DevSecOps: What’s It About?
DevSecOps – Introducing The New Kid On The Block.
DevSecOps occupies the buzzword throne in the world of cybersecurity and promises to stay there for the long run. Simply put, DevSecOps stands for three words: Development, Security and Operations – its point is to incorporate security decisions and actions at the same scale and speed as development and operations processes.
DevSecOps is a framework that emphasises the need for cultural and technical adaptations that will allow cloud services to remain competitive without disregarding security.
The IT infrastructure landscape has undergone exponential changes over the past decade. Shifting to agile cloud computing platforms and dynamic applications has allowed development operations to accelerate. But security used to be one stage in the process – one which often delayed the release date of products and was the concern of an isolated group of people.
While DevOps has stormed ahead in terms of speed, scale and functionality, security didn’t quite follow the pace. DevSecOps aims to fix this. It stems from the realisation that compromising security isn’t an answer to keeping up with competitiveness. Faster is good, but faster and safer is much better. As Jamie Tischart, CTO Cloud/SaaS at IntelSecurity, puts it:
“[the approach towards security] changed when we started delivering multi-tenant cloud offerings where any vulnerability could put millions of customers and the reputation of our companies at risk. Yet, we still held onto some archaic practices. We were slow to integrate secure coding and testing practices into our everyday engineering execution. We continued to leave security activities until the end of cycles and we left many vulnerabilities unattended because it slowed the release. This was until, of course, someone exploited the vulnerability and then everyone dropped everything and all hell broke loose.”
So now the aim with DevSecOps is to automate core security tasks and embed security controls and processes early in the DevOps workflow (rather than being bolted at the end). This requires a cultural change, new mindsets and processes, and cross-functional teams.
The role of developers, for example, is shifting from specialized to multidisciplinary – they need to understand how things run in production earlier in the cycle and are now responsible for meeting operational and security requirements when coding.
Additionally, DevSecOps highlights the need to invite security professionals from the start of DevOps initiatives to share feedback and insights on known threats with all areas within the organisation. In 2017, a DigiCert survey reported that 98% of American enterprises had started doing that, and 49% of those who had completed their efforts were already noticing improvements to both development agility and information security. These numbers were helpful to dismiss the common belief that security measures slow everything down.
But DevOps and DevSecOps’ differing operating models pose concerns over governance structures and a supposed lack of skills and solutions to their integration. However, security experts such as Mike Bursell, Chief Security Architect at Red Hat, argue that Sec and DevOps shouldn’t even be regarded as separate things in the first place: “if you do DevOps properly, it has to have security in it. Understanding how that works is DevSecOps.”
Meanwhile, Tischart has an interesting proposal regarding this terminology: take it literally. DevOpsSec implies that security comes at the end of the process – which is better than not at all, but still may expose vulnerabilities that could have been eliminated beforehand.
SecDevOps implies security activities occurring before any development or operations. The principle is well intended, but the practicality of this is highly debatable.
And DevSecOps implies completing development, then reviewing and automating for security, then deploying and operating. This aims to catch security concerns before they are deployed to the world, but security is not as incorporated into the overall process as it is in SecDevOps.
Maybe, he proposes, what we need is SecDevSecOpsSec.
Written by Paula Magal for CS4CA USA, where DevSecOps will be addressed by some of the US’s leading cyber security professionals collaborating to safeguard America’s critical industries.