I’ve been working on multiple CI/CD initiatives with a wide array of customers in my rather new role. While it is a revelation how the industry has changed in less than a couple of years, it is also great to see new and cutting-edge technology helping make the Time To Market (TTM) short and products more user focused. As a result of my recent learning in the field and of interactions with customers and their DevOps, I thought I’d put out a short article along these lines.
So, there’s one question that almost always comes up in customer meetings: what is DevSecOps?
There’s one simple way to explain what it is and why the new ways of working (agile) need it more than ever. In its entirety, DevSecOps is the inclusion of leading practices and tools for secure code development via a secure Software Development Life Cycle (SDLC).
A more comprehensive way to portray the concept of DevSecOps is as follows. Follow leading security practices and deliver code that is secure by design. Include code review tools as well as Static Application Security Testing (SAST) and, where applicable and possible, Dynamic Application Security Testing (DAST). Lastly, create a cultural change in which People, Process and Technology (PPT) aren’t disconnected but connected and in line with the whole concept of security being an intrinsic part of the development process rather than an afterthought.
The following are some of the key initiatives that facilitate DevSecOps adoption and execution in practice, not just in theory.
Secure Coding Practices
Observe secure code development practices that lead to software with high resilience to exploits and vulnerabilities. This includes (and is in no way limited to) not hard-coding credentials or secrets, adhering to coding standards, and keeping an eye on the OWASP Top 10 vulnerabilities, their origins and their remediation.
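One way to enforce the "no hard-coded credentials" rule as a pipeline gate is sketched below. This is an added example, not code from the original article; the function names, thresholds and sample input are assumptions made for illustration, and the heuristic (credential-like variable name plus a high-entropy string literal) is deliberately simple.

```python
import math
import re
import sys
from collections import Counter

# A string literal assigned to a name that looks like a credential.
ASSIGN = re.compile(
    r"""\b(\w*(?:password|passwd|secret|token|api_?key)\w*)\s*[:=]\s*(["'])(.+?)\2""",
    re.I,
)
# Placeholders and template references are not real secrets.
PLACEHOLDER = re.compile(r"changeme|example|x+|\$\{.*\}|<.*>", re.I)

# Constructed sample input; the password value is made up.
SAMPLE = '''import os
DB_PASSWORD = "q7#Lm2!xZv9$Tr4k"
API_TOKEN = os.environ["API_TOKEN"]
smtp_password = "changeme"
api_key = "${API_KEY}"
'''


def shannon_entropy(value):
    """Bits of entropy per character; random-looking strings score high."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def find_hardcoded_secrets(source, min_entropy=3.0):
    """Return (line number, variable name) for each suspicious assignment."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ASSIGN.finditer(line):
            name, value = match.group(1), match.group(3)
            if PLACEHOLDER.fullmatch(value):
                continue
            if len(value) >= 8 and shannon_entropy(value) >= min_entropy:
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    # CI usage: pass file paths; with none, scan the constructed sample.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    sources = sources or {"<sample>": SAMPLE}
    hits = [(p, n, v) for p, s in sources.items() for n, v in find_hardcoded_secrets(s)]
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: possible hard-coded secret in '{name}'")
    sys.exit(1 if hits else 0)
```

Run as a pre-commit hook or pipeline step, the non-zero exit code fails the build when a finding is reported; the environment lookup and the two placeholder lines in the sample are not flagged.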
Threat Modeling
While many would not see immediate value in spending cycles on threat modeling and coming up with a threat model for an application going live soon (such is today’s rapid pace), a commitment to mapping out threat actors, threat surface, threat vectors, and everything that can potentially jeopardize a piece of software or an app is worth the while. Yet many organizations don’t go through this exercise, and this is not on the development or IT teams; it’s more on the management that drives, or decides not to push for, time and effort in this direction.
Automation in environment provisioning and testing
Testing and automation have a huge bearing on the quality of the code being produced. Humans can err, but automation can reduce errors. Hence, adopt automation for deploying infrastructure for code testing (Infrastructure as Code, or IaC) as well as automation in testing (using Terraform or Ansible) for code and configuration checks in pre-production environments using regression testing.
Leverage extended security capabilities
It is in the interest of any DevOps team to leverage the extended reach of the InfoSec or IT Security team’s expertise to make the code resilient to cyber attacks. Findings from the deep dark web as well as from security research groups are very helpful in creating defenses against known threats and in being unyielding to unknown ones.
DevSecOps helps revolutionize the way organizations handle security while developing apps or software. While there can be shortfalls from a budget or manpower (or even security expertise) perspective, the benefits of subscribing to DevSecOps are far greater than the risk of not adhering to ‘secure’ new ways of working.