Introducing DevSecOps Bookmark has been added
Shifting security left to efficiently develop secure software
Embedding security in software development is changing. With the rise of DevOps, an holistic approach on people, process, technology and governance is required to integrate security, turning DevOps into DevSecOps.
Adopting DevOps for efficient development
DevOps combines the two concepts of software development (Dev) and operations (Ops). These two concepts used to be executed by different teams in their own silos where Development is responsible for creating the product and Operations maintains the product, ensuring it runs as intended. DevOps is the philosophy of breaking down these silos and integrate the efforts of the two teams in one production pipeline. Organizations are rapidly adopting DevOps with the help of processes and tooling aimed to improve speed and efficiency.
The reason for this soar in popularity is due to several benefits. DevOps allows for shorter development cycles resulting in faster innovation, a reduction in integration and deployment failures, an improvement in communication and cooperation between development and operation teams throughout the development process, and an overall reduction in costs.
The challenge of security in DevOps
The classical security approach of performing security tests on delivered products poses a challenge for DevOps as delivery is broken down into small increments that are deployed early and often. The amount of incremental improvements of the product throughout the development process makes it unfeasible for the security team to perform risk assessments and penetration test and resolve the findings for every increment before go live. Security would be a bottleneck in the continuous development hindering innovation and short time to market. How can organizations make sure the security approach fits the DevOps way of working?
Contemporary society expects all software to be secure. DevOps is therefore not only about software development and operations. Organizations should integrate security in DevOps to keep pace with the business demands of improved scale and speed. Leaving security is not feasible anymore. Security should speed up in order to keep up with the demands of operations.
Integrating security in every phase
Instead of sustaining security as an afterthought, security tools, activities and processes should be tightly integrated throughout the software development lifecycle. The integration of security is consistent with the philosophy of DevOps, breaking down isolated silos in the software development lifecycle joining the efforts to efficiently create new software. This will result in effectively considering security in every step of the development cycle and uncovering vulnerabilities before they arise. Additionally, the DevOps pipeline deploys technology to automate part of the development and testing efforts, allowing you to also automate core security tasks and controls early in the process. Deploying this technology enable continuous monitoring and remediation of identified security defects across the application lifecycle including development and maintenance.
When security is integrated in DevOps, we commonly refer to this as DevSecOps.
An effective approach to include security in DevOps is to “shift security left” in the DevOps pipeline. Integrating security controls, tools, processes in an automated fashion results in a DevSecOps pipeline that automatically scans all new code for potential vulnerabilities leaving time to focus on developing value adding functionalities.
DevSecOps is not only about deploying security tooling, but it requires knowledge about using those tools in the right way and bringing about a culture in which everyone feels responsible for security. What we see is that a transformation of DevOps to DevSecOps is achieved through the pillars of Governance, People, Process and Technology. These four pillars are all essential to consider in your transformation journey as they are interconnected and will build on each other’s strengths. Where governance relates to establishing a fitting security framework with roles and responsibilities for your organization, it is your people who will need to change their way of working, become aware of the benefits and most likely be trained in new skills. Aside from the new roles, your employees will work new technology that will increase the effectiveness and efficiency of the development pipeline, supported by lean processes to glue everything together.
Several organizations are already deploying DevSecOps, and it is not without a reason. Society expects organizations to release innovative and secure products created in a responsible manner. If you are not on board yet, get ready to transform your DevOps process and quickly introduce security as an intertwined component throughout the cycle. Make sure your organization can keep up with the demand of the business while being in control of the security of your products. Get ready to implement DevSecOps in your organization through the pillars of Governance, People, Process and Technology.
This blog marks the start of a blog series devoted to DevSecOps. In the upcoming weeks we will post another five blogs in line with the four pillars of DevSecOps: Governance, People, Process and Technology, closing with a concluding blog on the general benefits of DevSecOps. With these blogs we want to provide you with our point of view on DevSecOps, explain its impact in more detail and create an understanding on how to successfully transform your organization by ‘shifting security left’.
Our next blog will focus on Governance; what must be considered when setting up a DevSecOps governance and how does this impact your organization?
For more information about DevSecOps, please contact Jelle Niemantsverdriet, Gijs Zijderveld or Tom Zijderhand via the contact details below.