Secure Software Development: From DevOps to DevSecOps

Modern software development is based on DevOps practices, which combine software development with IT operations as a means of shortening development cycles, boosting continuous software delivery and ensuring high software quality. DevOps embraces agile software engineering principles and includes continuous integration and testing activities as a means of enabling frequent integration and delivery. Many research reports show that IT leaders integrate and delivery software much more often than the average software companies, which is the reason why a proliferating number of enterprises rides the wave of DevOps methodologies.

One of the flaws of DevOps processes in practice is that security issues are often overlooked. In the past, it was common practice for software development teams to deal with security challenges at the last stages of development. This practice is however totally incompatible with the DevOps paradigm where development cycles are very frequent and the complete software products must always be available. Despite this incompatibility, software enterprises are still disposing with outdates security practices, which are a set back to effective DevOps activities. To make things worse, the number and complexity of cybersecurity attacks are growing rapidly, as evident in recent notorious security incidents such as the WannaCry ransomware and the Mirai Denial of Service attack. In this context, there is a need for embracing security practices across all DevOps cycles in an end-to-end fashion. This shift in the way security practices are integrated with DevOps is recently coined DevSecOps.

Understanding DevSecOps

DevSecOps is about integrating security practices within DevOps activities. It puts emphasis on security as a shared responsibility between all DevOps stakeholders, including teams involved in development and operations, as well as release engineers and security teams. DevSecOps deals with the challenging goal of compromising between code security and speed of delivery, which are typically two conflicting targets. As part of DevSecOps these two conflicting activities should be balanced and integrated in a common software development discipline. This balancing involves a paradigm shift in code security: Software security issues are handled proactively as part of agile development, rather than reactively when a flaw is discovered or whenever an attack occurs. An effective DevOps process ensures robust, iterative security cycles, without any essential slow down in continuous integration and software delivery.

DevSecOps is an excellent approach to confronting modern security challenges. It enables developers, deployers, security engineers and release engineers to cope with the complexity and scale of contemporary security attacks. As part of DevSecOps, security measures can be deployed and applied at very fine timescales i.e. along with the frequent software delivery cycles. In this way, it is possible to apply latest patches and security policies that can successfully confront recent security vulnerabilities and attacks, including malware, denial of service and ransomware.

Elements of a Successful DevSecOps Implementation

Despite the benefits of the DevSecOps paradigm, its implementation is in its infancy. This is due to that successful implementations require considerable changes in current DevOps practices including:

• Cultural Shift towards increased Security: First and foremost organizations should acknowledge the importance of code security. In the scope of DevSecOps, security practices become a first-class citizen in the software development process. Developers and deployers must learn to prioritize security testing, while giving security activities the same importance that is given to software development and testing. This is a prerequisite for identifying and confronting security threats proactively or even in real time.
• Scalability in Cloud: DevOps deployments take place within a cloud infrastructure in order to benefit from the scalability, capacity and quality of service of cloud computing. This means that the shift to DevSecOps requires deploying tighter security controls in the cloud infrastructure, while doing this at scale.
• Continuous Code analysis: DevSecOps involves frequent and continuous security analysis of software. To this end, teams must deliver code in small chunks and very frequently, since this facilitates code analysis and enables fast and timely identification of vulnerabilities.
• Frequent Monitoring for Regulatory Compliance: Security is closely related to regulatory requirements. DevOps teams must ensure that their software product complies always with regulations like GDPR, rather than performing compliance checks at the final stages of the deployment. To this end, the DevOps infrastructure must be advanced in order to continually gather data and evidence about applicable laws and regulations.
• Proactive Threat investigation: A DevSecOps discipline requires keeping an eye for new threats and vulnerabilities, as a means of identifying them early and remedying them proactively. Therefore, security teams should focus on discovering and disseminating relevant security information to all DevSecOps stakeholders, including developers, deployers and IT administrators.
• Intensive Security training: No DevSecOps project can succeed without properly trained developers, deployers, testing engineers, release engineers and administrators. It’s therefore important that all teams involved in DevSecOps undertake security trainings that will improve their awareness and knowledge on threats, vulnerabilities, attacks, as well as on methods and tools for alleviating them.
• Security Automation: DevOps is largely about automation of software development pipelines. Hence, a transition to DevSecOps requires that this automation is extended in the security domain as well. Security processes like risk assessment, pentesting, vulnerability scanning, and patching should be automated as much as possible. Moreover, they should be integrated within software development and deployment pipelines.

Successful DevSecOps deployments are set to deliver significant benefits to software development enterprises. These benefits include greater speed and flexibility for security teams, as well as the ability to rapidly respond to emerging security threats. Moreover, DevSecOps promotes a collaboration culture between security teams and other DevOps stakeholders, which contributes to timely identification of code vulnerabilities and to the deployment of effective remedies. However, the transition from DevOps and DevSecOps cannot be taken for granted. It is still a challenging task that requires the engagement of all stakeholders, along with significant investments in complementary assets like training and new code security workflows. Most important, it requires commitment from the business management, which should see DevSecOps as a significant step to more secure products and services in an era where security concerns are on the rise.