DevSecOps: The Principles to Apply to Improve Your Security System

Putting DevOps into practice has allowed companies to accelerate their software delivery while ensuring that critical aspects of development and operations are addressed.

By Usama Amin · Jan. 09, 23 · Tutorial

What Is DevSecOps?

The DevOps method eliminated the ops bottleneck in the delivery circuit, enabling faster deployment to production. It also improved the operations feedback loop, giving developers more control over their production code. However, faster delivery can also mean the faster deployment of security vulnerabilities.

This forces the organization to rethink its security policies, responding to the need for constant monitoring of security vulnerabilities while preventing this monitoring from becoming a bottleneck.

DevSecOps is an extension of the DevOps approach, which considers security a shared responsibility that must be integrated into the development process from the start.

It can be seen simply as "DevOps done right": the collaborative working model of DevOps aims to create a culture that brings developers and ops together to break down silos. In addition, DevSecOps adds the security team to the discussion to enable fast, efficient, and secure software delivery.

In essence, DevSecOps aims to:

  • Foster collaboration between DevOps and security teams.
  • Implement the principle of Security as Code and integrate security concerns into the software development process.

How to Adopt a DevSecOps Approach?

To adopt a DevSecOps approach, you will need to focus on three axes: people, process, and technology.

1. People

No investment in training and tools will allow your organization to move to a DevSecOps approach if the people at the heart of this collaboration are not interested.

The first step is to designate a volunteer "security champion" in each team. This person is a developer who is interested in strengthening the company's security posture but does not necessarily have a background in it.

This person will be the team's point of reference for security choices, in charge of raising security-related questions during the definition of the backlog. In addition, they will answer the team's questions about security.

The second step is to create a network of security champions within the organization. The aim is thus to share their knowledge and answer questions from others, for example, in the form of a security guild. In large organizations (more than ten teams), security advocate roles can emerge from security champions to add a layer of coordination and expertise.

Security issues then move up an escalation chain, in the manner of an Andon cord, from the team to the security champions/advocates and finally, if necessary, to the security team. This system ensures that each layer learns as much as possible about the problems encountered. This allows for continuous improvement (kaizen), increasing awareness of security issues and reducing the time it takes to resolve them.

2. Process

The results driven by the DevSecOps approach are made possible by modifying existing processes to enable collaboration between DevOps and security teams.

In particular, the measures that will have the most impact on your organization are:

  • Collaborative work sessions with DevOps and security teams on enterprise vulnerability patterns.
  • Regular auditing of automated tests by security experts.
  • The inclusion of security features in the software delivery backlog: 
    • Include a feature security assessment in the "definition of ready" (list of prerequisites for a task).
    • Include a green light given by the automatic security test tools in the "definition of done" (list of validation criteria for a task).

More generally, developing the DevSecOps process is an iterative effort. It starts with an experimental collaborative process between the two teams at a given stage of software delivery. This is followed by supervision of the process agreed on as a result of that experiment and, finally, by a security audit of the established standard process.

This process can then be applied by a variety of teams in a variety of contexts and refined according to the principles of agile methodology. In addition, using a standard process reduces the risk of introducing security vulnerabilities into the methodology.

3. Technology

Adopting a DevSecOps approach involves adding a variety of security solutions and best practices to the DevOps toolkit.

First, you want to automate security at all stages of software delivery. To do this, you need to add security tools to your CI/CD pipeline, such as:

  • Automated security testing
  • Linters
  • DAST/IAST/SAST stages
  • Vulnerability checks
  • Logging and monitoring tools
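The "green light from the automatic security test tools" that the definition of done above requires has to be computed somewhere in the pipeline. The following gate, an added example that is not part of the article, reads merged SAST/DAST/dependency-scan findings in a constructed JSON shape (real scanners emit their own formats, such as SARIF), applies a severity threshold, and honours only risk acceptances that have an owner and have not expired, so an exception cannot quietly become permanent. The tool names, finding ids and the `ACCEPTED_RISKS` register are all assumptions made for the example.

```python
"""Pipeline security gate: turn scanner output into a definition-of-done verdict.

Added example, not the article's code. The report shape below is constructed
for illustration; adapt the loader to the format your scanners actually emit.
"""
import json
from datetime import date

# Severity ranking used by the policy; names follow common scanner conventions.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what a merged SAST + DAST + dependency-check report might look like.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "tool": "sast", "severity": "high",
         "rule": "sql-injection", "file": "api/users.py"},
        {"id": "F-2", "tool": "deps", "severity": "medium",
         "rule": "vulnerable-dependency", "package": "example-lib"},
        {"id": "F-3", "tool": "dast", "severity": "critical",
         "rule": "missing-tls", "url": "http://app.internal/login"},
    ]
})

# Hypothetical risk-acceptance register: each entry must name an owner and an
# expiry date, otherwise the acceptance is ignored and the finding still blocks.
ACCEPTED_RISKS = {
    "F-1": {"owner": "security-champion@example", "expires": "2099-01-01"},
}


def evaluate_gate(report_json, accepted, threshold="high", today=None):
    """Return (passed, blocking_ids). A finding blocks when its severity is at
    or above the threshold (unknown severities fail closed) and it has no
    unexpired, owned acceptance. `today` is an ISO date string for testability."""
    today = date.fromisoformat(today) if today else date.today()
    limit = SEVERITY_RANK[threshold]
    blocking = []
    for f in json.loads(report_json)["findings"]:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 99)
        if rank < limit:
            continue
        acc = accepted.get(f["id"])
        if acc and acc.get("owner") and date.fromisoformat(acc["expires"]) >= today:
            continue  # accepted risk, still within its expiry
        blocking.append(f["id"])
    return (not blocking, blocking)


if __name__ == "__main__":
    ok, blockers = evaluate_gate(SAMPLE_REPORT, ACCEPTED_RISKS)
    print("GREEN" if ok else "RED: " + ", ".join(blockers))
```

In a CI job the script's exit status, not its printed verdict, is what should fail the stage, so the final line would typically become a `sys.exit(1)` on a red result.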

Next, you want to build security by design into your governance. To do this, you must implement standards and best practices, such as:

  • OWASP standards
  • Secure Coding Practices
  • Enabling TLS (Transport Layer Security) encryption by default
  • Enforcing API authentication for all clients (including nodes and proxies)

What Benefits Can My Organization Expect?

First, adopting a DevSecOps approach improves the overall security of your product, which in turn increases its quality and robustness.

Moving vulnerability controls earlier in the delivery process then allows your organization to discover and fix vulnerabilities at an early stage. This results in less stressful and less complex corrections and a reduction in the costs incurred.

Finally, integrating security into the delivery process also strengthens your security posture and allows more frequent deployments with fewer manual operations: 61% of organizations with a mature DevSecOps culture say they are able to deploy on demand, compared to 46% on average (see Puppet's 2019 State of DevOps report). By removing the security bottleneck, adopting a DevSecOps approach accelerates your product delivery as well as your security- and compliance-related transformations.

Conclusion

DevSecOps is a culture that sees collaboration between development, operations, and security teams as the foundation for efficient and robust product delivery.

Its implementation requires a change in culture, technology, and process. But it represents a step towards greater collaboration between project stakeholders and the use of automation to ensure that security practices are built into the product by default.

Along with better security for the product itself, a DevSecOps approach also allows for better cooperation, faster product delivery, and increased confidence in the overall security posture.
