An Introduction to DevSecOps
Shifting security left is a big deal in the software industry right now. Read on to get an introduction to DevSecOps, and how it helps automate a lot of this shift.
In today's world, with the pace at which change occurs, everyone would like to adopt Agile practices and delivery models. With the introduction of DevOps, the industry is catching up with the need for secure environments that help developers build automated security testing and assessment solutions.
We can never forget security: it must be part of the Agile development cycle, both to help developers and to avoid shipping solutions with critical vulnerabilities. DevSecOps (Dev+Sec+Ops) adds security testing and assessment support by extending the existing DevOps framework with security tools wired into the CI process. This lets developers uncover security-specific issues in their code by running the various security tests in an automated environment.
Challenges (Without DevSecOps)
- With the fast pace of development in the Agile world, security receives too little focus during the development process.
- The quality of the solution from a security standpoint is often compromised while the team focuses on feature deliverables during the Agile development lifecycle.
- Further, the organization's reputation suffers when critical vulnerabilities are found in shipped solution(s).
- Sensitive customer data is compromised due to the lack of focus on security testing.
- Relying on manual effort for security testing delays the discovery of critical vulnerabilities, which may result in either delaying the deliverables or shipping them with unknown vulnerabilities.
In order to minimize the risk from a security standpoint, putting an automated security solution in place, which is integrated into our CI system (for example, Jenkins), can help uncover security-related issues earlier in the development cycle. This helps reduce the risk of critical vulnerabilities being shipped in our software.
A few well-known mobile/desktop security tools are listed below as examples of SAST/DAST solutions.
- FindSecurityBugs (FindBugs Plugin)
- Dependency Checker
- HP Fortify
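A minimal Jenkins declarative pipeline that wires the two open-source tools above into the CI process described earlier, as an added example that is not from the original article. It assumes a Maven project, a Maven installation named `maven-3` configured in Jenkins, that "Dependency Checker" refers to OWASP Dependency-Check, and that the project's pom.xml already configures the SpotBugs Maven plugin with the FindSecBugs plugin added.

```groovy
// Jenkinsfile (Declarative Pipeline), assumed to sit at the root of a Maven project.
pipeline {
    agent any
    tools { maven 'maven-3' }   // assumed name of a Maven installation configured in Jenkins
    stages {
        stage('Build') {
            steps {
                sh 'mvn -B -DskipTests clean package'
            }
        }
        stage('SAST: FindSecBugs') {
            // Assumes pom.xml declares spotbugs-maven-plugin with the
            // findsecbugs-plugin listed under its <plugins> configuration.
            // The "check" goal fails the build when bugs are reported.
            steps {
                sh 'mvn -B com.github.spotbugs:spotbugs-maven-plugin:check'
            }
        }
        stage('SCA: OWASP Dependency-Check') {
            steps {
                // Fail the build when any dependency carries a known CVE
                // with CVSS >= 7 (High/Critical); write all report formats.
                sh 'mvn -B org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=7 -Dformat=ALL'
            }
        }
    }
    post {
        always {
            // Keep the reports so developers can triage findings from the build page.
            archiveArtifacts artifacts: 'target/dependency-check-report.*, target/spotbugsXml.xml',
                             allowEmptyArchive: true
        }
    }
}
```

Because both security stages fail the build, a pull request carrying a newly disclosed vulnerable dependency or an insecure code pattern is stopped in CI rather than discovered after shipping.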
It is very important to include security in the Agile development lifecycle. With DevSecOps, developers can better understand the criticality of vulnerabilities that exist in their code and fix these vulnerabilities while still delivering fast, but more secure, product(s)/solution(s).
Opinions expressed by DZone contributors are their own.