DevSecOps

What is DevSecOps?

DevSecOps, a relatively new term in the application security (AppSec) space, is about introducing security earlier in the software development life cycle (SDLC) by expanding the close collaboration between development and operations teams in the DevOps movement to include security teams as well. It requires a change in culture, process, and tools across the core functional teams comprising development, security, testing, and operations. Basically, DevSecOps means that security is a shared responsibility, and everyone involved in the SDLC has a role to play in building security into the DevOps CI/CD workflow.[1]

As the speed and frequency of releases increase, traditional application security teams cannot keep up with the pace of releases to ensure each release is secure.

To address this, organizations need to build in security continuously across the SDLC so that DevOps teams can deliver secure applications with speed and quality. The earlier you can introduce security into the workflow, the sooner you can identify and remedy security weaknesses and vulnerabilities. This concept is part of “shifting left,” which moves security testing toward developers, enabling them to fix security issues in their code in near real time rather than waiting until the end of the SDLC, where security was bolted on in traditional development environments.

Through DevSecOps, organizations can integrate security seamlessly into their existing continuous integration and continuous delivery (CI/CD) practice. DevSecOps spans the entire SDLC from planning and design to coding, building, testing, and release, with real-time continuous feedback loops and insights.


What is DevOps?

DevOps is an ideology comprising three pillars—organizational culture, process, and technology and tools—to help development and IT operations teams work collaboratively to build, test, and release software in a faster, more agile, and more iterative manner than traditional software development processes.

According to The DevOps Handbook, “In the DevOps ideal, developers receive fast, constant feedback on their work, which enables them to quickly and independently implement, integrate, and validate their code, and have the code deployed into the production environment.”[2]

In simple terms, DevOps is about removing the barriers between two traditionally siloed teams, development and operations. In a DevOps model, development and operations teams work together across the entire software application life cycle, from development and testing through deployment to operations.

DevOps versus DevSecOps

Virtually all modern software organizations now use an agile-based SDLC to accelerate the development and delivery of their software releases, including updates and fixes. Development methodologies such as DevOps and DevSecOps use the agile framework for different purposes. DevOps focuses on the speed of app delivery, while DevSecOps augments speed with security by delivering apps that are as secure as possible as quickly as possible. The goal of DevSecOps is to promote the fast development of a secure codebase.[3]

According to DevSecOps philosophy, organizations should integrate security into every part of the DevOps life cycle, including inception, design, build, test, release, support, maintenance, and beyond. In DevSecOps, security is the shared responsibility of everyone in the DevOps value chain. DevSecOps involves ongoing, flexible collaboration between development, release management (or operations), and security teams. In short, DevSecOps helps you maintain velocity without compromising security.

Why is DevSecOps important?

Ultimately, DevSecOps is important because it bakes security into the SDLC earlier and on purpose.[4] When development organizations code with security in mind from the outset, it’s easier and less costly to catch and fix vulnerabilities before they get deep into production or surface after release. Organizations in multiple industries can implement DevSecOps to break down silos between development, security, and operations so they can release more secure software faster:

  • Automotive: to reduce lengthy cycle times while still meeting software compliance standards such as MISRA and AUTOSAR
  • Healthcare: to enable digital transformation efforts while maintaining the privacy and security of sensitive patient data per regulations such as HIPAA
  • Financial, retail, and e-commerce: to help fix the OWASP Top 10 Web Application Security Risks and maintain data privacy and security compliance with PCI DSS payment card standards for transactions among consumers, retailers, financial services, etc.
  • Embedded, networked, dedicated, consumer, and IoT devices: to write secure code that minimizes the occurrence of the CWE Top 25 Most Dangerous Software Errors


Which application security tools do you need to implement DevSecOps?

To implement DevSecOps, organizations should consider a variety of application security testing (AST) tools to integrate into their CI/CD process. Some commonly used AST tools follow:

  • Static application security testing (SAST)
  • Software composition analysis (SCA)
  • Interactive application security testing (IAST)
  • Dynamic application security testing (DAST)

SAST

SAST tools scan proprietary code, or custom code, for coding errors and design flaws that could lead to exploitable weaknesses. SAST tools are used primarily during the code, build, and development phases of the SDLC. Coverity is one such SAST tool.

SCA

SCA tools such as Black Duck scan source code and binaries to identify known vulnerabilities in open source and third-party components. They also provide insight into security and license risks to accelerate prioritization and remediation efforts. In addition, they can be integrated seamlessly into a CI/CD process to continuously detect new open source vulnerabilities, from build integration to pre-production release.

IAST

IAST tools, working in the background during manual or automated functional tests, analyze web application runtime behavior. For example, the Seeker IAST tool uses instrumentation to observe application request/response interactions, behavior, and dataflow. It detects runtime vulnerabilities and automatically replays and tests the findings, providing detailed insights to developers down to the line of code where they occur. This enables developers to focus their time and effort on critical vulnerabilities.

DAST

DAST is an automated black box testing technology that mimics how a hacker would interact with your web application or API. It tests applications over a network connection and by examining the client-side rendering of the application, much like a pen tester would.[5] DAST tools do not require access to your source code or customization to scan your stack. They interact with your website and find vulnerabilities with a low rate of false positives. For example, Tinfoil Security DAST tools identify vulnerabilities on web applications and APIs, including web-connected devices such as mobile back-end servers, IoT devices, and any RESTful or GraphQL APIs.[6]
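The CI/CD integration that the SAST and SCA sections describe, as an added example that is not Synopsys code and is not tied to Coverity, Black Duck, Seeker, or Tinfoil: a Python pipeline step reads scanner output in SARIF (a common interchange format for AST results), fails the build only on new "error"-level findings that are absent from an accepted baseline, and prints file:line annotations so developers get the near-real-time feedback loop discussed above. The SARIF document, baseline, rule ids, paths, and tool name are constructed for the illustration.

```python
"""CI security gate over SARIF findings (added illustration, not vendor code)."""
import json
from typing import List, Tuple

Finding = Tuple[str, str, int, str]  # (ruleId, file, line, level)


def _result(rule: str, level: str, text: str, uri: str, line: int) -> dict:
    """Build one SARIF 2.1.0 result object (helper for the constructed sample)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed sample of what a combined SAST/SCA scan might emit, abbreviated.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner"}},
    "results": [
        _result("sql-injection", "error", "Untrusted input reaches SQL query", "app/db.py", 42),
        _result("weak-hash", "warning", "MD5 used for password hashing", "app/auth.py", 17),
        _result("vulnerable-dependency", "error",
                "lib-example pinned to a version with a known vulnerability", "requirements.txt", 3),
    ]}]})

# Findings reviewed and accepted on an earlier run (constructed baseline).
BASELINE = {("sql-injection", "app/db.py", 42)}
BLOCKING_LEVELS = {"error"}  # policy: only "error"-level findings stop the build


def parse_findings(sarif_text: str) -> List[Finding]:
    """Flatten SARIF runs/results into (ruleId, file, line, level) tuples."""
    out: List[Finding] = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            out.append((r.get("ruleId", "?"), uri, line, r.get("level", "warning")))
    return out


def evaluate_gate(sarif_text: str, baseline=BASELINE) -> Tuple[bool, List[Finding]]:
    """Block only on blocking-level findings absent from the baseline, so the
    developer gets feedback on their own change rather than on legacy debt."""
    new = [f for f in parse_findings(sarif_text)
           if f[3] in BLOCKING_LEVELS and (f[0], f[1], f[2]) not in baseline]
    return bool(new), new


if __name__ == "__main__":
    block, new = evaluate_gate(SAMPLE_SARIF)
    for rule, path, line, level in new:  # compiler-style lines for IDE/PR annotation
        print(f"{path}:{line}: {level}: {rule}")
    raise SystemExit(1 if block else 0)
```

Warnings are still reported to developers by the scanner but do not stop the pipeline; widening BLOCKING_LEVELS or shrinking the baseline tightens the policy over time.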


[1] https://www.csoonline.com/article/3245748/what-is-devsecops-developing-more-secure-applications.html

[2] https://itrevolution.com/book/the-devops-handbook/

[3] https://blogs.cornell.edu/react/devops-vs-devsecops-what-is-the-difference/

[4] https://enterprisersproject.com/article/2018/1/why-devsecops-matters-it-leaders

[5] https://jaxenter.com/dast-devops-166973.html

[6] https://www.channele2e.com/investors/exits/synopsys-buys-tinfoil-security/