Introduction to DevSecOps

Ashwini Puranik
Sep 29, 2021

This post is an introduction to “DevSecOps”: in short, why it is used, in which phases of the lifecycle it is used, and what its benefits are.

So, what is “DevSecOps”?

DevSecOps—short for Development, Security, and Operations—basically automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.

Why is DevSecOps important?

  • DevSecOps represents a natural and necessary evolution in the way development organizations approach security. In the past, security checks were performed almost at the end of the software development lifecycle by a separate security team, and the software was tested by a separate quality assurance (QA) team.
  • This was manageable when software updates were released just once or twice a year. But nowadays software developers follow Agile and DevOps practices, aiming to reduce software development cycles to weeks or even days, and the traditional approach to security created an unacceptable bottleneck.
  • DevSecOps uses continuous and automated security testing even before the application goes into production. It implements issue tracking to ensure the early identification of defects, and it leverages automation and testing to make security tests more effective throughout the software development lifecycle.

How to enable DevSecOps on a current DevOps pipeline/SDLC:

Phase 1: Secure Local Development.

Start by implementing secure working environments. When you are developing an application, in most cases you will use open-source technologies. Docker is a great help at this phase, since it automates the deployment of infrastructure and services on local machines. So, when you are using such a ready-to-go Docker environment, make sure that you are using the most recent versions of the Docker images and scan them for vulnerabilities. Even images from official providers have vulnerabilities that need to be patched.

Phase 2: Version Control and Security Analysis.

Enable vulnerability scanning when uploading your source code. Having multiple people working on a piece of code can lead to vulnerabilities, especially when they are remote. Git systems have been a great improvement for collaboration between team members and on code. When a team member uploads a piece of code, I strongly suggest that you enable automated security testing on your code and its dependencies. A good tool for this is Snyk.

Phase 3: Continuous Integration and Build.

When creating the development image/package, you’ll need to make sure that your build tool or system has the proper security in place: it uses the https:// protocol, it’s properly hardened, it’s available and protected against attacks, or it is not even accessible via the internet. Tools that you can use here are Jenkins, AWS CodeBuild, Google Cloud Functions and Azure DevOps.

Phase 4: Promotion and Deployment.

When deploying to an environment, inject the environment variables through your CI/CD tool and manage them as secrets. Proper encryption and management of these secrets are recommended in order to strengthen your security posture.

Phase 5: Infrastructure Security.

When your app is deployed, make sure that you have an IDS (Intrusion Detection System) in place. Tools such as OSSEC will help protect all your hosts.
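The following declarative Jenkins pipeline is an added example (not code from the article) that wires Phases 1 to 4 together in one build: dependency scanning on every push, a rebuilt image that pulls the latest base layers, an image scan, and secrets injected from the CI tool rather than the repository. It assumes an image named myapp, a deploy script ./deploy.sh, the Snyk CLI installed on the agent, and Jenkins credentials with the ids snyk-token and app-db-password; all of these are hypothetical.

```groovy
// Added example: a declarative Jenkins pipeline covering Phases 1-4.
// Assumptions (not from the article): the app ships as the Docker image
// "myapp", Jenkins holds a Snyk API token under credential id "snyk-token"
// and the deploy secret under "app-db-password", the Snyk CLI is on the
// agent, and ./deploy.sh exists. Any high-severity finding fails the build.
pipeline {
    agent any

    environment {
        IMAGE = "myapp:${env.BUILD_NUMBER}"
        // Phase 4: the token comes from the Jenkins credential store, never
        // from the repository; Jenkins masks it in the console log.
        SNYK_TOKEN = credentials('snyk-token')
    }

    stages {
        stage('Dependency scan (Phase 2)') {
            steps {
                // Block known-vulnerable dependencies before anything is built.
                sh 'snyk test --severity-threshold=high'
            }
        }
        stage('Build image (Phases 1 and 3)') {
            steps {
                // --pull fetches the newest base image instead of a stale local copy.
                sh 'docker build --pull -t "$IMAGE" .'
            }
        }
        stage('Image scan (Phase 1)') {
            steps {
                // Official base images also carry CVEs; scan the built image.
                sh 'snyk container test "$IMAGE" --file=Dockerfile --severity-threshold=high'
            }
        }
        stage('Deploy (Phase 4)') {
            when { branch 'main' }
            steps {
                withCredentials([string(credentialsId: 'app-db-password', variable: 'DB_PASSWORD')]) {
                    // The secret reaches the deploy script only as an environment
                    // variable scoped to this step; it is never written to the workspace.
                    sh './deploy.sh "$IMAGE"'
                }
            }
        }
    }
}
```

Phase 5 (host intrusion detection with a tool such as OSSEC) runs on the deployed hosts rather than in the pipeline, so it is not part of this file.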

What are the benefits of DevSecOps?

  • As mentioned earlier, you can identify vulnerabilities at a very early stage in your pipeline, thus making it exponentially easier to fix them. And since continuous monitoring is in place, it enhances your threat-hunting capabilities. Business-wise, the more secure a product, the easier it is to sell.
  • Discovering vulnerabilities in the beginning stages of SDLC means you can significantly lower the costs incurred to fix them. Multiple teams coming together to work on security improves accountability. Such collaboration also facilitates coming up with quick and effective security response strategies and more robust security design patterns.
  • DevSecOps minimizes the frequency of security bottlenecks as well. There’s no need to wait for the development cycle to finish before running security checks. These two factors accelerate the speed of product delivery.

