An overview of DevSecOps
1. An overview of DevSecOps
Imagine a situation where you spend months on a cloud security team creating an app. The team finishes developing the code and sends the app to the operations team, who release it soon after. The app is well-received by its users, who highly rate its security features. This situation might appear too good to be true. But, with the introduction of DevSecOps, this scenario can be a reality. DevSecOps is a culture that consists of guidelines, best practices, and tools that development, operation, and security teams use to collaborate. DevSecOps has become an integral part of the software development lifecycle. The software development lifecycle is a process for developing, testing, and monitoring software. Security was not always a key component in the framework. DevSecOps actually began as just DevOps, but security was added as a component because of several problems in the original framework. To understand how the addition of security helps to resolve problems, you'll need to know the history of the framework and its impact in the tech workspace. The term DevOps consists of two terms: Dev, which refers to the development team, and ops, which refers to the operations team. Prior to the popularization of this framework, each team was a separate entity. The dev team built the given application or software. And the ops team managed the infrastructure, deployed the finished product, and monitored the release. The DevOps team would perform security checks as the final step before deployment, leaving security as an afterthought instead of an integral part of the development process. This separate workflow caused several problems. Many teams reported to different leadership, resulting in members of those teams receiving varying direction and priorities. This separation resulted in separate, and even competing objectives. Additionally, these teams usually worked in isolation, with little interaction between them. The combination of conflicting priorities and sparse communication resulted in software releases that contained a lot of issues. Across the industry, people working on different teams became frustrated with the disconnected workflow. In the early 2000s, professionals from both sides took to online forums and even met in person to resolve the issues in the industry. This collaboration helped to create and bring unity to the DevOps framework. Today, communication, collaboration, and shared responsibilities are the core of DevOps culture. Across teams, every person is accountable for their contributions in the development process. Fast feedback is a cornerstone of improved communication. Receiving timely feedback allows developers to implement revisions and quickly roll out updates to users. Improved collaboration means the ops team is more involved throughout the development process, enabling them to advocate for the end user’s needs earlier in the cycle. Likewise, the dev team monitors the product through its release, instead of merely passing it off to ops and moving on to the next project. This infinity loop is commonly used to illustrate the collaboration between development and operations. There is no end to the loop. The software is continuously monitored, tested, and released. While the improved collaboration within DevOps solved several of the issues that appeared throughout the development lifecycle, there was still one important gap: security. Going back to my earlier explanation, historically, the DevOps team would perform security checks at the last software development lifecycle stage. When working with security in the DevOps framework, security checks became very frequent, with every update and release. But, with saving security as a final check, the process slowed down causing bottlenecks. DevOps practitioners realized they needed a solution to make security more of a streamlined process. DevSecOps emerged as the solution, where development, operations, and security teams collaborate at the very beginning and throughout the development process. With DevSecOps, security teams implement automated security tests from the start of the project, which means the operations team releases applications even faster. DevSecOps culture also reinforces the security concept of shifting left. To shift left means security checks and practices are implemented at the beginning and throughout each phase of the software development lifecycle. Using the same infinity loop illustration, you’ll notice that the addition of security to dev and ops strengthens the entire cycle. Shifting left with security involves a variety of shifting left practices that might include code analysis, change and compliance management, threat modeling, and security training. Additionally, automated security testing is conducted throughout the software development lifecycle to monitor for threats and vulnerabilities. With your current understanding of DevSecOps, you now know one of the common workflows of software development. Additionally, you can apply a security mindset to improve the process among development, operations, and security teams. Now you know how to use the framework to build an app with your cloud security team and reel in those high user ratings.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.