TLDR: A quick dive into DevOps, the problem with traditional application security, and how DevSecOps is being adopted to replace it.
To start, let’s make sure we’re on the same page with the term DevOps. As Atlassian defines it, DevOps is a set of practices that automates the processes between software development and IT teams, in order that they can build, test, and release software faster and more reliably. Looking at the image above, you can see the important components of the DevOps flow.
Knowing the foundation of DevOps, how does security fit into these practices? Traditionally, this is where application security came into play. Application security is the practice of finding and fixing weaknesses in an application, and traditionally it ran as its own phase after development: when the development team finished coding, in came the application security engineers to test and review the code. Let’s think about this process a little bit through an example.
Imagine you work for a company that needs to release a product by March 13th. The development team finishes coding the product on March 9th, a Friday. The business side of the company is pumped and excited because in their eyes everything is good to go for the release in 4 days. However, the testers and security team are almost ready to quit: they now have 4 days to get everything tested and any bugs fixed. Oh, and let’s not forget, it’s the weekend. So, going back to the chaos, what happens if the security team finds 5 critical blocking bugs in the code? Yep, you guessed it, the company still releases the software and says it will fix the bugs in a maintenance release. We already know what could happen if those vulnerabilities are exploited in production, so let’s not even go there.
The bigger question here and the main point of this blog is, how can we make this process better? Introducing the term DevSecOps. With the problems described above impacting companies across the world, engineers had to find a solution. In short, DevSecOps is the process of integrating security within the DevOps process. The key part of this definition is “integrating security within the DevOps process.” In other words, you can’t have DevSecOps without DevOps.
Instead of the “pass it over the wall” approach, security should be integrated into every stage of the SDLC, early and often, so that findings surface while the code is still being written rather than days before a release.
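As an added example (not code from the original post), here is the kind of gate that turns “the security team found 5 critical bugs on Friday” into a check that runs on every commit. It reads scanner output in SARIF 2.1.0, the interchange format most SAST and dependency scanners can emit, and applies a policy: error-level findings fail the build unless the rule has a recorded risk acceptance, and everything else is reported without blocking. The tool name, rule ids and file paths in the embedded sample report are constructed, and the Policy fields are this example’s own knobs, not any scanner’s options.

```python
"""Break-the-build security gate: added example, not code from the original post.
Reads scanner output in SARIF 2.1.0 and decides pass/fail under a policy."""
import json
import sys
from dataclasses import dataclass, field

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}  # SARIF result levels

@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    level: str
    message: str
    location: str

@dataclass
class Policy:
    # This example's own policy knobs, not any scanner's options.
    block_at: str = "error"                  # lowest level that blocks the build
    max_blocking: int = 0                    # blocking findings tolerated before failing
    accepted_rules: frozenset = frozenset()  # rule ids with a recorded risk acceptance

@dataclass
class Verdict:
    passed: bool
    blocking: list = field(default_factory=list)
    accepted: list = field(default_factory=list)
    informational: list = field(default_factory=list)

def parse_sarif(report: dict) -> list:
    """Flatten a SARIF log into Finding records, keeping the first location."""
    findings = []
    for run in report.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            location = "?"
            for loc in result.get("locations") or []:
                physical = loc.get("physicalLocation", {})
                uri = physical.get("artifactLocation", {}).get("uri", "?")
                line = physical.get("region", {}).get("startLine")
                location = f"{uri}:{line}" if line is not None else uri
                break
            findings.append(Finding(
                tool=tool,
                rule_id=result.get("ruleId", "unknown"),
                level=result.get("level", "warning"),  # SARIF's default level
                message=result.get("message", {}).get("text", ""),
                location=location))
    return findings

def evaluate(findings, policy: Policy) -> Verdict:
    """Bucket findings as blocking / accepted / informational and decide."""
    verdict = Verdict(passed=True)
    threshold = LEVEL_RANK[policy.block_at]
    for finding in findings:
        if finding.rule_id in policy.accepted_rules:
            verdict.accepted.append(finding)  # reported, never blocking
        elif LEVEL_RANK.get(finding.level, 2) >= threshold:
            verdict.blocking.append(finding)
        else:
            verdict.informational.append(finding)
    verdict.passed = len(verdict.blocking) <= policy.max_blocking
    return verdict

def _result(rule_id, level, text, uri=None, line=None):
    """Build one constructed SARIF result for the sample report below."""
    result = {"ruleId": rule_id, "level": level, "message": {"text": text}}
    if uri:
        result["locations"] = [{"physicalLocation": {
            "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]
    return result

# Constructed report standing in for real scanner output; tool name, rule ids
# and paths are made up for this example.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _result("py/sql-injection", "error", "Query built by formatting request data", "app/orders.py", 42),
        _result("py/hardcoded-credential", "error", "Hard-coded API key", "app/config.py", 7),
        _result("py/weak-hash", "error", "MD5 used for cache key", "app/cache.py", 19),
        _result("py/unused-import", "note", "Unused import"),
    ]}]}

# MD5 on a cache key has a documented risk acceptance, so it is reported but does
# not block; the other two error-level findings fail the build.
DEFAULT_POLICY = Policy(accepted_rules=frozenset({"py/weak-hash"}))

def main(argv) -> int:
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_SARIF
    verdict = evaluate(parse_sarif(report), DEFAULT_POLICY)
    for finding in verdict.blocking:
        print(f"BLOCK {finding.rule_id} {finding.location}: {finding.message}")
    print(f"{len(verdict.blocking)} blocking, {len(verdict.accepted)} accepted, "
          f"{len(verdict.informational)} informational -> {'PASS' if verdict.passed else 'FAIL'}")
    return 0 if verdict.passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python security_gate.py report.sarif` in a CI job and the non-zero exit code fails the build; the same script works as a pre-commit hook, which is what “every stage” looks like in practice. The point of putting the threshold and the accepted-risk list in a checked-in policy is that the release decision is made once, in daylight, instead of being renegotiated on the Friday before launch.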
Traditional application security is slow and very waterfall-ish. To fix this, with the help of DevOps, introduce DevSecOps to your engineering department and reap the benefits of having integrated security throughout the SDLC.
Thank you so much for reading along. Feel free to leave feedback/comments down below!