DevOps Security and DevSecOps
DevOps security, more commonly referred to as DevSecOps, refers to the discipline and practice of safeguarding the entire DevOps environment through strategies, policies, processes, and technology. The DevSecOps philosophy is that security should be built into every part of the DevOps life cycle, including inception, design, build, test, release, support, maintenance, and beyond.
Traditional security operates from the position that once a system has been designed, its security defects can then be determined and corrected before release. With the change to a DevOps model, traditional security practices occur too late in the development cycle and are too slow for the design and release of software built by iteration. Thus, they can become a major roadblock to delivering applications and services at speed.
With DevSecOps, security becomes the focus of everyone on a DevOps team. DevSecOps has the goal of implementing security decisions at speed and scale without sacrificing safety. DevSecOps involves ongoing, flexible collaboration between release engineers and security teams. The concepts of “speed of delivery” and “building secure code” are merged into one streamlined process. Security testing is done in iterations without slowing down delivery cycles. Critical security issues are dealt with as they become apparent, not after a threat or compromise has occurred.
How to find the right DevOps tools
DevOps practices rely on effective tools to help teams rapidly and reliably deploy and innovate for their customers. These tools should automate manual tasks, help teams manage complex environments at scale, and keep engineers in control of the high-velocity pace that is DevOps.
The DevOps workflow consists of phases:
- Planning the next iteration of the product’s development
- Building the code
- Testing and deploying to the production environment
- Delivering product updates
- Monitoring and logging software performance
- Gathering customer feedback
Planning. Schedule planning and task tracking tools are needed to ensure the DevOps team knows what tasks are at hand, what is currently being done, and whether there are any risks of falling behind schedule. Tools like Confluence and Jira help DevOps teams achieve a seamless and efficient project management cycle and ensure timely product delivery.
Build and delivery. Developers need rapid deployment of development and testing environments and can’t wait long for repairs when something goes wrong. Docker containerization ensures consistency across multiple development and release cycles and provides repeatable development, build, test, and production environments. Other popular tools for this phase include Kubernetes, Terraform, Chef, Ansible, and Puppet.
Testing. Look for tools such as Jenkins, CircleCI, and GitLab CI, which help minimize the time and effort devoted to testing without compromising the code quality or user experience.
Software monitoring and logging. Once software is moved to production, it must be monitored to ensure stable performance and increased customer satisfaction. This stage also involves performance analysis and logging, raising smart alerts on various issues, gathering customer feedback, and so on. Tools for performing these tasks include Prometheus, Grafana, Elastic (ELK) Stack, Splunk, and Sumo Logic.