DevOps and DevSecOps are terms that application development and security teams have become very familiar with in the past few years, especially as internet-connected users demand constant updates and improvements to applications.
In fact, DevOps is being used by more organizations, with a recent survey finding that 49 percent of companies have already adopted or are planning to adopt a DevOps strategy. Even among those who have not yet implemented DevOps, another 33 percent are thinking about it.
And for good reason; it works.
The same survey found that almost all those implementing DevSecOps (97 percent) saw some type of improvement, including better collaboration and productivity, fewer coding errors, and better morale among internal team members.
A closer look at the difference between DevOps and DevSecOps—and the benefits and best practices around DevSecOps—demonstrates how this philosophy helps development and security teams work better together, while providing additional benefits to the application development process.
What’s in a name? DevOps versus DevSecOps
The name says it all. DevOps is the combination of the development side and the operations side (installation and configuration of servers, networks, storage, etc.) of software application design and development. This mashup evolved naturally as more applications were built and managed in the cloud, which allowed much higher update frequency for Agile applications.
But high-frequency updates require two things: 1) Your development team has something worthy of an update; and 2) Your IT operations team is capable of implementing these updates without breaking the application. This can only be achieved when the walls that traditionally separated development and operations teams crumble, creating a truly collaborative environment—and this is exactly what DevOps accomplishes. It breaks down the traditional silos that exist and puts the user at the center of the application development process.
But then an important question was asked: “What about security?” The traditional model of addressing application security at the end of development did not mesh with the high-frequency update model of DevOps. Security needs to be an integral part of the process as well, ensuring that rapid releases do not jeopardize application security.
The combination of DevOps and security led to DevSecOps. This philosophy maintains everything about DevOps and adds the security team to the process. It acknowledges the importance of security throughout the entire software development lifecycle, with attention being given to security in every step of the development process.
This does have its challenges. Historically, security teams have been viewed as naysaying obstacles, holding up development and making deadlines harder to hit as issues are identified and need to be fixed.
Many times, developers try to ignore their security counterparts and forge ahead with development. Developers are, at times, reluctant to change code that works as intended in order to address a reported vulnerability that may or may not be real. Unfortunately, security cannot be ignored, or your application becomes vulnerable to attackers.
An environment of collaboration and communication must be created between development and security with two goals in mind:
- Deploy quickly.
- Identify and correct issues as they occur.
The benefits of DevSecOps
- Improved collaboration and cooperation—The first line of the DevSecOps Manifesto summarizes this benefit perfectly: “Through Security as Code, we have and will learn that there is simply a better way for security practitioners, like us, to operate and contribute value with less friction.” The DevSecOps philosophy brings together the goals of development, operations, and security, so all three areas work towards the same goals of quick and secure deployments. Security teams cease to be seen as obstructionists when they are part of the process from the start; they’re on the team, not spectators with opinions.
- Better application security—By integrating security into the entire development process, issues are identified faster and can be resolved right away. Applications are less vulnerable to attack, increasing the success of the app and improving your reputation.
- Improved speed to market—This applies to both the initial release and all application updates. The agility of DevSecOps not only gets your application to market faster, but it also allows for fast updates. Applications supported by a united DevSecOps team can quickly coordinate new features and functionality, giving your app longevity. Apps that improve and expand constantly over a long period of time have a longer effective window to earn revenue, so your application is more competitive, and stays that way.
- Cost savings—It costs less money to fix issues earlier in the development process, when less code is involved. Waiting until your entire source code is complete is a much more intensive effort that drains resources. Fixing errors after deployment is an even bigger headache, as you also risk losing customers and tarnishing your reputation.
Best practices for a successful DevSecOps implementation
- Work in their environment—Security teams should familiarize themselves with the tools developers are using. These tools should be used to communicate security issues as soon as they are found. When security teams work in the developers’ preferred environment, issues are much more likely to be resolved. It makes it easy for developers to see what needs to be fixed and to track progress towards remediation.
- Create the culture—DevSecOps is a culture. Business leaders need to instill processes, procedures, and a shift in mindset that security is just as important as development. Both sides need to appreciate the importance of the other, so security understands the priority of keeping development moving along, and developers understand that releasing an insecure application update is not an option.
The aim is to have a culture in which developers are not blamed for things slowing down due to security issues; ideally, this is also an environment where security experts take steps to speed up the application security testing process and make it more efficient. The entire company must understand the concept and accept it, with the two sides of development and operations working together efficiently.
But creating this kind of culture relies heavily upon administrators and management. They need to understand that deadlines need to be managed based on both security and development. Sales and marketing also need to set customers’ expectations appropriately as to when an application or an update will be ready.
- Constantly educate and train employees—Developers and security team members will adopt a better appreciation of each other if they have a solid understanding of what is happening on the other side. Regular education and training around security can help developers appreciate its importance and can even help reduce the errors to be addressed in the first place. Some basic education on development for the security team (particularly the tools used by developers to track progress) helps the security team understand the development process. Security can also use developers’ preferred tools for logging issues. It’s a win-win.
- Automation—An efficient DevSecOps approach automates as many processes as possible between development, operations, and security. This helps teams build, test, and release applications and updates more quickly. Automation largely relies on the use of DevSecOps security tools and application security testing tools, which are discussed below.
DevSecOps security testing and tools
DevSecOps requires application security testing to be performed continuously throughout the development process so issues can be addressed immediately. The DevSecOps approach also demands the use of multiple types of application security testing tools so your application gets comprehensive security coverage throughout the development process.
The types of tools used include:
- Static Application Security Testing (SAST) tools
- Dynamic Application Security Testing (DAST) tools
- Interactive Application Security Testing (IAST) tools
- Threat modeling tools
For a closer look at these tools, consult our recent blog post.
Here are some tips on how to make application security testing more efficient within the DevSecOps environment:
- Create levels of application security testing—A more general level of testing can be done with each release, with more in-depth testing being done on a set schedule. This keeps security in the process at all times, while keeping updates moving at a fast pace.
- Use chat tools to foster communication—Instant messaging tools such as Slack can help development, operations, and security team members communicate as work is being done. Ideas can be exchanged, and the line of communication is always open. Just be sure to record any important information or decisions in a formal issue tracking tool, such as Jira.
- Use an application vulnerability manager—This is a tool that manages the results from application security testing tools and streamlines the application security testing process. An application vulnerability manager delivers the following benefits:
- Results from multiple tools are de-duplicated, dramatically reducing the volume of findings so your security team can more easily identify which threats are most important and should be addressed first.
- Code can be automatically checked for compliance with regulations, such as HIPAA, the DISA-STIG, and the PCI DSS. Violating lines of code are flagged, making remediation easier.
- Reporting options make it easy to sort and organize results. Reports can also be used to track remediation progress, so you can make sure your development team is staying on top of security issues.
- Lines of code that contain errors are flagged, and issues can easily be assigned and tracked from one central console.
- Integration with the development workflow allows your security team to work within the environment developers are accustomed to. A good tool will integrate with Eclipse and Jira, for example, so developers can easily track issues without having to leave their preferred development environment.
- Some tools offer Hybrid Analysis, which compares the results from SAST tools and DAST tools to quickly determine which vulnerabilities are actually exploitable. This automates a lengthy and expensive confirmation process, and provides a short list of high priority vulnerabilities.
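As an added illustration of the de-duplication and Hybrid Analysis steps listed above (example code written for this page, not any vendor's product), the Python below merges constructed SAST findings that several tools report at the same file, line and CWE, then marks as confirmed the ones a DAST scan also observed on the HTTP path served by that file. The route table ROUTE_MAP, which maps paths to handler files, is an assumed input that a real manager would have to obtain from the application.

```python
"""Toy application vulnerability manager: de-duplicate SAST findings, correlate with DAST, prioritise."""
from collections import defaultdict

# Constructed sample findings; they are not output from any real scanner.
SAST_FINDINGS = [
    {"tool": "sast-a", "file": "app/auth.py", "line": 42, "cwe": "CWE-89"},
    {"tool": "sast-b", "file": "app/auth.py", "line": 42, "cwe": "CWE-89"},  # same bug, second tool
    {"tool": "sast-a", "file": "app/profile.py", "line": 17, "cwe": "CWE-79"},
    {"tool": "sast-b", "file": "app/util.py", "line": 5, "cwe": "CWE-327"},
]
DAST_FINDINGS = [
    {"tool": "dast-x", "path": "/login", "param": "user", "cwe": "CWE-89"},
    {"tool": "dast-x", "path": "/admin", "param": "q", "cwe": "CWE-79"},
]
# Assumed (hypothetical) route table: which source file serves each HTTP path.
ROUTE_MAP = {"/login": "app/auth.py", "/profile": "app/profile.py", "/admin": "app/admin.py"}

def dedupe_sast(findings):
    """Merge findings that name the same file, line and CWE; keep the set of tools that agreed."""
    merged = {}
    for f in findings:
        key = (f["file"], f["line"], f["cwe"])
        entry = merged.setdefault(key, {"file": f["file"], "line": f["line"],
                                        "cwe": f["cwe"], "tools": set()})
        entry["tools"].add(f["tool"])
    return list(merged.values())

def hybrid_analysis(sast, dast, route_map):
    """Mark a SAST finding as confirmed when a DAST finding with the same CWE was
    observed on a path served by that same source file."""
    dast_hits = defaultdict(set)  # (handler file, CWE) -> paths where DAST saw it
    for d in dast:
        handler = route_map.get(d["path"])
        if handler:
            dast_hits[(handler, d["cwe"])].add(d["path"])
    for s in sast:
        s["confirmed_via"] = sorted(dast_hits.get((s["file"], s["cwe"]), ()))
    return sast

def prioritise(findings):
    """Runtime-confirmed first, then findings more tools agree on, then by location."""
    return sorted(findings, key=lambda f: (not f["confirmed_via"], -len(f["tools"]), f["file"], f["line"]))

def triage(sast=SAST_FINDINGS, dast=DAST_FINDINGS, route_map=ROUTE_MAP):
    """Full pipeline: de-duplicate, correlate with DAST, then order for the security team."""
    return prioritise(hybrid_analysis(dedupe_sast(sast), dast, route_map))

if __name__ == "__main__":
    for f in triage():
        print(f["file"], f["line"], f["cwe"], sorted(f["tools"]), f["confirmed_via"])
```

Note that the XSS reported in app/profile.py stays unconfirmed because the DAST scanner saw reflected XSS on /admin, which ROUTE_MAP attributes to a different file; the correlation is only as good as the route table behind it.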
DevSecOps is the ideal approach for creating a competitive, revenue-generating application. In a DevSecOps culture, all sides work together efficiently, so applications and future updates are secure and released quickly. It does take some work to create an effective DevSecOps culture, but with the right attitude and the right tools, it can be achieved.