By now, most organizations have heard of DevOps and many have begun to adopt DevOps practices as a key enabler of software delivery. Organizations who have adopted or are adopting an Agile approach find DevOps practices are a key component of the most successful adoptions. Granted, Agile can be adopted without the use of DevOps, however, DevOps truly enables Agile practices to flourish.
Organizations typically start with implementing Continuous Integration, Test-Driven Development, and Test Automation early on. Agile delivery teams embrace small, iterative development and increased code quality and with these practices in place, Continuous Delivery and Continuous Monitoring practices start taking hold. Teams focus on faster and faster delivery with less human interaction. Successful organizations build more collaboration between Development and Operations teams as they start working towards a shared goal.
While all of these practices provide strategic benefits like breaking down the traditional silos between Development, Testers, and Operations, it is unfortunately where many organizations stop. In my experience, most organizations fail to ever integrate their security programs into their development efforts. This is why the concept of DevSecOps is making such a large impact in the cyber security community. DevSecOps is a growing movement to incorporate Security into our DevOps practices to ensure loopholes and weaknesses are exposed early on through monitoring, assessment, and analysis, to that remediation can be implemented far earlier than traditional efforts.
An Example of DevSecOps in Action:
- Developers create the code and tests, that are managed by a version control system like Git.
- Changes are committed to the Git
- Jenkins pulls the code from the repository, builds and runs unit tests, as well as static code analysis (to identify code quality bugs and security defects).
- Infrastructure as code tools, like Chef, provisions an environment, deploys the application and applies security configurations to the system.
- Jenkins runs a test automation suite against the newly deployed application, including UI Tests, Backend Tests, Integration Tests, API Tests, and Security Tests.
- If the application successfully passes all tests, the application is deployed to Production, using the same infrastructure as code tools, used in the lower environments.
- The production environment is continuously monitored by tools like New Relic and Splunk to detect active cyber security threats.
DevSecOps provides a number of benefits between Development, Security, and Operations – it eliminates silos, promotes collaboration and teamwork, and identifies vulnerabilities early while still providing better, faster delivery. DevSecOps also contributes business value through dollars and resources saved, improved operations, diminished security threats, reduction of rework and increased quality through automated testing, as well as the delivery of projects/products early and often with less cycle time to the customer. In short, we can spend more time adding value to our end customers and less time (and money) fixing security vulnerabilities identified in pre-production or dealing with the fallout of security exploits in production.