Definition

DevSecOps is a trending practice in application security (AppSec) that involves introducing security earlier in the software development life cycle (SDLC). It also expands the collaboration between development and operations teams to integrate security teams in the software delivery cycle. DevSecOps requires a change in culture, process, and tools across these core functional teams and makes security a shared responsibility. Everyone involved in the SDLC has a role to play in building security into the DevOps continuous integration and continuous delivery (CI/CD) workflow.

DevSecOps evolved to address the need to build in security continuously across the SDLC so that DevOps teams could deliver secure applications with speed and quality. Incorporating testing, triage, and risk mitigation earlier in the CI/CD workflow prevents the time-intensive, and often costly, repercussions of making a fix postproduction. This concept is part of “shifting left,” which moves security testing toward developers, enabling them to fix security issues in their code in near real time rather than “bolting on security” at the end of the SDLC. DevSecOps spans the entire SDLC, from planning and design to coding, building, testing, and release, with real-time continuous feedback loops and insights.

What is DevOps?

DevOps is an approach to software development that centers on three pillars—organizational culture, process, and technology and tools. All three are geared toward helping development and IT operations teams work collaboratively to build, test, and release software in a faster, more agile, and more iterative manner than traditional software development processes.

According to The DevOps Handbook, “In the DevOps ideal, developers receive fast, constant feedback on their work, which enables them to quickly and independently implement, integrate, and validate their code, and have the code deployed into the production environment.”

In simple terms, DevOps is about removing the barriers between two traditionally siloed teams. In a DevOps model, development and operations teams work together across the entire software application life cycle, from development and testing through deployment and operations.


How is DevOps different from DevSecOps?

Modern software development leverages an agile-based SDLC to accelerate the development and delivery of software releases, including updates and fixes. DevOps and DevSecOps use the agile framework for different purposes. DevOps focuses on the speed of app delivery, whereas DevSecOps augments speed with security by delivering apps that are as secure as possible as quickly as possible. The goal of DevSecOps is to promote the fast development of a secure codebase.

Core to DevSecOps is integrating security into every part of the SDLC—from build to production. In DevSecOps, security is the shared responsibility of all stakeholders in the DevOps value chain. DevSecOps involves ongoing, flexible collaboration between development, release management (or operations), and security teams. In short, DevOps focuses on speed; DevSecOps helps maintain velocity without compromising security.


What is DevSecOps? | Synopsys

Why is DevSecOps important?

Ultimately, DevSecOps is important because it places security in the SDLC earlier and on purpose. When development organizations code with security in mind from the outset, it’s easier and less costly to catch and fix vulnerabilities before they go too far into production or after release. Organizations in a variety of industries can implement DevSecOps to break down silos between development, security, and operations so they can release more secure software faster.

  • Automotive: DevSecOps reduces lengthy cycle times while still ensuring that software compliance standards such as MISRA and AUTOSAR are met
  • Healthcare: DevSecOps enables digital transformation efforts while maintaining the privacy and security of sensitive patient data per regulations such as HIPAA
  • Financial, retail, and ecommerce: DevSecOps helps ensure that the OWASP Top 10 web application security risks are addressed and maintains PCI DSS data privacy and security compliance for transactions among consumers, retailers, financial services, and so on
  • Embedded, networked, dedicated, consumer, and IoT devices: DevSecOps enables developers to write secure code that minimizes the occurrence of the CWE Top 25 most dangerous software errors

Which application security tools are used in DevSecOps?

To implement DevSecOps, organizations should consider a variety of application security testing (AST) tools to integrate within various stages of their CI/CD process. Commonly used AST tools include:

Static application security testing (SAST).

  • SAST tools scan proprietary or custom code for coding errors and design flaws that could lead to exploitable weaknesses. SAST tools, such as Coverity®, are used primarily during the code, build, and development phases of the SDLC.

Software composition analysis (SCA).

  • SCA tools such as Black Duck® scan source code and binaries to identify known vulnerabilities in open source and third-party components. They also provide insight into security and license risks to accelerate prioritization and remediation efforts. In addition, they can be integrated seamlessly into a CI/CD process to continuously detect new open source vulnerabilities, from build integration to preproduction release.

Interactive application security testing (IAST).

  • IAST tools work in the background during manual or automated functional tests to analyze web application runtime behavior. For example, the Seeker® IAST tool uses instrumentation to observe application request/response interactions, behavior, and dataflow. It detects runtime vulnerabilities and automatically replays and tests the findings, providing detailed insights to developers down to the line of code where they occur. This enables developers to focus their time and effort on critical vulnerabilities.

Dynamic application security testing (DAST).

  • DAST is an automated opaque box testing technology that mimics how a hacker would interact with your web application or API. It tests applications over a network connection and by examining the client-side rendering of the application, much like a pen tester would. DAST tools do not require access to source code or customization; they interact with your website and find vulnerabilities with a low rate of false positives. For example, Synopsys Web Scanner and Synopsys API Scanner DAST tools identify vulnerabilities on web applications and APIs, including web-connected devices such as mobile back-end servers, IoT devices, and RESTful or GraphQL APIs.

How are AST tools integrated in DevSecOps?

Although AST tools are useful for identifying vulnerabilities, they can also add complexity and slow down software delivery cycles. Sorting through an overwhelming number of findings from siloed tools without the means to understand what needs to be done to prioritize them or when it is necessary to test can cause significant friction for security and development teams.

Optimizing testing tools and deriving meaningful insight from their data requires an application security orchestration and correlation (ASOC) solution. ASOC tools combine the capabilities of application security testing orchestration (ASTO) and application vulnerability correlation (AVC) tools to provide a management framework for AppSec tools, workflows, and prioritization of security activities. An effective ASOC tool is key to DevSecOps because it enables security and development teams to orchestrate testing intelligently, consolidate data from all AST tools, deduplicate any redundant results, correlate this data based on threat intelligence, and contextualize software risk to prioritize critical findings.
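The consolidate, deduplicate, correlate and prioritize steps described above, as an added illustration (this is not Code Dx or any Synopsys code): findings from three hypothetical tools are mapped onto one schema keyed by (CWE, location), duplicates collapse into one entry, and the result is ranked by severity, known-exploit status, and cross-tool corroboration. All raw findings and the scoring weights are constructed.

```python
# Added illustration (not Code Dx code): normalize, de-duplicate and rank findings.
SEVERITY_SCORE = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed raw findings, each in the field names its (hypothetical) tool emits.
SAST_RAW = [
    {"file": "src/login.py", "line": 42, "cwe": 89, "sev": "High"},
    {"file": "src/login.py", "line": 42, "cwe": 89, "sev": "High"},   # exact duplicate
    {"file": "src/util.py", "line": 7, "cwe": 798, "sev": "Medium"},
]
IAST_RAW = [  # runtime tool confirming the same SQL injection at the same line
    {"file": "src/login.py", "line": 42, "cwe": 89, "severity": "High"},
]
SCA_RAW = [
    {"component": "lib-xml", "version": "1.2.0", "cwe": 611,
     "severity": "Critical", "exploit_known": True},
]


def _merge(merged, key, severity, source, exploit_known=False):
    """Fold one raw finding into the common schema, keeping the worst severity seen."""
    entry = merged.setdefault(key, {"cwe": key[0], "location": key[1],
                                    "severity": "Low", "sources": set(),
                                    "exploit_known": False})
    if SEVERITY_SCORE[severity] > SEVERITY_SCORE[entry["severity"]]:
        entry["severity"] = severity
    entry["sources"].add(source)            # which tools reported it (corroboration)
    entry["exploit_known"] = entry["exploit_known"] or exploit_known


def normalize(sast, iast, sca):
    """Return {(cwe, location): finding}; identical (cwe, location) pairs merge."""
    merged = {}
    for f in sast:
        _merge(merged, (f["cwe"], f"{f['file']}:{f['line']}"), f["sev"], "SAST")
    for f in iast:
        _merge(merged, (f["cwe"], f"{f['file']}:{f['line']}"), f["severity"], "IAST")
    for f in sca:
        _merge(merged, (f["cwe"], f"{f['component']}@{f['version']}"),
               f["severity"], "SCA", f["exploit_known"])
    return merged


def prioritize(merged):
    """Rank by severity, with extra weight for a known exploit and multi-tool agreement."""
    def score(e):
        return (SEVERITY_SCORE[e["severity"]]
                + (2 if e["exploit_known"] else 0)
                + (1 if len(e["sources"]) > 1 else 0))
    return sorted(merged.values(), key=score, reverse=True)
```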

Together, Synopsys Intelligent Orchestration and Code Dx® provide an ASOC solution that integrates within the SDLC to mitigate software risk and build security into DevOps. Intelligent Orchestration enables organizations to determine the most impactful security activities by assessing the criticality of applications, defining application security policies as code, and using that policy to evaluate code changes and other SDLC events to trigger appropriate testing. It is an ASTO solution that, when combined with an AVC solution like Code Dx, provides a holistic ASOC approach. Code Dx integrates across 100+ developer and AST tools to consume, normalize, and correlate application security data, prioritize key findings, coordinate remediation workflows, and provide visibility to stakeholders across development and security. Importantly, Intelligent Orchestration and Code Dx support bidirectional integrations with a variety of ticketing systems to enable continuous feedback loops and communicate defects or security activities with developers directly. This provides a necessary foundation for organizations to bridge process gaps, facilitate collaboration between stakeholders across security and development, and fully migrate to DevSecOps.
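The "policy as code" idea above, where application criticality and the SDLC event decide which test runs and at what depth, as an added illustration (not Intelligent Orchestration code; the rule format, event names and 1-3 criticality scale are constructed assumptions):

```python
# Added illustration of policy-as-code test orchestration (not Synopsys code).
from dataclasses import dataclass, field
from fnmatch import fnmatch
from os.path import basename

# Constructed policy: the SDLC event that fires the rule, file-name patterns that
# make it relevant, the tool to run, and the lowest app criticality it applies to.
POLICY = [
    {"event": "pull_request", "paths": ["*.java", "*.py", "*.js"], "tool": "SAST", "min_crit": 1},
    {"event": "pull_request", "paths": ["pom.xml", "package*.json", "requirements*.txt"],
     "tool": "SCA", "min_crit": 1},
    {"event": "functional_test", "paths": ["*"], "tool": "IAST", "min_crit": 2},
    {"event": "preprod_deploy", "paths": ["*"], "tool": "DAST", "min_crit": 2},
    {"event": "release", "paths": ["*"], "tool": "DAST", "min_crit": 1},
]


@dataclass
class SdlcEvent:
    kind: str                  # e.g. "pull_request", "preprod_deploy", "release"
    criticality: int           # 1 = internal tool ... 3 = business-critical (constructed scale)
    changed_files: list = field(default_factory=list)   # empty for deploy/release events


def select_tests(event: SdlcEvent, policy=POLICY) -> list:
    """Return the tools the policy triggers for this event, in policy order, without repeats."""
    files = event.changed_files or ["*"]       # no diff available: every path counts as touched
    chosen = []
    for rule in policy:
        if rule["event"] != event.kind or event.criticality < rule["min_crit"]:
            continue
        if any(fnmatch(basename(f), p) for f in files for p in rule["paths"]):
            if rule["tool"] not in chosen:
                chosen.append(rule["tool"])
    return chosen


def scan_depth(event: SdlcEvent) -> str:
    """The 'right depth': full scans for critical apps and releases, incremental otherwise."""
    return "full" if event.criticality >= 3 or event.kind == "release" else "incremental"
```

A documentation-only pull request therefore triggers no scanner, while a dependency manifest change on any app adds SCA to the run.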
