rapidly invoked through application programming interfaces (APIs), eliminating wait times and reducing risk.
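One way to make an automated pipeline "ensure the right software is built and deployed", as the paragraph above puts it, is a deployment gate that refuses anything the build stage did not produce. The following is an added example (not code from the original article): the build stage records the artifact digest in a signed manifest, and the deploy stage verifies the manifest before trusting anything in it. The signing key, artifact bytes and manifest layout are constructed for illustration, and the HMAC is a self-contained stand-in for an asymmetric signature whose private key the deploy stage cannot hold.

```python
"""Deployment gate: only the artifact the pipeline built reaches production (added example)."""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Hypothetical secret held by the build stage; a real pipeline would use an
# asymmetric key so the deploy stage can verify but not sign.
BUILD_SIGNING_KEY = b"hypothetical-build-stage-key"


def _canonical(body: Dict) -> bytes:
    """Stable byte form of the manifest body so the MAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build(artifact: bytes, commit: str, version: str) -> Dict:
    """Build stage: hash the artifact and sign a manifest describing it."""
    body = {
        "version": version,
        "commit": commit,
        "sha256": hashlib.sha256(artifact).hexdigest(),
    }
    mac = hmac.new(BUILD_SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def manifest_is_authentic(manifest: Dict) -> bool:
    """Recompute the MAC over the body and compare in constant time."""
    expected = hmac.new(BUILD_SIGNING_KEY, _canonical(manifest["body"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def deploy_gate(artifact: bytes, manifest: Dict, expected_version: str) -> Optional[str]:
    """Return None if deployment may proceed, otherwise the reason it was refused.

    Order matters: authenticate the manifest before reading anything from it.
    """
    if not manifest_is_authentic(manifest):
        return "manifest signature invalid"
    body = manifest["body"]
    if body["version"] != expected_version:
        return f"manifest is for {body['version']}, not {expected_version}"
    if hashlib.sha256(artifact).hexdigest() != body["sha256"]:
        return "artifact digest does not match manifest"
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenarios: genuine build, tampered artifact, forged manifest."""
    artifact = b"\x7fELF...constructed release binary v1.4.2"
    manifest = build(artifact, commit="a1b2c3d", version="1.4.2")

    # Someone alters the binary after the build and also edits the digest in
    # the manifest, but cannot recompute the MAC without the build key.
    tampered = artifact + b"\n# payload inserted after the build"
    forged = {
        "body": dict(manifest["body"], sha256=hashlib.sha256(tampered).hexdigest()),
        "mac": manifest["mac"],
    }

    return {
        "genuine": deploy_gate(artifact, manifest, "1.4.2"),
        "tampered_artifact": deploy_gate(tampered, manifest, "1.4.2"),
        "forged_manifest": deploy_gate(tampered, forged, "1.4.2"),
        "wrong_version": deploy_gate(artifact, manifest, "1.4.3"),
    }


if __name__ == "__main__":
    for scenario, reason in demo().items():
        print(f"{scenario}: {'deploy' if reason is None else 'refused: ' + reason}")
```

Only the genuine scenario passes; the other three are refused with a specific reason that the pipeline can surface in its log, which is the kind of evidence a compliance reviewer wants to see in place of a signed-off checklist.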
Once software is in production, automated processes—including real-time monitoring, host- and network-intrusion detection, and compliance validation and evidence attestation—are used to increase efficiency and detect vulnerabilities. If defects or vulnerabilities are discovered, resolutions are identified, prioritized, and tracked to make sure product reliability and security are constantly improved.
Organization and talent: Integrated cross-functional teams
When organizations struggle with the tensions between being agile and maintaining security, reliability, and compliance, it’s often because the skills and accountabilities for developing, operating, and securing products and validating compliance are split between different groups. The answer is to break down these silos by setting up integrated agile teams charged with solving all the requirements of the products in their scope, regardless of any functional, security, reliability, or compliance issues they may pose. These teams should be staffed not with specialists but with well-rounded “full-stack” engineers who can work across disciplines and pick up new skills quickly. Every team member must be responsible for the security and reliability of the code they create, whether it’s for customer-facing products or internal shared services.