February 18, 2021
Moving from DevOps to DevSecOps
Involving security early in the development process improves outcomes.
The DevOps approach to software development is gaining great popularity with IT organizations. This approach, which places software developers and operations specialists side by side on project teams, creates flexibility, improves efficiency and results in reduced rework after code is deployed to production. The benefits of this collaborative approach are undeniable, but many organizations that have embraced DevOps are finding that their current approach pays insufficient attention to a critical component: cybersecurity.
The DevSecOps approach to software development seeks to integrate the cybersecurity function into the DevOps model as an equal partner. When development teams do not include security professionals, they often find that submitting their code for security review produces critical, unexpected findings, leading to costly rework and project delays.
Just as DevOps sought to build a collaborative culture between development and operations, DevSecOps seeks to extend the scope of that collaboration to include cybersecurity teams.
Involving Security Every Step of the Way
In a standard software development process, the team moves iteratively through a variety of stages, beginning with the design of software requirements. The process continues through the development of code, the building and testing of executables, and the release to production — ultimately leading to the code being adopted as part of ongoing operations. The DevSecOps model seeks to add security feedback loops and checkpoints to each of those activities, rather than conducting security as a late-stage, separate review. We commonly refer to this goal as “shifting security left” to earlier stages in the software development process.
For example, organizations that consult with security teams in the design phase of new software development projects can anticipate the threats their code will face and design defenses against those threats as a core requirement of the software, rather than as a costly after-the-fact bolt-on solution. Similarly, DevSecOps teams can build enforced automated security testing directly into the development pipeline. When developers submit new code for review, an automated security test process is triggered that provides them with immediate feedback on potential flaws and required fixes. This tight feedback loop not only reduces the potential risks within the code but also allows developers to learn from their mistakes and build better code in the future.
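The kind of pipeline check described above, as an added example that is not part of the original article: a small pre-merge security gate that inspects only the lines a developer added in a unified diff, flags hard-coded credentials and dependency pins on an internal advisory list, and returns findings with file, line and a remediation hint so the feedback reaches the developer in the same review cycle. The secret patterns, the advisory list, the sample diff and every name in it are constructed for this example and stand in for whatever scanner and ruleset a real pipeline would run.

```python
"""Minimal pre-merge security gate (added example, not the article's code).

It walks a unified diff and checks only added lines, so the developer gets
feedback on the change they just made rather than on the whole repository.
All patterns, advisory entries and the sample diff are constructed here.
"""
import re
import sys
from dataclasses import dataclass

# Constructed credential patterns (illustrative, not a production ruleset).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_password": re.compile(r'''(?i)(password|passwd|pwd)\s*=\s*['"][^'"]{6,}['"]'''),
    "private_key": re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
}

# Constructed advisory list: package -> versions the security team has flagged.
VULNERABLE_PINS = {"examplelib": {"1.0.0", "1.0.1"}}
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)\s*$")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    rule: str
    path: str
    line: int      # line number in the new version of the file
    message: str


def scan_diff(diff_text: str) -> list[Finding]:
    """Return one Finding per flagged added line in a unified diff."""
    findings: list[Finding] = []
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):          # new-file header, e.g. "+++ b/app/config.py"
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):          # old-file header: nothing to check
            continue
        m = HUNK_HEADER.match(raw)
        if m:                               # hunk header carries the starting new-file line
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):             # removed line: absent from the new version
            continue
        if raw.startswith("+"):             # added line: the only content we judge
            content = raw[1:]
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    findings.append(Finding(rule, path or "?", new_line,
                        "possible hard-coded secret; move it to a secrets store and rotate it"))
            if path and path.endswith("requirements.txt"):
                rm = REQ_LINE.match(content)
                if rm and rm.group(2) in VULNERABLE_PINS.get(rm.group(1), set()):
                    findings.append(Finding("vulnerable_dependency", path, new_line,
                        f"{rm.group(1)}=={rm.group(2)} is on the advisory list; upgrade it"))
        new_line += 1                       # context and added lines both advance the counter
    return findings


def gate(diff_text: str) -> tuple[int, list[str]]:
    """Return (exit_code, messages); a non-zero code blocks the merge."""
    findings = scan_diff(diff_text)
    messages = [f"{f.path}:{f.line}: [{f.rule}] {f.message}" for f in findings]
    return (1 if findings else 0), messages


# Constructed sample diff standing in for what CI would receive from a pull request.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAEXAMPLEEXAMPLE12"
 DEBUG = False
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,2 @@
 requests==2.31.0
-examplelib==1.1.0
+examplelib==1.0.1
"""

if __name__ == "__main__":
    code, msgs = gate(SAMPLE_DIFF)
    print("\n".join(msgs) or "no findings")
    sys.exit(code)
```

Run as a CI step, the script's non-zero exit status is what makes the check "enforced": the merge is blocked until the developer replaces the literal with a secrets-store lookup and moves the dependency off the flagged version. Scanning only added lines keeps the gate fast and the feedback specific to the change, which is what lets developers learn from it rather than wade through findings in code they did not touch.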
How to Get Started with DevSecOps
Organizations typically begin experimenting with DevSecOps on a project-by-project basis as selected teams test the new approach and develop a model that suits the requirements and culture of the organization. However, when they seek to extend this approach to more projects, they often realize that the organization simply doesn’t have enough cybersecurity professionals on staff to meet its needs. One great way to overcome this obstacle is to assign a security champion on each project team who is responsible for ensuring the integration of security efforts. These individuals don’t need to be cybersecurity experts and are commonly developers or engineers already assigned to the project. They work closely with the cybersecurity team and represent those interests at project meetings.
Once an organization finds an approach that works, it is important to standardize and enforce as much as possible. Using common integration points between software development teams and cybersecurity functions improves consistency, reducing the effort required to meet security requirements and improving the organization’s risk management program.