
The Transformation From Waterfall to DevOps to DevSecOps and Continuous Security


Learn how Waterfall became Agile, and how culture shifts and the need for security led to DevOps and DevSecOps.

· DevOps Zone ·

The Waterfall model dates back to 1956: the process was planned up front and fixed in advance, with a distinct phase for every step. Everything was predictable, and everything was slow.

Organizations developing web applications were siloed, each team with its own priorities and processes. A common scenario: development teams worked to their own timelines, quality assurance was busy testing a different application, and operations had not been given enough notice to build out the required infrastructure. Security, meanwhile, felt it was not taken seriously at all. Fixing a bug introduced early in the application lifecycle was painful because testing was scheduled much later in the process. Often the end product no longer addressed the business's needs, either because the requirements had changed or because the need for the product itself had come and gone.

The 2001 Agile Manifesto

Finally, after some forty-five years of this inadequacy, the Agile Manifesto emerged. This transformative model advocated adaptive planning, evolutionary development, early delivery and continuous improvement, and encouraged rapid and flexible response to change. Agile adoption sped up software development by embracing smaller release cycles and cross-functional teams, which gave stakeholders the ability to steer and course-correct projects much earlier in the cycle. Applications began going to market on time, which meant they addressed immediate business needs.

The DevOps Culture Shift

With development and testing teams now more agile, operations teams became the bottleneck. The remedy was to bring agile practices to operations and infrastructure, resulting in DevOps. The DevOps culture brought together all the stakeholders and participants involved in building and deploying software faster. Operations teams began building automated infrastructure, enabling developers to move significantly faster. DevOps eventually led to Continuous Integration/Continuous Delivery (CI/CD), rooting the application development process in an automated toolchain. To give a sense of the scale of this shift, organizations went from deploying a production application once a year to deploying production changes hundreds of times a day.

Security as an Afterthought for DevOps

Even though DevOps automated many processes, key functions such as security were largely left out. Security is a substantial piece that is typically not automated, yet it is increasingly critical to an organization's very survival, and it is undoubtedly one of the most challenging parts of application development. Standard testing does not always catch software vulnerabilities, and security professionals are often woken at two or three in the morning to fix that critical SQL injection vulnerability. Security is often perceived as being behind the times, and more commonly it is blamed for stalling the pace of development: teams feel that security is a barrier to continuous deployment because its manual testing and configuration halt automated deployments.

As the Puppet State of DevOps report aptly states: "All too often, we tack on security testing at the end of the delivery process. This typically means we discover significant problems, that are very expensive and painful to fix once development is complete, which could have been avoided altogether if security experts had worked with delivery teams throughout the delivery process."

The Debut of DevSecOps

The next step in this evolution was incorporating security into the process: DevSecOps. DevSecOps brings security into the CI/CD process, replacing manual testing and configuration with automated checks and so enabling continuous deployment. Organizations moving toward DevSecOps are encouraged to make substantial changes to be successful, because instilling security into DevOps demands both cultural and technological change. Security teams need to be included in the development lifecycle from the very start, from planning through every subsequent step. Working closely with development, testing and quality assurance teams, security can discover security risks and software vulnerabilities early and mitigate them. Culturally, security must become accustomed to rapid change and to adopting new methods that enable continuous deployment. The goal is a balance that yields deployments that are both rapid and secure.

The Key Is Security Automation

Removing manual testing and configuration is a critical step toward DevSecOps. Security should be automated and driven by testing: security teams should build automated tests and integrate them into the overall CI/CD chain. Depending on the application, some testing will still be manual, but the bulk of it can and should be automated, especially the tests that ensure an application satisfies a defined security baseline. Security should be a priority from development through pre-production, and it should be automated, repeatable and consistent. Done correctly, responding to security vulnerabilities becomes far simpler at each step, which in turn reduces the time taken to fix and mitigate flaws.
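What "a defined security baseline enforced by the pipeline" looks like in practice is a gate step that consumes scanner output and fails the build on its own. The script below is an added example, not code from the article or from any particular scanner: the finding schema, the baseline policy (a blocking severity, a cap on open medium findings, and accepted risks that carry an expiry date) and the sample findings are all constructed for illustration. The one design point worth copying is that accepted risks expire, so a "temporary" exception cannot quietly become permanent, and an unknown severity fails closed rather than slipping through.

```python
"""Automated security gate for a CI/CD pipeline.

Added example; this is not code from the original article. It applies a
defined security baseline to scanner findings and returns a verdict the
pipeline can act on (a non-zero exit fails the build). The finding schema,
the baseline policy and the sample findings below are constructed for
illustration; map them onto your own scanner's output.
"""
import sys
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    rule_id: str    # scanner rule or CWE identifier
    severity: str   # low | medium | high | critical
    location: str   # file:line, or component@version for dependency findings


@dataclass
class Baseline:
    fail_at: str = "high"                    # block at this severity or above
    # Accepted risks: rule_id -> expiry date. Acceptances must expire so that
    # "temporary" exceptions cannot silently become permanent.
    accepted: Dict[str, date] = field(default_factory=dict)
    max_open_medium: int = 10                # cap on unresolved medium findings


@dataclass
class Verdict:
    passed: bool
    blocking: List[Finding]
    expired_acceptances: List[str]
    open_medium: int


def evaluate(findings: List[Finding], baseline: Baseline, today: date) -> Verdict:
    """Apply the baseline to a list of findings and decide pass/fail."""
    threshold = SEVERITY_RANK[baseline.fail_at]
    blocking: List[Finding] = []
    expired: List[str] = []
    open_medium = 0
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            # Unknown severity: fail closed rather than silently passing it.
            blocking.append(f)
            continue
        expiry = baseline.accepted.get(f.rule_id)
        if expiry is not None:
            if today <= expiry:
                continue                  # accepted risk, still within its review window
            expired.append(f.rule_id)     # stale acceptance: treat as unaccepted
        if rank >= threshold:
            blocking.append(f)
        elif rank == SEVERITY_RANK["medium"]:
            open_medium += 1
    passed = not blocking and open_medium <= baseline.max_open_medium
    return Verdict(passed, blocking, expired, open_medium)


def format_report(v: Verdict) -> str:
    """Human-readable summary for the CI job log."""
    lines = [f"security gate: {'PASS' if v.passed else 'FAIL'}"]
    for f in v.blocking:
        lines.append(f"  BLOCKING {f.severity.upper():8} {f.rule_id} at {f.location}")
    for rule in v.expired_acceptances:
        lines.append(f"  EXPIRED acceptance for {rule}; re-review required")
    lines.append(f"  open medium findings: {v.open_medium}")
    return "\n".join(lines)


# Constructed sample scanner output (not from any real scan).
SAMPLE_FINDINGS = [
    Finding("CWE-89", "critical", "app/db.py:42"),       # SQL injection
    Finding("CWE-79", "medium", "app/views.py:17"),      # cross-site scripting
    Finding("CWE-798", "high", "app/settings.py:3"),     # hard-coded credential
    Finding("DEP-0001", "low", "requests@2.25.0"),       # hypothetical dependency advisory
]

# Constructed baseline: CWE-798 has a valid acceptance, CWE-89's has lapsed.
SAMPLE_BASELINE = Baseline(
    fail_at="high",
    accepted={"CWE-798": date(2030, 1, 1), "CWE-89": date(2020, 1, 1)},
)

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_FINDINGS, SAMPLE_BASELINE, date.today())
    print(format_report(verdict))
    sys.exit(0 if verdict.passed else 1)
```

Run as a pipeline step after the scanner, the script exits non-zero on the sample data because the acceptance for the critical SQL injection finding has expired; renew or remediate and the same run passes. Feeding it the real scanner's JSON is a matter of building `Finding` objects from that output.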

Continuous Security After Deployment

Continuous security should not stop once applications are deployed. Continuous monitoring and incident response processes should be incorporated as well: automated monitoring and the ability to respond rapidly to events are fundamental to achieving DevSecOps. Security is more important today than it has ever been. History has shown that a security breach or incident can be extremely damaging to customers, end users and the organization itself. With more services going online and hosted in the cloud or elsewhere, the threat landscape is growing rapidly, and every additional piece of software developed and released inherently adds more security flaws and more attack surface. Introducing security testing and configuration into the daily workflow, and ensuring vulnerabilities are fixed well before production, is critical to the success of any product and business today.
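Monitoring only becomes "continuous" when the first pass over production telemetry is itself automated. As an added example (not code from the article), the script below runs two detections over constructed web access-log lines: it URL-decodes each request path and matches it against SQL injection signatures, and it keeps a sliding window of login failures per source IP to flag brute-force attempts. The log lines, the five-failures-in-five-minutes threshold and the injection signatures are assumptions for illustration; the structure (decode before matching, window per source, treat unparseable lines as an event in their own right) is what carries over to a real deployment.

```python
"""Continuous monitoring after deployment: a detection pass over web access logs.

Added example; this is not code from the original article. It parses nginx/
Apache "combined"-style access log lines, URL-decodes the request path to
look for SQL injection probes, and flags source IPs that accumulate many
login failures inside a sliding time window. The log lines, thresholds and
patterns are constructed for illustration and should be tuned per application.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Crude but useful signatures; run them on the *decoded* path so that
# percent-encoding does not hide the payload.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.+\bselect\b", re.I),
    re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I),       # ' OR '1'='1 , ' or 1=1
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),  # time-based probes
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked queries
]

Alert = Tuple[str, str, str]   # (kind, source ip, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def is_sqli(decoded_path: str) -> bool:
    return any(p.search(decoded_path) for p in SQLI_PATTERNS)


def detect(lines, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_flagged = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Lines that do not parse deserve attention too: they can indicate
            # log injection or a broken pipeline, either of which blinds monitoring.
            alerts.append(("unparsed_line", "-", line[:80]))
            continue
        if is_sqli(rec["decoded_path"]):
            alerts.append(("sqli_probe", rec["ip"], rec["decoded_path"]))
        if rec["path"].startswith("/login") and rec["status"] in (401, 403):
            q = failures[rec["ip"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= fail_threshold and rec["ip"] not in already_flagged:
                already_flagged.add(rec["ip"])   # alert once per source, not per request
                alerts.append(("auth_bruteforce", rec["ip"],
                               f"{len(q)} login failures within {window}"))
    return alerts


# Constructed sample log (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.10 - - [10/Oct/2023:13:55:45 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.10 - - [10/Oct/2023:13:55:50 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.10 - - [10/Oct/2023:13:55:55 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.10 - - [10/Oct/2023:13:56:00 +0000] "POST /login HTTP/1.1" 401 128
203.0.113.10 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 401 128
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /products?id=42 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:57:04 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:57:09 +0000] "GET /search?q=x%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 0
192.0.2.5 - - [10/Oct/2023:13:58:00 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.5 - - [10/Oct/2023:13:58:30 +0000] "POST /login HTTP/1.1" 401 128
192.0.2.5 - - [10/Oct/2023:13:59:00 +0000] "GET /static/app.js HTTP/1.1" 200 9001
this line is not in combined log format
"""

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:16} {ip:14} {detail}")
```

On the sample, the brute-force alert fires once when 203.0.113.10 reaches five failures, both injection probes from 198.51.100.7 are reported with their decoded payloads, the two failures from 192.0.2.5 stay under the threshold, and the malformed trailing line is surfaced rather than dropped. In a real pipeline each alert would be handed to the incident response tooling instead of printed.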
