
DevSecOps: What it is, and how to approach implementation

At its core, DevSecOps — or development, security, and operations — is a methodology for improving upon legacy software development strategies by integrating security protocols throughout the process. The ultimate goal is to evolve the standard so software development bolsters rather than undermines the security posture of an organization.

Here we detail why DevSecOps emerged as a philosophy, and how organizations can implement a framework to incorporate DevSecOps into their own IT processes.

DevSecOps shifts security left

Traditional software development approaches often suffer from ‘putting the cart before the horse.’

In past approaches, developers would write code and hand it to the delivery pipeline for testing. A new build is then deployed into a test environment for further testing, and only at the end is a final version given the green light for production. Security review typically arrives at that last stage, after most of the engineering work is done.

The problem? Security might flag thousands of vulnerabilities for devs to fix, and depending on the app’s complexity, these can take days or even weeks to resolve. Meanwhile, new updates keep being pushed into the pipeline, creating a security audit backlog that delays the release even further.

This is where DevSecOps comes in. 

Instead of delegating security to a few individuals, DevSecOps places responsibility for it on the entire organization. It also shifts security left: developers are given tools that automate security tests much earlier in the development pipeline, at commit and build time, rather than only once the code has been approved for production. The result is an environment of collaboration and continuous feedback between developers and security teams that streamlines vulnerability resolution and reduces manual effort.

This matters as developers contend with a larger attack surface and a growing range of threats. Recent years have seen a shift away from monolithic applications toward containers and microservice architectures which, while easier to deploy and scale independently, can introduce more vulnerabilities through the distributed dependencies between sets of managed services. Without automated tools to run security tests across each service, discovering and resolving every vulnerability that crops up is impractical. This is one reason DevSecOps is well suited to addressing an organization’s security needs at scale.

There are other benefits to DevSecOps as well. Embedding automated security checks across the pipeline does not mean slower code production and releases. If anything, it speeds up production by automating validation, compliance and service-configuration checks. And because those checks run on every change, a DevSecOps organization can address the root causes of its vulnerabilities and stop them from recurring in future releases, something that is extremely difficult to achieve through manual review alone. Moreover, the DevSecOps emphasis on integration means that developers, operations, and security can work collectively to scan for and root out vulnerabilities, rather than tackling these problems as siloed units.

In a nutshell, potential benefits of DevSecOps include:

  1. Faster code production and releases, with fewer security audit backlogs
  2. Identification of the root causes of vulnerabilities, to prevent recurrence
  3. Elimination of silos and stovepiped problem solving

Instituting a DevSecOps culture

Organizations looking to kickstart DevSecOps practices in their workforce need to know that it takes time and trust to deliver this kind of change. But there are a few steps that can be taken to get the wheels moving.

  1. Change the culture: DevSecOps success hinges on how well an organization can instill security as a responsibility for the whole workforce, not just a few dedicated professionals. Organizations might start this process by creating small joint teams of developers and security personnel, and tasking them with achieving a common goal. Strong buy-in from leaders at the C-suite level, as well as educating security and devs to collaborate using a common terminology, are additional ways to bridge the divide. 
  2. Find ways to insert automation: Automation is central to DevSecOps. There are many automated tools available on the market, but the most effective setups combine several kinds of scanner to integrate security continuously across dynamic web assets and microservices. Static (SAST), dynamic (DAST), and interactive (IAST) application security testing tools can be used together so that the blind spots of one class are covered by another; no single scanner type catches everything, so a gate that relies on only one leaves gaps.
  3. Extend visibility of the threat environment to all key actors: DevSecOps requires that all key actors (Devs, Security, Operations) are working from the same page and source of truth. Automated tools can expand visibility of the threat environment and improve discovery and tracking of vulnerable web assets, but it’s up to organizations to ensure this intelligence reaches relevant personnel in the first place. By giving developers automated tools to receive instant feedback and insight into correcting vulnerabilities, security folks no longer have to shoulder sole ‘gatekeeping’ responsibility at the end of a software development lifecycle. Instead, they can get precious time back to focus on proactive solutions and operations – such as threat hunting, for example.     

Figure: Organizations have a variety of automated scanning tools they can use to implement DevSecOps, with each providing a different array of functions. (Invicti.com)
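The steps above describe feeding scanner results back to developers and failing fast early in the pipeline, but they do not show what that glue looks like. The following is an added example, not code from the article or from any vendor named in it: a small CI gate that reads SARIF (the OASIS standard interchange format most SAST tools can emit), applies a severity policy, prints findings in the file:line form developers expect from a compiler, and returns a non-zero exit code so the build stops before the code reaches a test or production environment. The SARIF document, the tool name "example-sast", the rule IDs, paths and messages are all constructed for this example; a real run would load the file a scanner wrote to disk.

```python
"""Minimal DevSecOps CI gate over SARIF scanner output (example code)."""
import json
import sys

# Constructed SARIF 2.1.0 sample standing in for a SAST tool's output file.
# Tool name, rule IDs, file paths and messages are invented for this example.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input flows into a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-enabled", "level": "note",
             "message": {"text": "Debug mode left enabled"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}

# SARIF result levels, ordered by severity.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def extract_findings(sarif):
    """Flatten SARIF runs/results into simple dicts: rule, level, file, line, text."""
    findings = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a missing 'level' as 'warning'.
            level = result.get("level", "warning")
            locs = result.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "?"),
                "level": level,
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine", 0),
                "text": result.get("message", {}).get("text", ""),
            })
    return findings


def evaluate(findings, fail_on="error", suppressed=()):
    """Split findings into (blocking, non_blocking) under a severity policy.

    'suppressed' holds rule IDs that security has triaged and accepted for now;
    they are still reported but never block, which is how a team avoids the
    thousand-finding backlog while new high-severity issues still stop the build.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, non_blocking = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["level"], SEVERITY_RANK["warning"])
        if f["rule"] not in suppressed and rank >= threshold:
            blocking.append(f)
        else:
            non_blocking.append(f)
    return blocking, non_blocking


def run_gate(sarif, fail_on="error", suppressed=()):
    """Print compiler-style findings and return the exit code for the CI job."""
    blocking, non_blocking = evaluate(extract_findings(sarif), fail_on, suppressed)
    for f in non_blocking:
        print(f"  WARN {f['file']}:{f['line']} {f['rule']}: {f['text']}")
    for f in blocking:
        print(f"  FAIL {f['file']}:{f['line']} {f['rule']}: {f['text']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage in a pipeline: python gate.py results.sarif [warning|error]
    # With no arguments the constructed sample above is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_SARIF
    sys.exit(run_gate(data, sys.argv[2] if len(sys.argv) > 2 else "error"))
```

Two design points matter more than the parsing. First, the threshold is a policy knob: a team that starts by failing only on error-level findings and tightens to warning-level once the backlog is cleared gets the incremental adoption the culture section calls for. Second, the suppression list is a triaged baseline, not a permanent exemption; it should live in version control with a reviewer and an expiry so accepted risk stays visible rather than silently becoming the norm.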

It may be tempting to see DevSecOps as the latest instance of buzzy ‘software-speak’ that’s inundating the market today, but its core principles of embedding security throughout the development lifecycle continue to gain traction among cybersecurity professionals. 

As software moves away from monolith applications to microservices with increasingly networked dependencies, the attack surface has expanded to the point that traditional post-hoc security is no longer enough. DevSecOps gives organizations a powerful tool to layer security every step of the way without compromising on the agility and flexibility demanded by modern development cycles. 

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 
