For years, the software industry has been buzzing with Agile and DevOps, which have started gaining ground even in the conservative field of regulated safety-critical products. As digitalization turns software product quality and security into a vital set of concerns across industries, there’s a growing effort to tie in Agile and DevOps processes with security procedures. Read on for our introduction to DevSecOps and its best practices!
Agile and DevOps software delivery
Agile’s iterative, collaboration-based approach has conquered the world of software. DevOps was a natural next step in the evolution of this approach, breaking down the walls between development and operations to enable the delivery of more robust products.
Related reading: Intland's 2-part post series on DevOps
Security, however, was often seen as a hindrance to delivering products as fast as possible. Developers placed a higher value on being faster than the competition in putting products on the market that customers wanted. Like in the old Waterfall ways, security testing was often just bolted on at the end of the lifecycle.
In order for security to keep pace in an increasingly digital world, there was a need for change. DevOps practitioners started experimenting with building security into their products (and the development lifecycles of those products), and DevSecOps was born.
What DevSecOps essentially means is that security protocols are baked into processes of product delivery. It extends the Agile mentality of sharing visibility, feedback, and insights to issues of software security, and integrates IT security into the product’s entire lifecycle.
Why do DevSecOps?
The benefits of “shifting security left in the lifecycle” (or more simply: coding with security in mind) are many:
- Once you’re able to detect and fix issues early on in the process of delivery, not only does that save you costs – it also reduces delivery times. In other words: while you might feel like applying security processes across delivery slows your teams down at first, you’ll enjoy increased speeds of product delivery in the long run.
- An increased ability to respond to changes and arising security issues mean more agility, and enhanced overall security. In a time when high-profile IT security scandals abound, this can help avoid bad publicity.
- Adopting a DevSecOps approach helps foster the open culture of transparency that is the backbone of Agile. While a huge challenge to implement, this could help make your organization more adept at Agile, with better collaboration and communication across teams.
- Constant and iterative improvements can lead to improved quality culture, and the “standardization” of secure design patterns, leading to an enhanced level of general product robustness across your product line.
- As DevSecOps requires a lot of automated processes, it actually helps free up development and testing resources once it has been successfully implemented.
DevSecOps best practices
Blending security and DevOps is easier said than done. Successful DevSecOps practitioners have distilled certain best practices that can help you get started.
First and foremost, perhaps even more than in “simple” DevOps, automation is key. You can’t really bake vulnerability testing and verification into your CI/CD pipeline if team members need to do it all manually. Smart ways to automate are vital – but smart is a keyword here!
In order to keep things in motion, make sure you only do security testing on recently added code. Automate both static and dynamic security testing, embedding these into your Continuous Integration/Delivery lifecycle in a principled way. For instance, you could automate nightly testing sessions to check for issues introduced in the day's coding output.
You’ll also need a way to prioritize issues, and fix the ones near the top of your list first. Trying to mitigate all vulnerabilities at once won’t help much in keeping up your velocity, but this way, you can keep things in check and always have clear insights on your products’ current level of security.
Manage containers and microservices like a pro
DevOps (and DevSecOps) is basically built for these forward-looking technologies, so make sure you take advantage of microservices and containers to embed DevSecOps in your CI/CD pipeline.
RedHat warns you to integrate security scanners in your process, encrypt data, and (even with automated security testing) to keep your containers isolated. All configuration activities (both system and service) should also be automated to avoid manual error.
Check your code dependencies and standardize
DevOps is inherently connected to open-source – but open-source could also mean security vulnerabilities. Mitigate risks by standardizing your environment, controlling access, and conducting dependency checks looking for known vulnerabilities resulting from your use of any open-source solutions.
Provide your developers with DevSecOps training and infrastructure
Simply instructing your “old” development team to do DevSecOps from the next morning on probably isn’t a winning strategy. Secure coding isn’t a skill we’re born with. Understand that the topic of security has for long been somewhat pushed into the background, and your developers may need some training to get up to speed with the latest security procedures and tools.
Tooling is another important questions: as DevSecOps is still an evolving discipline, so you’ll need to keep an eye out for platforms and tools that could contribute to the security of your products.
Don’t let the investment that training and tooling involve put you off: DevSecOps does seem to be the way forward, and the earlier you start to build security into your development lifecycle, the better.