Why DevSecOps is Needed.

A short background on DevOps

DevOps combines people, processes, and automation to deliver continuous value to the organization. The very definition of DevOps is Development and Operations (Op’s) teams should work closely together as integrated teams to achieve the best possible results. The departments merge and work together towards common goals. Continuous integration and deployment (CI / CD) of the finished code requires a different organization and culture than before. DevOps unites culture, working methods, and tools and creates the best conditions for success.  According to GitLab research [ref], 82% of developers are releasing code faster than before because of DevOps, with 70% provisioning and managing their infrastructure. These statistics prove the progress DevOps has made to solve the complexities in the development lifecycle.

Definition of DevSecOps

DevSecOps is a combination of DevOps and IT (Information Technology) Security Operations. DevSecOps is the next step in a movement towards a better security culture. The need for DevSecOps originates from the lack of security in the DevOps implementation.  The DevSecOps practice is building security into the entire software development cycle; a few key areas are:

• Planning
• Build
• Testing
• Deploying
• Operations

In practice, a DevSecOps should be involved from the start of the design and in all the stages to Operations. By implementing security into the lifecycle and making security reports available directly to the developers, it allows for faster resolution and shifting the security responsibility towards the teams instead of silos.  In an ideal world, DevOps and DevSecOps should be one; security should be baked in at every stage. A DevSecOps is highlighting the business need to strengthen and protect the company’s reputation and the community it serves. By taking the ownership to lead security within the Op’s team, The DevSecOps team should contribute by sharing security knowledge, so DevSecOps and DevOps align as one.

Security challenges that DevSecOps addresses and how they differ from yesterday’s challenges

In the era of cloud technology, security has become one of the highest priorities for many organizations due to an increase in threats and legal responsibility. Keeping up to date with

new vulnerabilities and compliance can, however, become time-consuming and costly. According to Gartner, in 2019, the IT Security spendings were set to exceed $124 Billion. [ref]

Organizations have started to adopt DevSecOps to have a more comprehensive and proactive approach. The question becomes, what does the DevSecOps philosophy achieve compared to an old fashion security approach?

The old ways of security teams must adapt to a rapidly changing environment that makes traditional security procedures inadequate. Two significant influences that make traditional security procedures obsolete are shorter and faster software lifecycles and less isolated microservice eco-system. This is compared to typical architects that are not based on microservices.

DevSecOps introduces an idea of thinking about security from the start, and one example is using security plugins in the development process like the IDE. With this simple change, developers can already start catching vulnerabilities before the code has even been committed to their repository. In an older approach, these vulnerabilities would not have been caught until a later stage in the lifecycle or worse until it has already been exploited.  Development lifecycles are no longer dependent on having teams collaborate to fix vulnerabilities or large teams having to assess newly developed code for vulnerabilities. These old security processes tend to create long lead times and require more staff to match the development speed in which the DevOps approach brings.

The DevOps approach is to automate tasks where possible. The same applies to DevSecOps. When DevSecOps has been correctly implemented, developers can catch and fix vulnerabilities before release. As the organizations grow, the automation stays the same, meaning no additional staff cost to scaling security services, no additional lead times in the development lifecycle.

Challenges in establishing DevSecOps

All implementations have their challenges, hence why it is so important to focus on the correct things right from the start. Culture and behavior are one of the key item' s organizations need to address when implementing DevSecOps. As DevSecOps divides the security responsibility to multiple teams, it is important to make sure everyone understands why security is so important and why you must think about it at every step of the way. One way of solving the awareness is to hold relevant security education annually; an example of this would be to simulate attacks for all stakeholders to relate.

Why is it so important for people to understand security if the tools are doing most of the work?

All security vulnerabilities are important but there are so many types of security vulnerabilities, it can become confusing and overwhelming. Guidelines for which types of vulnerabilities and the impact levels should be priorities, therefore defined so that the organization knows where to focus its time and effort.

Another challenge that organizations often face, is finding the correct tools and services to properly support the development teams. Technology stacks may differ between organizations, so finding the right skill set to understand what service is needed for a specific technology stack comes as the first challenge. Once the correct services have been found, it is important to implement, configure, and integrate these services to fit the specific technology stack in the organization.

How does ELITS fit in? And How can ELITS help your organization?

ELITS has a wide range of skilled consultants who have experience with just this type of implementations and migrations. With our knowledge and long experience as well as the partnership with Trend Micro, you can safely contact us with your inquiries.

Read more about our security solutions here. | Other services are available here.