WavebreakmediaMicro - Fotolia
As its name suggests, DevSecOps is DevOps with security mixed right in. DevSecOps views "security as code," and is a process by which security concerns are considered from the start instead of applied after the fact. It pulls in the information security team along with IT operations to work with the application development team. With all three teams collaborating, it’s easier to integrate security controls into the deployment pipeline, which can reduce delays and the issues that result when an enterprise treats security as a separate and disparate element, siloed from the development process. And with the automation that cloud computing provides, companies can grow more efficient with fewer delays and downtime caused by security flaws.
As with DevOps, DevSecOps requires a shift in company culture in order for it to really work. If a company is already considering adopting a DevOps approach that requires a change in culture along with a shift in team structure and tools, it would do well to consider taking the extra step of folding the information security team into the mix and implementing DevSecOps. Why leave security out of it when DevOps requires the same organizational shift as DevSecOps?
In his paper, "The DevSecOps Approach to Securing Your Code and Your Cloud," Dave Shackleford, owner of Voodoo Security, states that implementing DevSecOps requires "planning in the form of threat models and risk assessments." Threat-model exercises can help security teams identify a likely threat vector along with how a company’s cloud assets will be protected. Risk assessments then help security teams figure out which security controls are currently being used and which need to be changed or replaced to protect a company’s cloud assets. "It is almost a guarantee that some security controls won’t operate the way they did in-house or won’t be available in a cloud service provider’s environment," writes Shackleford. So it’s important to have security specialists on site to head off any issues that might arise down the road.
Threat models and risk assessments are needed in a continual development cycle that includes security concerns. The traditional staging area is often lost in the journey to DevOps, so these planning and review exercises must take place alongside the production environment.
Baking security into DevOps may sound like an extra step that will slow the pace of development -- just another cook in the kitchen -- but if implemented effectively with the correct controls, DevSecOps can result in greater efficiency and better, more secure products at the end of the production line. After all, what’s the point in adopting a DevOps approach that spits out software with security flaws? With DevSecOps, software development can become truly continuous, where stakeholders from the development, operations, and security teams vet results.