You've heard of DevOps, but what is DevSecOps?

DevSecOps Flow

TLDR: A quick dive into DevOps, the problem with traditional Application Security, and how DevSecOps is being adopted to replace traditional application security.

A Bit on DevOps

To start, let’s make sure we’re on the same page with the term DevOps. As Atlassian defines it, DevOps is a set of practices that automates the processes between software development and IT teams, in order that they can build, test, and release software faster and more reliably. Looking at the image above, you can see the important components of the DevOps flow.

Knowing the foundation of DevOps, how does security integrate with these practices? Traditionally, this is where application security came into play. Application Security is the process of making applications more secure within the development phase. In other words, when the development team finished coding, in came the application security engineers. Let’s think about this process a little bit through an example.

The Problem

Imagine you work for a company that needs to release a product by March 13th. The development team finishes coding the product on March 9th, a Friday. The business side of the company is pumped and excited because in their eyes everything is good to go for the release in 4 days. However, the testers and security team are almost ready to quit. For them, they now have 4 days to get everything tested and any bugs fixed. Oh, and let’s not forget, it’s the weekend. So, going back to the chaos, what happens if the security team finds 5 critical blocking bugs in the code? Yep, you guessed it, the company still releases the software and says they will fix the bugs in a maintenance release. We already know what could happen if those vulnerabilities are exploited, so let’s not even go there.

The Solution

The bigger question here and the main point of this blog is, how can we make this process better? Introducing the term DevSecOps. With the problems described above impacting companies across the world, engineers had to find a solution. In short, DevSecOps is the process of integrating security within the DevOps process. The key part of this definition is “integrating security within the DevOps process.” In other words, you can’t have DevSecOps without DevOps.

How does this fix the problem?

Instead of the “pass it over the wall” approach, security should be integrated in every stage of the SDLC. Below are a few ways to integrate security early and often:

  • While developers are coding, have them use IDE security tools and security browser add-ons.
  • Whenever code is checked in to a branch, a build is kicked off, and this is where security tools are run to scan the checked-in code. While checking the code for security vulnerabilities, this is also a great time to check your open-source (OSS) dependencies for known vulnerabilities and license compliance.
  • When an application has been deployed to a QA slot, testing slot, and/or staging slot, automated security tools should be run. This is also a great time to check for compliance and make sure everything is up to standard.
  • When your application has been deployed to production, security work should continue, although this stage looks a little different. In production, you should have some type of logging and alerting in place. For example, you can log every login attempt that uses “admin” as the username, or have logic in place that alerts you when SQL injection has occurred, and so on.
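As an added example (not code from the original post) of the production-stage logging and alerting described in the last bullet, here is a small Python alerting pass over constructed web-server log lines: it flags login attempts that use “admin” as the username and request parameters that carry classic SQL injection patterns. The log format, field names, regexes and sample lines are all assumptions constructed for this demo.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log format (an assumption): "<ts> <client_ip> <method> <path?query> <status> user=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S*)$"
)

SQLI_PATTERNS = [  # conservative patterns for classic SQLi probes in a decoded parameter value
    re.compile(r"(?i)'\s*or\s+['\d]"),                     # ' OR '1'='1  /  ' or 1=1
    re.compile(r"(?i)\bunion\b.*\bselect\b"),              # UNION SELECT ...
    re.compile(r"(?i);\s*(drop|delete|update|insert)\b"),  # stacked second statement
]

SAMPLE_LOGS = [  # constructed sample lines for the demo
    "2020-03-01T10:00:01Z 203.0.113.5 POST /login 401 user=admin",
    "2020-03-01T10:00:02Z 203.0.113.5 POST /login 401 user=admin",
    "2020-03-01T10:00:09Z 198.51.100.7 POST /login 200 user=keith",
    "2020-03-01T10:01:16Z 203.0.113.9 GET /products?id=1%27%20OR%20%271%27%3D%271 500 user=keith",
    "2020-03-01T10:01:20Z 203.0.113.9 GET /search?q=x+UNION+SELECT+password+FROM+users 200 user=",
]

def detect_sqli(target):
    """True if any query-string value (decoded after splitting on &) matches a pattern."""
    if "?" not in target:
        return False
    for param in target.split("?", 1)[1].split("&"):
        value = unquote_plus(param.split("=", 1)[1] if "=" in param else param)
        if any(p.search(value) for p in SQLI_PATTERNS):
            return True
    return False

def analyze(lines):
    """Return (alert_type, client_ip, detail) tuples for the two conditions named in the post."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than crash the alerting job
        rec = m.groupdict()
        if rec["target"].startswith("/login") and rec["user"].lower() == "admin":
            alerts.append(("admin_login_attempt", rec["ip"], rec["status"]))
        if detect_sqli(rec["target"]):
            alerts.append(("sqli_pattern", rec["ip"], rec["target"]))
    return alerts

def summarize(alerts):
    """Count alerts per (type, source IP) so repeated probes from one source stand out."""
    return Counter((kind, ip) for kind, ip, _ in alerts)
```

On the sample lines, `summarize(analyze(SAMPLE_LOGS))` reports two admin login attempts from 203.0.113.5 and two SQL injection patterns from 203.0.113.9, while the ordinary login from 198.51.100.7 raises nothing.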

Conclusion

Traditional application security is slow and very waterfall-ish. To fix this, with the help of DevOps, introduce DevSecOps to your engineering department and reap the benefits of having integrated security throughout the SDLC.

Thank you so much for reading along. Feel free to leave feedback/comments down below!


March 01, 2020

Written by Keith Davis, Jr.
Hi, I'm Keith! Welcome to my blog site. I have my Bachelor's in Computer Science & my Master's in Cybersecurity.