May 07 2021

What Is DevSecOps, and How Can It Improve Your Security?

Combining security, development and operations into a single discipline could help your business catch potential security risks before they get out of hand.

It can sometimes feel like security threatens new initiatives before they can get off the ground.

But what if security was baked into your culture and your development process? That’s the idea behind DevSecOps, an extension of the DevOps approach to software development that could help tackle security issues holistically, rather than tacking them on after the fact.

Here’s how your organization could benefit from DevSecOps, and what challenges it might run into along the way.

What Is DevSecOps?

DevSecOps is a discipline that integrates security practices into a DevOps approach — that is, development, security and operations combined in one continuous process.

Essentially, this means that, along with the continuous delivery and integration processes that drive DevOps, a quality-driven security approach is included throughout.

While DevOps has matured into an established practice over the past decade, DevSecOps is a more recent evolution that reflects current practice in security management, with a focus on fast response and continuous testing.

A term often used to describe DevSecOps is “shifting left”: the idea that quality assurance and security testing need to happen earlier in the process. The metaphor comes from the “waterfall” style of software development, whose phases are usually drawn left to right as a timeline, with testing and security review sitting near the right-hand end, just before release.

And, of course, there are a lot of good reasons for building a program with security near the start of the process. After all, it’s much harder to clean up after a vulnerability has reached production than to prevent it from getting there in the first place.

What Are the Benefits of DevSecOps?

The advantages of DevSecOps are best reflected in what the discipline can help businesses avoid in the software development process.

In a 2015 blog post, Donald Firesmith, a researcher at Carnegie Mellon’s Software Engineering Institute, described the risks of testing security in a traditional waterfall-style development process, in which each phase is handled separately. With this approach, testers are often brought in late, when the software is close to completion: defects are harder to debug, there is less time to fix them, and it becomes more likely that end users, rather than in-house developers, will be the ones to find those bugs.

“For decades, it has been well known that defects are more difficult and expensive to fix the later they are found in the lifecycle,” Firesmith wrote. “This phenomenon is one reason why treating testing as a sequential phase at the end of waterfall development has long been viewed as a major pitfall of system and software testing.”


By building a process in which testing is conducted throughout, security becomes part of the process rather than something bolted on at the end. According to Google Cloud Solutions Architect Drew Stevens and Enterprise Modernization Architect Mike Ensor, the biggest benefit of DevSecOps is that it encourages secure practices throughout the development process:

“Introducing security evaluation and practices earlier in the development cycle improves software quality and system health, and avoids expensive security fixes that can result if vulnerabilities are found later in the cycle. The core benefit of shifting left is to fail fast and remove security and quality defects as soon as they arise.”

DevSecOps vs. DevOps: What’s the Difference?

DevSecOps and DevOps are closely related, with the continuous integration/continuous delivery (CI/CD) pipeline tightly tied to both processes, but they diverge in significant ways with the addition of security.

Stevens and Ensor note that the shift-left approach has equivalents elsewhere in the DevOps cycle, but it carries special significance in a security context: “DevOps methodologies encourage development, quality and operations teams to collaborate on testing code and deployment mechanisms as early in the cycle as possible. DevSecOps applies the same principle of shifting left by incorporating security testing and vulnerability detection into the development lifecycle rather than waiting to audit after development and testing have concluded.”

There are other benefits to this additional velocity from a security standpoint. As noted in the IBM Cloud Learn Hub, the rapid pace at which security vulnerabilities are often exposed means that the additional speed of a DevSecOps approach comes in handy in terms of patching and testing for these issues: “As DevSecOps integrates vulnerability scanning and patching into the release cycle, the ability to identify and patch common vulnerabilities and exposures (CVE) is diminished. This limits the window a threat actor has to take advantage of vulnerabilities in public-facing production systems.”

What Is Red Teaming vs. Blue Teaming in Cybersecurity?

Blue team security is the defensive side of security work. For a good analogy, consider the sport of football, in which the defense builds strategies to stop the offense from breaking through and scoring a touchdown.

The red team represents the offense. Of course, when a real adversary rather than a friendly red team makes it through to the goal, the costs are far more significant than a few points on the board. That is why both testing and fortification matter from an information security standpoint.

While each approach has its place, a 2019 study conducted during the Black Hat USA security conference found that 68 percent of respondents felt that red team exercises were more effective than blue team exercises.

Nonetheless, there is usually room for both approaches in an organization. Exercises in which the red and blue teams work together, sharing findings as the engagement unfolds, are often referred to as “purple team” exercises. According to the Black Hat study, more than 60 percent of respondents say the blue team catches the red team occasionally or often.


How to Implement a DevSecOps Model

The good news about DevSecOps is that it has potential for improving security in the long term. The bad news is that it carries a reputation of being difficult to implement. Just like DevOps, DevSecOps comes with significant cultural considerations that must be worked out as the process is being built. It also requires a consistent, repeatable approach that the organization can use to manage security concerns operationally.

Google Cloud’s Ensor and Stevens, who recently wrote a white paper on shifting left as it relates to security, noted that the general concept of software security pipelines involves a number of basic factors, including building a strong chain of trust through a consistent software supply chain; continual code assessments; and a strong, automation-driven process.

“In CI/CD pipelines, best practices indicate that security should be implemented using fail-fast policies,” they explained. “For example, you can configure your policies to identify and stop a build for any discovered vulnerabilities, exposures or violations before the artifact can be deployed.”
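What such a fail-fast policy looks like in practice, as an added example that is not code from the article, from Google Cloud or from any particular scanner: a release gate that reads a dependency-scan report, blocks the build on findings at or above a severity threshold unless a documented, time-boxed exception covers them, and refuses to promote an artifact whose digest differs from the one the scanner examined (a minimal version of the chain of trust mentioned above). The report shape, the policy schema, the `VULN-000x` identifiers and the sample artifact are all constructed for illustration.

```python
"""Fail-fast release gate for a CI/CD pipeline (added example; constructed data).

Given a dependency-scan report and the artifact handed to the deploy stage,
return a pass/fail verdict with one reason per blocking issue. The report
format, finding IDs, and policy schema are assumptions for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib

# Severity ordering assumed by the gate; real scanners differ in their labels.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Policy:
    fail_at: str = "HIGH"                     # block at this severity and above
    # finding id -> ISO expiry date of a documented, time-boxed risk acceptance
    exceptions: dict = field(default_factory=dict)


@dataclass
class Verdict:
    passed: bool
    reasons: list


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(report: dict, artifact: bytes, policy: Policy, today: str) -> Verdict:
    """Apply the policy to the scan report and to the artifact about to be deployed."""
    reasons = []
    threshold = SEVERITY_RANK[policy.fail_at.upper()]
    today_d = date.fromisoformat(today)

    for f in report["findings"]:
        sev = f["severity"].upper()
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue                          # below the policy line: report, don't block
        expiry = policy.exceptions.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today_d:
            continue                          # accepted risk, still inside its time box
        fix = f" (fixed in {f['fixed_in']})" if f.get("fixed_in") else " (no fix available)"
        expired = ", exception expired" if expiry is not None else ""
        reasons.append(f"{f['id']} {sev} in {f['package']}@{f['version']}{fix}{expired}")

    # Chain of trust: deploy exactly the bytes the scanner examined, nothing else.
    digest = sha256_hex(artifact)
    if digest != report["artifact_sha256"]:
        reasons.append(f"artifact digest {digest[:12]}... does not match scanned "
                       f"artifact {report['artifact_sha256'][:12]}...")
    return Verdict(passed=not reasons, reasons=reasons)


# Constructed sample data: a release bundle and the report a scanner might emit for it.
ARTIFACT = b"example-service 1.4.2 release bundle"
SAMPLE_REPORT = {
    "artifact_sha256": sha256_hex(ARTIFACT),
    "findings": [
        {"id": "VULN-0001", "package": "libexample", "version": "2.1.0",
         "severity": "CRITICAL", "fixed_in": "2.1.3"},
        {"id": "VULN-0002", "package": "parserlib", "version": "0.9.1",
         "severity": "HIGH", "fixed_in": None},
        {"id": "VULN-0003", "package": "utilkit", "version": "3.0.0",
         "severity": "MEDIUM", "fixed_in": "3.0.1"},
    ],
}

if __name__ == "__main__":
    import sys
    verdict = evaluate(SAMPLE_REPORT, ARTIFACT, Policy(fail_at="HIGH"), "2021-05-07")
    for reason in verdict.reasons:
        print("BLOCK:", reason)
    sys.exit(0 if verdict.passed else 1)   # non-zero exit stops the pipeline stage
```

Run as a pipeline step, the script exits non-zero and prints one line per blocking finding, so the build stops before the artifact is promoted. Two design choices carry the security weight: exceptions expire, so an accepted risk has to be consciously renewed rather than silently persisting, and the deploy stage checks that the bytes it is about to ship are the bytes that were scanned, which closes the gap between "we scanned an artifact" and "we deployed that artifact".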

By building out an effective program that can properly manage these concerns — perhaps with the help of a partner like CDW Amplified™ Services — you can stay ahead of security issues, rather than simply reacting to them.
