Section 1
What Is DevSecOps?
DevSecOps is an approach to IT security based on the principles of DevOps. The exact formulation is still emerging, but we think it’s useful to capture emerging practices for achieving security while building applications and APIs without disrupting high speed software pipelines.
- DevSecOps Is Full Stack: DevSecOps spans the entire IT stack, and includes network, host, container, server, cloud, mobile, and application security. Increasingly, all of these layers are turning into software, which makes application security a critical focus for DevSecOps.
- DevSecOps Is Full SLC: DevSecOps also spans the full software lifecycle, including development and operations. In development, the focus is on identifying and preventing vulnerabilities, while in operations, monitoring and defending applications are the goals.
Can you apply DevSecOps practices and tools to non-DevOps projects? Absolutely. The ideas in this document are applicable to almost any software project. If your goal is to produce highly secure software in the most cost-effective way possible, then DevSecOps is the path forward.
Gartner has named DevSecOps one of their fastest-growing areas of interest and predicts that DevSecOps will be embedded into 80 percent of rapid development teams by 2021. Organizations practicing DevSecOps have shown impressive results. These early adopters are 2.6x more likely to have security testing keep up with frequent application updates and show a 2x reduction in time to fix vulnerabilities.1
Understanding the different types of security work and their value to your organization is critical to successful DevSecOps initiatives. Until you truly understand the work, it’s going to be difficult to deliver it effectively. You can learn more about this topic and DevOps in general by reading books like The Phoenix Project and The DevOps Handbook.
This is a preview of the Introduction to DevSecOps Refcard. To read the entire Refcard, please download the PDF from the link above.
Section 2
Key DevSecOps Themes
Every DevSecOps program is a little bit different. It’s best to view DevSecOps as a journey. As you progress, you may find that different teams are at different points along the path. The themes below aren’t specific activities. Instead, they are guideposts that you can use to help make decisions along your journey.
Empowering Engineering Teams |
Development and operations are empowered to deliver secure applications into production themselves. Security experts provide support as coaches and toolsmiths, but do not have primary responsibility for security. Make sure that tools and processes are designed for developers and operations, not security experts. This would share the expertise between all members of a team. |
Making Security Visible |
In many organizations, security work is hidden, unknown, and untracked. In the end, the value of security is often not easy to understand. In DevSecOps, we make small security tasks that can be tracked, tasked, and measured like any other type of work. Additionally, security becomes part of day-to-day responsibilities, allowing security to be transparent to everyone. |
Shift Left |
From developers to DevOps engineers, everyone is involved in security. Shifting security “left” means that security activities start during development and extend throughout the SDLC, with continuous feedback at every stage from development to production. |
Security as Code |
Like Continuous Integration and Continuous Deployment, continuous security means that you respond to continuous threats with security activities that are performed continuously, as part of the development and operations process, and integrated into the tools team members are already using. Security as code is the key to automating security operations, which leads to an end-to-end process for security practices. |
Continuous Security |
To address continuous threats, security activities are performed continuously as part of the development and operations process and integrated into the tools team members are already using. |
Continuous Monitoring |
When development is complete, monitoring begins; we need to constantly track the behavior of our applications to detect anomalies and possible attacks. This gives insight into the security of the application and provides feedback for the development team. |
Prevent and Protect |
We will never produce perfect code. Nor will we ever detect or stop all attackers. Therefore, the best security strategies involve a balance of secure coding during development (DevSec) and runtime protection during operations (SecOps). |
This is a preview of the Introduction to DevSecOps Refcard. To read the entire Refcard, please download the PDF from the link above.
Section 3
Getting Started With DevSecOps
Traditionally, security has been performed as a series of massive tasks spanning all risks. For example, writing comprehensive security requirements, designing a comprehensive security architecture, performing a comprehensive security test, etc. But agility requires a risk-based approach. To accomplish security work in a DevOps organization, we can prioritize our security tasks and break them into small pieces for implementation.
In this diagram, we show how security fits into the normal DevOps development cycle at a very high level. Notice that these security augmentations are designed to fit naturally into the process. No extra steps, no gates, no delays. Instead, we will cycle quickly on small security tasks that are structured to be delivered by the development and operations teams using the tools they already use. We will explore these core practices in detail later.
This is a preview of the Introduction to DevSecOps Refcard. To read the entire Refcard, please download the PDF from the link above.
Section 4
DevSecOps Core Practices
DevSecOps takes a very agile approach to security, breaking down massive security tasks into incremental improvements that are performed as normal development tasks. These small batches of work include continuous verification so that security builds over time instead of repeatedly starting over from scratch.
DevSecOps brings a culture of “security for everyone” to teams. Everyone has a significant role to play in security at their organization. Security specialists are critical in this by mentoring, advising, and leading teams to ensure quality and security.
Once we’ve identified the next security challenge, our normal engineering process can execute on the improvement. In this section, we explore four core practices to any DevSecOps initiative. Of course, your DevSecOps process might be considerably more complex. See the next section for more ideas or add your own practices to this basic cycle.
This is a preview of the Introduction to DevSecOps Refcard. To read the entire Refcard, please download the PDF from the link above.
Section 5
DevSecOps Additional Practices
There are additional sets of security challenges that emerge when an enterprise has hundreds or thousands of applications in its portfolio. Doing security at this scale is far beyond what a small dedicated security team can accomplish. DevSecOps is a technique for distributing this work effectively across development and operations.
It’s worth noting that in most organizations, only a small percentage of projects are very far along in their DevOps journey. So, managing the transition to DevSecOps across an entire application portfolio is a key part of the challenge.
This is a preview of the Introduction to DevSecOps Refcard. To read the entire Refcard, please download the PDF from the link above.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}