The ins and outs of DevSecOps

Here’s the thing about DevOps and security – they are so finely interwoven that it has created a practice known as DevSecOps.

The concept of DevOps is not new. The traditional explanation of it breaking the siloes between development and operations is a good starting point, but in reality, DevOps is a culture – a combination of philosophies, practices and tools that increase an organisation’s ability to deliver applications and services at high velocity. DevOps is about evolving and improving products at a faster pace than organisations using traditional software development and infrastructure management processes.

In addition to this change of culture where you enable a more rapid development lifecycle (SDLC) by having the engineers as part of every step, other benefits of the DevOps way of life include increased reliability, easier scaling, improved collaboration, and better security by virtue of preserving compliance through automated compliance policies, fine-grained controls and configuration management techniques.  

But here’s the thing about DevOps and security – they are so finely interwoven that it has created a practice known as DevSecOps. Here’s what you need to know.

DevSecOps is a natural and necessary evolution in the way development organisations approach security with the development, security and operations teams highly aligned. In the past, security was often “tacked on” to software at the end of SDLC by a separate security team and tested by a separate quality assurance (QA) team. This was a manageable approach when software updates were released maybe once or twice a year. But with the adoption of the DevOps culture and the shift to reducing the SDLC to weeks or even days, the traditional “tacked-on” approach to security created an unacceptable bottleneck.

DevSecOps is the practice of integrating application and infrastructure security seamlessly into DevOps processes and tools. It addresses security issues as they emerge before going into production – making it easier, faster and less expensive to fix.

The benefits of DevSecOps

Improved, proactive security

DevSecOps introduces cybersecurity processes from the beginning of the SDLC. This means that throughout the lifecycle code is proactively reviewed, audited, scanned and tested for security issues… and then addressed once identified. Additionally, better collaboration between development, security and operations teams improves an organisation’s ability to respond to incidents and problems when they occur.

Rapid, cost-effective software delivery

As above, fixing code and security issues can be a time-consuming and expensive task once an application has moved into the production state. By adopting DevSecOps, you can better ensure rapid, secure delivery while minimising the need to repeat a process to address any security bugs after the fact. This is more efficient and cost-effective since integrated security cuts out duplicative reviews and unnecessary rebuilds – ultimately making for more secure code.

Accelerated security vulnerability patching

A key benefit of DevSecOps is how quickly it manages newly identified security vulnerabilities as scanning and patching for common vulnerabilities and exposures are worked into the release cycle, freeing up the security teams to focus on higher value tasks. Because of this, the opportunity window threat actors have to take advantage of any vulnerabilities in public-facing production systems is limited.

Automation in modern development

In this age where automation in development is more and more common, DevSecOps offers the potential for cybersecurity testing to be integrated into an automated test suite for organisations that make use of continuous integration / continuous development (CI/CD) pipelines to ship their software. It’s important to note however that the automation of security checks strongly depends on the individual project and organisational goals.

As an aside, automated testing can ensure incorporated software dependencies are at appropriate patch levels, and confirm that software passes security unit testing. Plus, it can test and secure code with static and dynamic analysis before the final update is promoted to production.

Repeatable and adaptive

As organisations mature, so too do their security processes. DevSecOps lends itself to repeatable and adaptive processes, ensuring security is applied consistently across the environment, adapting and changing according to environment changes and new requirements. A mature implementation of DevSecOps will have security built into every layer of the platform: solid automation, configuration management, immutable infrastructure, as well as hardened orchestration and serverless compute environments.

BBD’s approach to DevSecOps

As an international software development company with extensive experience across a wide variety of sectors and technologies, BBD’s approach to delivering client solutions is focused on a custom fit nature where we first get to know your business, your technical landscape and your strategic goals, before suggesting the best roadmap and technologies to use for your project.

This means that we have matured our approach to security and development as a whole. We believe in adopting the principle of DevSecOps by integrating security throughout the software lifecycle as a shared responsibility between development, security and operations teams.

Some of our best practice considerations include:

Shift left (a common DevSecOps mantra): This encourages software engineers to move security from the end of the release process to the beginning.

Security education: Security is a combination of engineering and compliance. Through on-going education our engineers can better understand threat models and compliance checks, and have a working knowledge of how to measure risks, exposure and implementing security controls.

Culture (communication, people, processes and technology): We’ve learnt that to help foster the changes required to truly embrace DevSecOps practices, encouraging and supporting a sense of ownership in the people involved in the project produces the best results. Often, this comes down to guidance and good communication.

Traceability, auditability and visibility: Implementing these into a DevSecOps process leads to deeper insights and an overall more secure environment. Automating them takes much of the burden off of our clients as well as our teams on the ground.

DevSecOps in the cloud

With the ubiquity of the cloud in today’s working and technological landscape, DevSecOps calls for security to extend to cloud-based environments and best practices. In the case of AWS projects, BBD teams make sure that AWS security best practices are considered as well.

We do this by ensuring that the development, security and operations teams have answers to these questions:

• How will data be protected, and what are the encryption requirements for data at rest and in transit?
• How will the implementation of security architecture meet security standards, and deploy security solutions?
• Which users can access the network, and how will they be identified?
• What is the incident response strategy?
• How will logging and monitoring be completed so that relevant security data can be collected and analysed for resource related activities?
• How can we ensure we have a complete audit trail of all actions in our cloud environment?

As part of our solution to these questions, we often introduce the following AWS services:

• Amazon GuardDuty for threat detection
• AWS Security Hub to automate cloud security best practice checks
• AWS Identity and Access Management (IAM) for access control across AWS
• AWS Directory for Microsoft Active Directories
• AWS Artifact for compliance-relation information
• AWS CloudTrail to log, monitor, retain activity information and simplify security analysis

If you’re interested in working with a partner who can successfully implement a DevSecOps culture into your environment while ensuring effective and consistent software delivery, reach out to us.