The DevOps approach has helped to make development processes faster and more efficient for years now. However, with DevOps, cyber security was often an afterthought – enter DevSecOps, an approach that helps to bring security into the development process from the very first moment.
“Before moving to the DevOps model, developers were often secluded in one room, the business side in another room, and the system administrators, who had to keep the system running for years, were in a third,” said Jack Malinowski, CTO of Uptime Development. “DevOps brought those roles together, seated at the same table, opening the doors to agile development, constant testing, and a significantly more effective process.”
“While the process was improved, security issues were often left out of the daily agenda and were handled during testing or when a development phase was complete and ready to be shared with the customer. The DevSecOps approach helps to change this – it’s a methodology, but also a way of thinking and developing,” said Malinowski.
DevSecOps in the technical view
Malinowski explained that in the technical view, DevSecOps entails a lot more automation than the regular development processes. Because of that, people use tools and software that can find potential security vulnerabilities even in the first stages of development.
“Constant testing is a part of agile development. However, new approaches add additional testing and specific tools to the processes to ensure security. Those additions aim to bring to light any security vulnerabilities as early as possible. For example, there are tools that can read code to find common vulnerabilities, in order to prevent further development adding to an already faulty setup,” said Malinowski.
In addition to that, DevSecOops highlights the importance of code reviews. “Code review is one of the best ways of finding potential issues. Instead of giving the whole repository to a tester to read through at the end of the development cycle, putting additional focus on security vulnerabilities within the code review process, issues will be found faster with greater results,” he said.
This does not mean that security vulnerabilities are not found in the regular DevOps development model. It is rather a change in the way of thinking.
DevSecOps as a way of thinking
Malinowski explained that security vulnerabilities can be found in every stage of the development process, with every development model, and methodology. DevSecOps just brings security to the forefront and puts it on the initial list that is thought about.
“With DevSecOps, finding security vulnerabilities starts with preliminary analysis. Analysts, project managers, architects, designers, developers, and anyone else that is involved, all think about potential security risks at every point. They assess, if and how their choices could affect the final product,” he said. “This means that in a perfect world, all security vulnerabilities have already been thought about and the issues have been solved even before coding starts. If that is not possible, then at least developers know from the start which risks they need to keep in mind and mitigate.”
“In a DevSecOps environment, it is important that people working in it really care about security. Therefore, all parties involved must be up-to-date with the ongoings of the cyber security world. They need to know the risks, which errors others have made, and where the risks or danger comes from,” said Malinowski. “In addition, from the company’s perspective, it is very important that their employees have access to the best available tools, the most up-to-date approaches, and that they have the infrastructure in place that helps to deploy a security-first approach.”
Unavoidable in the modern world
Cyber security has gotten more and more attention in recent years. It has become clear to everyone that this is not an area where you could cut costs. This does not mean, however, that paying more attention to security adds a noticeable cost to any development.
“It’s clear that any additional hour working on something means an hour not doing something else, or an extra item on an invoice. If you look at the bigger picture though, you will find that as with the agile development approach as a whole, DevSecOps helps to make the entire development process more efficient,” said Malinowski.
He pointed out that the motto of DevSecOps is “Software, Safer, Sooner”, which helps to explain the effectiveness of the approach quite well.
“As security is considered throughout the development process, the risk of finding a critical security vulnerability in the final stretch of the process is minimal. This also means that it almost rules out situations where major changes are needed at the final stages of development to mitigate some security vulnerability,” said Malinowski.
“In a perfect world, no security flaws would end up in the final product even with the regular DevOps approach, but in the end, the human factor always comes into play. DevSecOps tries to minimize the risk. In short, that means that the customer gets a more secure product that will help to keep down the development time in the long run,” he added.