For the past three to four years, companies across the IT world have adopted agile and other application development methodologies that streamline the work of different departments or areas and help them develop new products and release new features that improve their processes and infrastructure.
In this new “Agile” and “DevOps” world, where everybody on a team is involved in the rapid change and evolution of their application, we are also promoting accountability for everybody in terms of security. This is where DevSecOps joins the party. But what is DevSecOps?
1. What is DevSecOps?
DevSecOps is a new model that makes everyone on a team accountable for the security implementation of the application: from planning, design, development and QA/testing, through release, to operation in a production environment.
When DevSecOps is implemented in the Software Development Lifecycle (SDLC), an organization will experience continuous integration and will notice that compliance costs are reduced and that code is constantly being analyzed, tested, delivered and released properly.
“DevSecOps enables the process of implementing security to everybody and makes them accountable.”
– Guillermo Velez
2. Why is DevSecOps important?
As I stated previously on this blog, in this rapidly changing era everything is evolving at a very accelerated pace. We continue to discover vulnerabilities and breaches across platforms and operating systems, and patches are released constantly, but we, as part of the operations team of a company, cannot afford the risk of having a vulnerability on any side of our IT system or application.
3. What are the main benefits that you gain when implementing DevSecOps?
- Reduces vulnerabilities present in your code.
- Reduces vulnerabilities present in your IaC technologies.
- Reduces the number of ways to exploit your application.
- Reduces downtime.
- Improves your application's stability, availability, and security.
4. How can I enable DevSecOps on my current DevOps pipeline or SDLC?
There are five important phases that need to be followed in order to enable DevSecOps on a current DevOps pipeline or in the Software Development Lifecycle.
“DevSecOps is a must-have methodology that needs to be integrated into your DevOps process/pipeline to help you improve your security on your SDLC”
– Guillermo Velez
Phase 1: Secure local development
Start by implementing secure working environments (local secure environments). When you are developing an application, in most cases you will use open source technologies. Docker is a great helper in this phase since it automates the deployment of infrastructure and services on local machines. So when you use such a ready-to-go Docker environment, make sure that you are using the most recent, updated versions of the Docker images and scan them for vulnerabilities. Even images from official providers have vulnerabilities that need to be patched.
Phase 2: Version control and Security Analysis
Enable vulnerability scanning when you upload your source code. Having multiple hands working on a piece of code can lead to vulnerabilities, especially when the people are remote. Git systems have been a great improvement for collaboration between team members and their code. When a team member uploads a piece of code, I strongly suggest that you enable automated security testing of your code's dependencies and core; some good alternatives for this are Snyk or Sonatype’s Nexus.
Phase 3: Continuous Integration & Build
When creating the development image/package, you’ll need to make sure that your build tool or system has the proper security in place: it uses the https:// protocol, is properly hardened and secured, is available and protected against attacks, or is not even accessible from the internet at all. Tools that you can use here: Jenkins, Circle CI, AWS CodeBuild, Google Cloud Functions, Azure DevOps.
Phase 4: Promotion & Deployment
When deploying to an environment, inject the environment variables through your CI/CD tool and manage them as secrets. Proper encryption and management of these secrets is recommended in order to enhance your security protocols.
Phase 5: Infrastructure security
When your app is deployed, make sure that you have an IDS (Intrusion Detection System). Tools like OSSEC or Wazuh will help in this matter to protect all your hosts.
Once your code gets to production, that doesn’t mean it will be 100% secure. New vulnerabilities are disclosed every day, but this cycle will help you and your team test your code against the whole repository of known vulnerabilities, while you monitor, configure, reconfigure, adapt and deploy solutions to the
5. What tools and processes you need to enable in your DevSecOps process?
6. What is the ideal workflow for DevSecOps?
a. A developer creates new code and integrates it into the VCS.
b. Members of the QA team retrieve the code to perform static code analysis to identify security flaws or functional issues.
c. A test environment is created automatically using IaC such as Terraform, CloudFormation, Chef or Puppet, and the security configurations are added to the system.
d. The test automation suite is run against the application with a tool, usually Selenium or any other tool that performs backend, UI, integration, security and API tests.
e. After the test suite has run successfully, the new changes are sent to the production environment.
f. The new version of the code is then monitored in the production environment using an APM or cloud-native monitoring tool.
By following these points you ensure that your application follows TDD practices, improving code quality and compliance, increasing the number of code releases to production and reducing the time to market, which is essential for any organization.
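A concrete form of the checks behind Phase 1 (pinned, scanned Docker images), Phase 2 (automated dependency scanning) and workflow step b (a security gate before anything moves on), as an added example that is not from the original post: it flags Dockerfile base images that are untagged or float on :latest, and fails the pipeline when a scan report still carries findings at or above a chosen severity. The Dockerfile, the report shape and the finding ids are constructed for illustration and do not follow any real scanner's output format.

```python
import json
import re

# Constructed sample Dockerfile (Phase 1): base images should be pinned to a
# specific tag, or better a digest, never left floating on :latest or untagged.
SAMPLE_DOCKERFILE = """\
FROM node:latest AS build
FROM python:3.11-slim
FROM registry.example.internal:5000/internal/base
FROM nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed dependency scan report (Phase 2 / step b) in a simplified shape
# of my own; it is not the output format of Snyk, Nexus or any other scanner.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "FINDING-1", "package": "lodash", "severity": "high"},
    {"id": "FINDING-2", "package": "express", "severity": "medium"},
    {"id": "FINDING-3", "package": "minimist", "severity": "critical"},
]})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FROM_LINE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)

def unpinned_base_images(dockerfile_text):
    """Return the base image references that are untagged or use :latest."""
    bad = []
    for line in dockerfile_text.splitlines():
        match = FROM_LINE.match(line.strip())
        if not match or match.group(1) == "scratch":
            continue
        ref = match.group(1)
        if "@sha256:" in ref:
            continue  # digest-pinned: immutable, the strongest form
        # Only the last path segment may carry the tag; a registry port such
        # as host:5000 also contains a colon, so look after the last '/'.
        last = ref.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else None
        if tag is None or tag == "latest":
            bad.append(ref)
    return bad

def gate_scan_report(report_json, fail_at="high", accepted_ids=()):
    """Return (passed, blocking_ids): the build passes only when no finding
    at or above fail_at severity remains, except ids explicitly accepted."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f["id"] for f in json.loads(report_json)["findings"]
                if f["id"] not in accepted_ids
                and SEVERITY_RANK.get(f["severity"].lower(), 0) >= threshold]
    return (not blocking, blocking)
```

Wire both functions into the CI job that builds the image and installs dependencies, and treat a non-empty list or a failed gate as a failed build; the accepted_ids list is where a documented, time-boxed risk acceptance belongs rather than silently lowering fail_at.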
7. What are the challenges when enabling DevSecOps?
1. Enabling too many tools
Enabling too many tools can become a problem in your SDLC, especially when your team is not used to working with DevOps/security tasks. The main recommendation here is to start slow: enable only the necessary tools to get your team familiar with the process, and add more when you feel your team is prepared for it.
2. Getting used to the methodology
It will take some time for the whole team to get used to the DevSecOps methodology/culture, and also to keep following it in order to stay compliant with the regulations your business demands. Try to always stay up to date and coach your team on the newest technologies.
3. Chasing perfection on the process
Keep in mind that the DevSecOps process will never be perfect, but it will mature over time. Teams always try to chase perfection, and this only leads to more problems with even more integrations or dependencies.
In the end
Well, in the end, I think that every organization must make the effort to shift to a DevSecOps methodology or process and come up with a multidisciplinary team with a focus on security. That’s how an organization will transition from doing DevOps to DevSecOps, allowing all its collaborators to have accountability for the part they are actively developing. Hopefully you found this blog about what DevSecOps is interesting. Leave a comment below and tell me your opinion.