July 30, 2024

What is DevSecOps?

Learn about DevSecOps and how you can approach the seamless integration of security throughout the software development lifecycle to deliver more secure applications.

Introduction to DevSecOps

DevSecOps (short for development, security, and operations) is an approach to secure software development that integrates security practices throughout the entire software development lifecycle. It emphasizes collaboration and communication between development teams, security teams, and operations teams to ensure that security is built into every stage of the software development process.

Within the context of software development pipelines, DevSecOps aims to “shift security left”, which means addressing security as early as possible in the development process. It involves integrating security practices and tools into the development pipeline from the very beginning. By doing so, security becomes an integral part of the software development process rather than a late-stage add-on.

This approach makes it significantly easier for organizations to identify and resolve security vulnerabilities early on, and meet regulatory obligations. It's also important to note that DevSecOps is built upon a culture of collaboration and shared responsibility. It breaks down silos and encourages cross-functional teams to work together towards a common goal of building more secure applications at high velocity.

Why Is DevSecOps Critical?

There are many attack vectors used to access an organization’s data and digital assets, but a common tactic is to exploit vulnerabilities in software applications. These types of breaches are costly, time consuming, and depending on the severity, damaging to an organization's reputation and brand. The DevSecOps approach to building and deploying modern applications reduces the risk of deploying vulnerable or misconfigured software that attackers can exploit.

Core Principles of DevSecOps

Make security a shared responsibility

The importance of culture for successful DevSecOps shouldn’t be underestimated, and it starts with accepting security as a priority for all stakeholders. Every single member of an organization has an impact on its overall security posture, not just those with ‘security’ in their titles. At its core, DevSecOps is a culture of shared responsibility. Operating with a common security-oriented mindset determines how well DevSecOps processes fit into place, and it can drive better decision making when choosing DevOps platforms, tooling, and individual security solutions.

Mindsets don’t change overnight, but alignment and a sense of security accountability can be achieved through the following:

  • Commitment to regular internal security training tailored to DevSecOps that includes developers, DevOps engineers, and security engineers. Skills gaps and needs shouldn’t be underestimated.
  • Developer adoption of secure coding methodologies and resources.
  • Security engineering contributing to application and environment architecture and design reviews. It’s always easier to identify and fix security issues early in the software development lifecycle.

Break down functional silos and collaborate continuously

Since DevSecOps is a result of the confluence of software development, IT operations, and security, breaking down silos and actively collaborating on a continuous basis is critical for success. Typically, DevOps-centric organizations operating without any formal DevSecOps framework see security entering the picture like an unwelcome party crasher. Process changes or tooling that is suddenly imposed (as opposed to collaboratively chosen and instantiated) invariably results in development pipeline friction and unnecessary toil for developers. A common scenario involves security mandating additional application security checks without consideration for their placement within the pipeline, or for how much workload is required to process scanner output and remediate vulnerabilities, which inevitably falls to developers.

Driving collaboration and operating as a cohesive DevSecOps team involves:

  • Defining and agreeing upon a set of measurable security objectives
  • Involvement from software developers and DevOps teams throughout the evaluation and procurement processes for new security tools
  • Ensuring no DevSecOps process has a single functional gatekeeper
  • Iteratively optimizing tooling choices and security practices for developer productivity and velocity

Shift security information left, not security workload

Broach the subject of DevSecOps and it’s impossible not to mention ‘shift-left’. The shift-left security mantra is so prevalent in current DevSecOps-oriented articles, blogs, and marketing collateral, it’s easy to think that by simply moving security checks further upstream in the software development lifecycle you’ve achieved a working DevSecOps program. The reality is that WHAT you shift left is what makes or breaks your DevSecOps success.

Shift left security is predicated on the proven idea that performing application security tests earlier in software development pipelines (as opposed to just prior to production) results in a better overall chance of catching known code and artifact vulnerabilities and remediating them in a timely manner. However, if developers alone bear the entire burden of running tests, collecting scanner output, and prioritizing vulnerabilities on top of remediating them, the resulting mental load and toil is certain to impact productivity.

DevSecOps Tools and Practices

The DevSecOps toolkit is primarily made up of CI and CD pipelines, application security scanners, and policy-as-code governance enforcement. AI and intelligent automation are key factors in making DevSecOps work successfully.

DevSecOps: Application Security Testing

Software Composition Analysis (SCA)

SCA is a security technology that protects applications against risks that originate from open source software (OSS). SCA solutions identify and manage vulnerabilities within open source libraries and components in order to meet security and compliance requirements.

SAST (Static Application Security Testing)

SAST is critical for uncovering and eliminating vulnerabilities in proprietary software early in the SDLC, before an application is deployed.

Secret Scanning

Secret scanning is the practice of automatically scanning text and files for secrets, such as passwords or API keys.
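As an added illustration (not code from the original article or from Harness), the following Python sketch shows the two techniques a secret scanner combines: signature patterns for known key formats and a Shannon-entropy check for random-looking tokens, run over a constructed sample file. The patterns, threshold and sample values are assumptions made for this example.

```python
import math
import re

# Signature patterns (assumed for this example). The AWS access key ID
# format, "AKIA" followed by 16 uppercase alphanumerics, is publicly documented.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Long runs of base64-like characters are candidates for the entropy check.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off

def shannon_entropy(s):
    """Bits per character: random tokens score high, English words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def scan_line(line):
    """Return the finding kinds triggered by one line of text."""
    kinds = [name for name, pat in PATTERNS.items() if pat.search(line)]
    # Entropy catches keys whose format has no fixed signature.
    if any(shannon_entropy(t) > ENTROPY_THRESHOLD
           for t in HIGH_ENTROPY_TOKEN.findall(line)):
        kinds.append("high_entropy_token")
    return kinds

def scan_text(text):
    """Scan a blob (source file, config, commit diff); return (line, kind) pairs."""
    return [(num, kind)
            for num, line in enumerate(text.splitlines(), start=1)
            for kind in scan_line(line)]

# Constructed sample file: every value is made up, none is a real credential.
# Line 2 is low-entropy, so only the pattern check catches it; line 4 has no
# fixed format, so only the entropy check does.
SAMPLE = """\
DB_HOST = "db.internal.example"
password = "correct horse battery staple"
aws_access_key_id = "AKIAEXAMPLEKEY000001"
session_token = "kQ9zTv3XbN7pLmR2cYwH4sJ8dF6gA1eU5iO0tZxVqW"
-----BEGIN RSA PRIVATE KEY-----
"""
if __name__ == "__main__":
    for num, kind in scan_text(SAMPLE):
        print(f"line {num}: {kind}")
```

In a pipeline this runs as a pre-commit hook or a CI step, and a finding fails the build until the value is removed and rotated.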

Container Scanning

Container scanning involves comparing the contents of each container to a database of known vulnerabilities. If the scanner determines that a library or other dependency within a container image is subject to a known vulnerability, it will flag the image as insecure.

DAST (Dynamic Application Security Testing)

DAST is used after application deployment to spot issues that manifest at runtime, such as authentication and network configuration flaws.

Infrastructure-as-Code (IaC) Scanning

IaC scanning identifies the variables whose required settings are either undefined or set incorrectly. Scanning IaC involves checking templates, files, and modules, and their variables, against known policies.
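As an added example, not part of the original article or any Harness product, here is a minimal policy-as-code checker in Python that evaluates a constructed IaC template against rules and distinguishes the two failure modes described above: a required setting that is undefined, and one that is set incorrectly. The resource types, attribute names and policy rules are assumptions made for this example.

```python
# Policy rules (assumed for this example): resource type -> attribute -> predicate.
# A rule fails as "undefined" when the attribute is absent from the template and
# as "misconfigured" when it is present but the predicate rejects its value.
POLICIES = {
    "storage_bucket": {
        "encryption_at_rest": lambda v: v is True,
        "public_read": lambda v: v is False,
        "versioning": lambda v: v is True,
    },
    "database": {
        "encryption_at_rest": lambda v: v is True,
        "publicly_accessible": lambda v: v is False,
        "backup_retention_days": lambda v: isinstance(v, int) and v >= 7,
    },
}

def evaluate_resource(resource):
    """Return violations for one resource as (name, attribute, reason) tuples."""
    rules = POLICIES.get(resource["type"], {})  # types without rules pass
    attrs = resource.get("attributes", {})
    violations = []
    for attr, accepted in rules.items():
        if attr not in attrs:
            violations.append((resource["name"], attr, "undefined"))
        elif not accepted(attrs[attr]):
            violations.append((resource["name"], attr, "misconfigured"))
    return violations

def scan_template(template):
    """Evaluate every resource of a parsed template (a dict, as from JSON/YAML)."""
    return [v for res in template.get("resources", []) for v in evaluate_resource(res)]

def gate(template):
    """Pipeline gate: True only when no policy violation remains."""
    return not scan_template(template)

# Constructed template: one resource per failure mode plus one with no rules.
TEMPLATE = {"resources": [
    {"type": "storage_bucket", "name": "app_logs",
     "attributes": {"encryption_at_rest": True, "public_read": True}},
    {"type": "database", "name": "orders_db",
     "attributes": {"encryption_at_rest": True, "publicly_accessible": False,
                    "backup_retention_days": 3}},
    {"type": "compute_instance", "name": "worker", "attributes": {"size": "small"}},
]}

if __name__ == "__main__":
    for name, attr, reason in scan_template(TEMPLATE):
        print(f"{name}.{attr}: {reason}")
    print("deploy allowed" if gate(TEMPLATE) else "deploy blocked")
```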

Key Benefits of DevSecOps

The primary objective of DevSecOps is to deliver more secure software without degrading developer velocity. If DevSecOps is implemented correctly, software-producing organizations will reap the following benefits:

  • decrease in application security incidents
  • decrease in time spent on compliance audits
  • increase in deployment frequency
  • decrease in change failure rate
  • decrease in the number of vulnerabilities deployed to production
  • decrease in lead time to zero-day vulnerability remediation

Want to learn more about how Harness Security Testing Orchestration helps you build a world-class DevSecOps practice? Visit the STO product page or sign up for a demo with one of our experts!