Secure Software Development: From DevOps to DevSecOps

by Sanjeev Kapoor 12 Nov 2019

Modern software development is based on DevOps practices, which combine software development with IT operations as a means of shortening development cycles, boosting continuous software delivery and ensuring high software quality. DevOps embraces agile software engineering principles and includes continuous integration and testing activities as a means of enabling frequent integration and delivery. Many research reports show that IT leaders integrate and deliver software much more often than the average software company, which is why a growing number of enterprises is riding the wave of DevOps methodologies.

One of the flaws of DevOps processes in practice is that security issues are often overlooked. In the past, it was common practice for software development teams to deal with security challenges at the last stages of development. This practice is, however, totally incompatible with the DevOps paradigm, where development cycles are very frequent and complete software products must always be available. Despite this incompatibility, software enterprises still rely on outdated security practices, which are a setback to effective DevOps activities. To make things worse, the number and complexity of cybersecurity attacks are growing rapidly, as is evident in recent notorious security incidents such as the WannaCry ransomware and the Mirai denial-of-service attack. In this context, there is a need to embrace security practices across all DevOps cycles in an end-to-end fashion. This shift in the way security practices are integrated with DevOps has recently been coined DevSecOps.

Understanding DevSecOps

DevSecOps is about integrating security practices within DevOps activities. It puts emphasis on security as a shared responsibility between all DevOps stakeholders, including the teams involved in development and operations, as well as release engineers and security teams. DevSecOps deals with the challenging goal of striking a compromise between code security and speed of delivery, which are typically two conflicting targets. As part of DevSecOps, these two conflicting activities should be balanced and integrated in a common software development discipline. This balancing involves a paradigm shift in code security: software security issues are handled proactively as part of agile development, rather than reactively when a flaw is discovered or whenever an attack occurs. An effective DevOps process ensures robust, iterative security cycles, without any essential slowdown in continuous integration and software delivery.

DevSecOps is an excellent approach to confronting modern security challenges. It enables developers, deployers, security engineers and release engineers to cope with the complexity and scale of contemporary security attacks. As part of DevSecOps, security measures can be deployed and applied at very fine timescales, i.e., along with the frequent software delivery cycles. In this way, it is possible to apply the latest patches and security policies that can successfully confront recent security vulnerabilities and attacks, including malware, denial of service and ransomware.

Elements of a Successful DevSecOps Implementation

Despite the benefits of the DevSecOps paradigm, its implementation is in its infancy. This is because successful implementations require considerable changes in current DevOps practices, including:

Successful DevSecOps deployments are set to deliver significant benefits to software development enterprises. These benefits include greater speed and flexibility for security teams, as well as the ability to rapidly respond to emerging security threats. Moreover, DevSecOps promotes a culture of collaboration between security teams and other DevOps stakeholders, which contributes to the timely identification of code vulnerabilities and to the deployment of effective remedies. However, the transition from DevOps to DevSecOps cannot be taken for granted. It is still a challenging task that requires the engagement of all stakeholders, along with significant investments in complementary assets like training and new code security workflows. Most importantly, it requires commitment from business management, which should see DevSecOps as a significant step toward more secure products and services in an era where security concerns are on the rise.

2019 IT Exchange, Inc