Image illustrating DevSecOps and the implementation of enterprise security

By Gologic with the collaboration of Alexandre Couëdelo.

We may be approaching a world where DevOps is becoming the norm. Still, with the significant cases that have surfaced recently, there is something missing in our approach to collaboration between development and operations. Integrating security has become a top priority for companies, and the “DevSecOps” movement is one of the best ways to achieve it by bringing together developers (Dev), security experts (Sec), and IT operations (Ops).

The DevSecOps space is new and can feel very confusing. It’s hard to know where to start or which security components are critical. You spend hours reading about tools but can’t put all the pieces together to ensure the security of your company and its users. Let us help you get started with this article series on establishing a DevSecOps strategy.

DevSecOps, and security in general, is a vast topic touching every aspect of software delivery, so expect many articles on this subject.

In the first article, we will only cover the tip of the iceberg by explaining:

—Why do we need DevSecOps?

—What is DevSecOps methodology?

—How does automation play into DevSecOps?

Why do we need DevSecOps?

Let’s start with a step back. To understand DevSecOps practices, you need to understand what IT security is. Two things are essential to understand about IT security. The first is that there will never be a perfectly secure system. The second is that by investing in security, you are only reducing the risk and the blast radius. Investing in security practices is more like buying an insurance policy for your car: it does not prevent the accident, it limits the damage.

To reduce risks, security experts used to have more of a validation and audit role, approving and validating infrastructure decisions and implementations. However, the rise of agile and DevOps has made this model less sustainable. In short, DevSecOps is about reconciling security with short development cycle times.

What is DevSecOps methodology?

DevSecOps is the need to balance two priorities: fast and reliable delivery of software to production (DevOps) and security (Sec). Many organizations adopting the DevOps methodology are probably guilty of focusing too much on continuous delivery and forgetting about security. To fix that, organizations are increasingly looking for ways to automate many of their security tasks to avoid human error.

As a result, the main DevSecOps advantage is to equip DevOps teams with a full-fledged defensive capability that protects the company against digital attacks by deploying automation tools on all at-risk components: endpoints, networks, databases, applications, etc. The goal is to make security easier for development teams, QA engineers, and Ops team members alike.

However, it would be a mistake to think that DevSecOps is only about tools. While tools are the attractive part of the subject, DevSecOps also means implementing governance policies such as access and permissions at an organizational level, building security policies and best practices for developers, and defining a way to measure the results.

How does automation play into DevSecOps?

In the same way that DevOps adopted shift-left testing to improve software delivery, we need to shift security left and automate the “delivery” of our security assessments. This means security checks should run as often as possible and as early as possible in the development process, fulfilling one of the DevOps mottos: “fail fast.”

This means ensuring that all stages in the DevSecOps process include risk assessment and threat modeling from a security perspective, so that better defenses can be built. Security checks should be integrated around every element of the DevOps loop.

DevSecOps relies heavily on having well-established CI/CD tooling, because it is much easier to add security checks between, or in parallel to, existing pipeline steps. Security is not a one-man job, and roles and responsibilities need to be rethought to make security everyone’s concern.
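One concrete shape this takes, as an added example and not the article’s own configuration: a GitLab CI pipeline where a secret scan, a static analysis (SAST) job and a dependency scan run in parallel with the unit tests, and a failing check stops the pipeline before deployment. The tool images and flags are assumptions made here; the article itself defers tool selection to its follow-up.

```yaml
# Added example (not from the article). Stages run in order; jobs inside
# one stage run in parallel, so security checks sit beside the unit tests
# instead of at the end of the delivery process ("shift left").
stages:
  - build
  - verify      # tests and security checks run side by side
  - deploy

build:
  stage: build
  image: node:20
  script:
    - npm ci
    - npm run build

unit-tests:
  stage: verify
  image: node:20
  script:
    - npm test

# Secret scanning: a non-zero exit code fails the job and therefore the pipeline.
secret-scan:
  stage: verify
  image:
    name: zricethezav/gitleaks:latest   # assumed image
    entrypoint: [""]
  script:
    - gitleaks detect --source . --exit-code 1

# Static analysis of the source: --error turns findings into a failed job.
sast:
  stage: verify
  image:
    name: returntocorp/semgrep   # assumed image
    entrypoint: [""]
  script:
    - semgrep scan --config auto --error

# Known-vulnerable dependencies in the lockfile fail the job above a threshold.
dependency-scan:
  stage: verify
  image:
    name: aquasec/trivy:latest   # assumed image
    entrypoint: [""]
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL .

# Reached only when every verify-stage job, tests and security alike, passed.
deploy:
  stage: deploy
  script:
    - ./deploy.sh   # hypothetical deployment script
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
```

Because each job reports pass or fail independently, a developer sees which check failed on their merge request rather than waiting for a security review at the end of the cycle.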

DevSecOps roles fit into a DevOps culture and organization because security responsibilities are distributed to existing positions. Planning driven by business analysts (BA) and product owners (PO) should include threat analysis and account for security initiatives. Developers should be sensitive to secure coding best practices and scan their code for vulnerabilities, and DevOps administrators in charge of monitoring platforms should include security monitoring and alerting in their scope.

Where to go Next?

Hopefully, you now have a better idea of why you need to evolve from DevOps to DevSecOps.

The security silo needs to be broken down and fully integrated into the DevOps methodology, and DevSecOps is the name coined to push that idea forward. Luckily, much progress has been made in automating the delivery process, so adding security can be seen as adding a few extra steps to your pipeline.

However, implementing a DevSecOps strategy can be pretty daunting, as it requires a good understanding of the threats you are facing, security knowledge to select the DevSecOps tools to integrate into your pipeline, and of course some groundwork to add those tools to your infrastructure and pipelines.

In the following article, we will lay the foundation by discussing the essential DevSecOps tools that protect you from security incidents.


Sources:

https://termly.io/resources/articles/biggest-data-breaches/ (the large number of breaches)

https://www.bmc.com/blogs/what-is-shift-left-shift-left-testing-explained/ (shift-left testing)
