What is DevSecOps?
DevSecOps is a term that underlines the significance of prudent information security practices in the quest for continuous delivery.
According to Gartner, “DevSecOps is the integration of security and compliance testing into emerging agile IT and DevOps development pipelines as seamlessly and transparently as possible, ideally without reducing the agility or speed of developers or requiring them to leave their development environment. Gartner Hype Cycle for Application Security, 2020 report has identified DevSecOps as the only application security product category with a benefit rating of “transformational,” a rating that is defined as enabling “new ways of doing business across industries that will result in major shifts in industry dynamics.
Security is an interloper in most organizations or in other words security is in a silo, like how the operations team was at the start of the DevOps movement. One of the reasons security worked itself into being in a silo is that the current way of functioning of the security team was born out of the waterfall methodology for software development wherein the security team will have a chance to review the project only just before it goes to production. All too often, security testing, goes out of the window to keep the release and ‘time to market’ schedules of the product or application.
This not-so-virtuous cycle of disregarding security challenges and then pushing them to later development cycles months or even years later causes a palpable tension. Security finds themselves in a situation where they must block releases and argue to have bugs fixed.
Another essential aspect to the current role of security is compliance, and in many organizations, security engineers have been tasked with the passing of the compliance standard for the organization that takes away from the day-to-day responsibilities of security engineering work. This moves security away from providing actual security of the products and services the company provides, which is where the value is created.
Why is DevSecOps important?
It is no secret that an organization’s security posture improves dramatically when security is completely integrated into the value stream. DevOps when it was started, did not explicitly include security as a major concern and it was meant for development and operations. But DevSecOps has emerged as a popular label that avoids any risk of security being an afterthought. The security community has been influential in progressing DevOps thinking beyond its development and operations roots. The Open Web Application Security Project’s (OWASP) top 10 list of software vulnerabilities has become a go-to tool for fostering collaboration between development, operations, and security teams.
DevSecOps helps in continuously improving security and adding value by positively impacting quality. DevSecOps also helps the organization to increase the deployment success rate, reduce mean time to resolve incidents, and reduce the number of open security defects that would greatly help in improving the time to market because of the increased production deployment frequency and greater speed of deployment. Enhanced compliance feedback, reduction in open compliance findings are some other advantages.
By integrating development, security, and operations, DevSecOps fosters a culture of openness and transparency from the earliest stages of development. DevSecOps fulfils the ‘secure by design’ principle by using automated security review of code and automated application security testing. Given the dependence of applications to keep operations running; security in the development process cannot be an afterthought. Application security must always speed up to keep pace with operations.
What are the challenges in DevSecOps?
When DevOps started, it was believed that the operations was going to go away as a discipline as developers took all the responsibility away from the operations team which at present is farther from the truth.
Custom code should be scanned for security vulnerabilities in development. However, long-established static application security testing (SAST) and dynamic application security testing (DAST) are too heavyweight, complicated, and need to be run by a security professional. This approach will not work and will not scale for DevSecOps especially when the security professional support is required to run them. If SAST and DAST solutions are used, we would require vendors to support differential scans that test only the modified code and downstream-impacted modules.
It is important to acknowledge and accept that having zero vulnerabilities is not possible. It is also imperative to lessen false positives (albeit with a risk of higher false negatives) and trim the output of AST tools and services to focus developers first on the highest severity, highest confidence vulnerabilities.
DevSecOps call for a different engineering career pathway that encourages people to increasingly grow and combine software development, operations, and security skills. The magnitude of the mindset and cultural changes and reskilling challenges are substantial for the DevSecOps resources. Also, the maturity of the teams could be diverse in terms of specific capabilities and this should be addressed by designing a tailored transformation journey for each of the teams, based on a maturity assessment across these capabilities, such as continuous integration and delivery (CI/CD), automation, and security.
How do you start with DevSecOps?
Leading security vendors are progressing their solutions to become more programmable, laying the groundwork for higher levels of automation and orchestration from security testing into deployment. DevOps often combined with the container/Kubernetes adoption and programmatic cloud infrastructure is being driven by developers in the name of speed and responsiveness. Security must be a part of this shift, but in a way that respects the collaborative nature of DevOps.
The objective of DevSecOps should be to come up with a set of automated tests that probe and check security configurations and runtime system behavior for security features that will execute every time the system is built and every time it is deployed. It should securely assimilate the security tools and processes throughout the DevOps pipeline and automate core security tasks by embedding security controls early in the software development lifecycle.
For instance, Arachni which is an open-source web scanner with a command-line component is an excellent web application scanner. It covers cross-site scripting, SQL injection, XML external entity, and many more. Components of Arachni can be included in the security pipeline to automate the security testing along with the CI/CD pipeline. Another example is Retire.js which can be added to the CI system to provide alerts on the usage of vulnerable versions of JQuery or any other JavaScript library that might have bundled into the product.
Conclusion
Organizations must be clear about the objectives that they would want to achieve through DevSecOps. The question, whether you are optimizing for cost, speed, or productivity should be clearly answered before you embark on the DevSecOps. Closely involve the business and make sure there is a good understanding of the benefits as well as the needed investments, which often come in the form of team capacity and competence with the changes in the delivery model.
The security team needs to embrace the role of an enabler to embed security in DevOps. Instead of being the department or a team that blocks the release, be the department that helps everyone go faster and assert security and quality at the same time. One of the things that would always work is to bring the security team together and ask, how can we help the overall software development pipeline go faster and be safer?
When starting out automating security testing, it is highly recommended that people start slow and small, it’s important to realize that security testing is a process. Like any cultural change, there needs to be an environment of shared understanding, created between those involved. Knowing that security is not trying to be a blocker, but is instead trying to be an enabler, goes towards that goal.
