The primary goal of DevSecOps is to ensure Security and Operations team members are engaged and collaborating with Development and Test from the very beginning of a project/product development. In addition to cultural shifts, it demands a linked toolchain of technologies to facilitate collaborative change. It requires pushing past departmental lines for more effective planning, design, and release of secure products. As organizations continue to build upon automated delivery, they find there are opportunities to test for issues beyond typical bugs – potential security flaws, design defects, and code weaknesses. Imagine being able to identify and fix flaws earlier in the delivery process, before they are exposed to the public.
Implementing DevSecOps in an organization requires building a single group of engineers (developers, admins, testers, security engineers) that have end-to-end responsibility of the application from requirements to deployment to monitoring and back to implementing new changes. This process forms a set of stages that can be carried out in a continuous loop until the desired product is achieved. The diagram below shows you the steps in a DevSecOps life cycle as well as some standard tools used in the toolchain.
Plan. All projects require planning. DevSecOps projects must plan user stories with more than just feature descriptions. They should include functional and non-functional requirements (like security and performance), acceptance test criteria, UI/UX designs and threat models. Security begins here at planning before a single line of code is developed. Lastly, ensure your estimates include this additional work. A story is not completed until it’s in production.
Develop. Generally, it is much less expensive to develop secure software than to correct security issues after the software package has been completed. Development teams should start by assessing the maturity of the practices, gaining sufficient resources to provide necessary guidance (like the OWASP Secure Development Guide) and implementing code reviews of software design and implementation.
Build. Automated build tools do more than compile code. A tool like Gradle can be used to enforce test-driven development, enforce standards for release artifact generation and utilize tools to ensure design and implementation comply with team coding standards and security best practices through static code analysis. Tools like Nexus Lifecycle can be used to identify vulnerable libraries in use by your application and automatically replace them with new ones.
Test. Test automation in a DevSecOps environment is much more than UI-focused Selenium tests. Strong testing practices should include unit, front-end, back-end, API, database, and passive security testing. Passive security testing can be completed with little to no effort by utilizing a robust testing framework, like Selenified with a Security Scanner in proxy mode.
Secure. Traditional security testing doesn’t go away in DevSecOps organizations, we just anticipate identifying far fewer issues late in the development process. When we identify vulnerabilities with security scanning, we often have a greater context of the issues and can more confidently determine if the vulnerability is a potential exploit or a false positive.
Deploy. Using an infrastructure as code tool, like Chef, automated provisioning and deployments can be utilized to expedite delivery of software and ensure more consistency in the development process. It can also be used to audit properties and configurations across the IT infrastructure as well as enforce secure configurations for all systems and services.
Operate. Routine maintenance and upgrades are an important component of any Operations team. Zero-day vulnerabilities need to be patched rapidly to reduce exposure time. DevSecOps team leverage infrastructure as code tools, so updates can be applied to the entire organization’s infrastructure rapidly and consistently with no human error.
Monitor. Implementing a strong continuous monitoring program makes it possible to obtain real-time evidence of how your system is performing and exploits that may be taking place against your system or its data. This allows organizations to review whether controls and systems function as intended on an ongoing basis.
Scale. Virtualization and the cloud is an important piece of any modern IT infrastructure. The ability to scale infrastructure to the changing demands of its user base, or even being able to completely replace a compromised environment in minutes are now real-world problems that we can’t successfully solve with traditional data-center Operations.
Adapt. Continuous Improvement is a hallmark of any strong Agile practice. DevSecOps practices must also continuously improve and adapt as issues (whether that be usability, security or performance) are identified. This informs decision-making, planning and how teams improve the overall SDLC.