For the past several years, DevOps has been the go-to method for fast software development lifecycles. But just as testing is an integral part of app development, so is security. That's why the term DevSecOps was coined.
In today’s landscape, apps and services, such as containers and microservices, must be secured since sensitive data is or will be sent through them.
Any seasoned developer or IT person knows that security has always been part of the DevOps mindset, but DevOps has never really been advertised as a methodology that aligns with information security. That is the purpose of DevSecOps: it incorporates security into the DevOps way of thinking, rather than leaving security as an afterthought.
To discuss exactly how security is infused into DevOps culture and methodology, I had the chance to chat with Joseph DePlato, CTO and Co-Founder of the data security firm Bluestone Analytics. DePlato is a professional hacker who has served as a Senior Cyber Security Consultant for companies such as BP, American Express, Home Depot, and Palantir.
What is DevSecOps?
When we think of DevOps, we think of continuous delivery. DevOps is an agile development model and methodology with the sole purpose of streamlining how IT and dev teams interact. However, when we think of DevOps, we should also consider how dev and IT operations teams interact with software testing, or in the case of DevSecOps, security teams.
DevSecOps is the infusion of security into the Agile framework. Rather than having security be a stopgap between software releases, the idea is to make security a shared responsibility for everyone in the software development lifecycle. This means more communication between developers, testers, security teams, and operations.
When teams originally grasped the idea of DevOps, security wasn't the first thing that came to mind. That's changing.
DePlato explains, "A couple of things have happened in the last couple of years. Number one, a couple of massive breaches that have occurred...Equifax comes to mind. As well as a couple of compliance frameworks, policy frameworks that came out, such as the EU's GDPR."
Organizations were on the defensive, and security was now recognized to be just as important as every other aspect of the software development process. That's why the term DevSecOps was coined. There needed to be a way to harness the efficiency of an agile framework with information security in mind.
Security is a Shared Responsibility
So, who exactly is responsible for security? I'm sure you've heard it before, but security is a shared responsibility. IT teams drill this very sentiment into employees because they know that they can't protect everyone from phishing attacks. The same goes for the more technical side of the business. Security teams can preach the gospel of security practices and implement protocols, but at the end of the day, development teams need to consider security in all the code they write.
"Ideally, it's a shared responsibility. So I believe the main goal of any security team is to automate as much as they can, so that it can be integrated into the new development lifecycle," says DePlato.
DePlato goes on to give examples of automating security procedures. For example, third-party scanners can be used to analyze new builds and new code each day.
"We recently helped an org integrate a third-party scanner into their cycle. So what happens now is, once per day, if there is a new build or new code changes, the code goes through both a static and dynamic analysis. From the output, tickets are generated and sent back into their system and added to their current sprint," DePlato explains.
Automation is key, especially when software development needs to be continuous and quick, as the Agile and DevOps processes demand.
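The daily scan-to-ticket loop DePlato describes, written out as an added example (not code from the article or from Bluestone Analytics): a gate that runs only when the build or commit has changed, and a converter that turns scanner findings into sprint tickets while fingerprinting each finding so a rerun the next day does not file duplicates. The SARIF-like scanner output, the tool name and the ticket fields are constructed assumptions, not any real product's schema.

```python
import hashlib

# Constructed, SARIF-like scanner output; "example-sast" is an assumed tool name.
SAMPLE_SCAN = {
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
        ],
    }]
}

def needs_scan(current_commit: str, last_scanned_commit) -> bool:
    """Gate the daily run: scan only when a new build or code change exists."""
    return last_scanned_commit != current_commit

def fingerprint(result: dict) -> str:
    """Stable id per finding so a daily rerun does not file duplicate tickets."""
    loc = result["locations"][0]["physicalLocation"]
    key = f'{result["ruleId"]}|{loc["artifactLocation"]["uri"]}|{loc["region"]["startLine"]}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def findings_to_tickets(scan: dict, existing: set, sprint: str) -> list:
    """Convert scanner results into sprint tickets, skipping findings already tracked."""
    tickets = []
    for run in scan["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            fp = fingerprint(r)
            if fp in existing:
                continue  # already on the board from an earlier daily run
            loc = r["locations"][0]["physicalLocation"]
            where = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            tickets.append({
                "fingerprint": fp,
                "title": f'[{tool}] {r["ruleId"]} in {where}',
                "priority": "high" if r["level"] == "error" else "medium",
                "sprint": sprint,
                "body": r["message"]["text"],
            })
    return tickets
```

Feeding the previous run's fingerprints back in as `existing` is what keeps a once-per-day pipeline from flooding the sprint with the same open findings.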
Security is just another cog in the wheel that is agile development. But change doesn't have to be painful for IT, security, or dev teams. With the right mindset and with help from automation, we can build more secure software and, at the end of the day, a more secure world.