Secure DevOps: What's in it for dev, sec and ops?

The growing demand for faster software delivery using the strategies of agile and DevOps, with technologies such as containers and the public cloud, has caused a rift between software production teams and security teams. Organizations are realizing that putting security reviews at the end of a production cycle is not effective, because that often causes security problems that could have been caught if security expertise had been involved from the design phase forward.

The best solution is to have security practices integrated into the entire software delivery cycle. But teams are still reluctant, fearing that these practices will just be sand in the gears, making them unable to meet business demand for DevOps-level speed. Security teams are also leery of trying to match pace with DevOps practices, since that would involve using more automation—and security tooling hasn't always been up to the task.

TechBeacon Learn's new Secure DevOps track will help your teams alleviate some of those fears by introducing the latest strategies for secure DevOps. This new philosophy provides a way for software teams to combine security and DevOps practices into one efficient software delivery process.

Introduction to Secure DevOps: Basics and benefits

What is DevSecOps?

Secure DevOps, also referred to as DevSecOps or Rugged DevOps by practitioners, applies the same battle-tested DevOps practices to security. Just as developers and operations needed to start collaborating with one another and understanding how their practices applied to the other side of the coin, security professionals also need to understand how their practices can be applied in the development and production stages. Developers and operations need to help facilitate this change by understanding more about what security teams do.

Here's how the DevSecOps Manifesto describes the underlying principles: 

Figure 1. DevSecOps manifesto principles

Security teams also need to apply another idea popularized by DevOps to their strategies—the idea of infrastructure as code (IaC). The DevSecOps manifesto says the key to integrating security processes into DevOps is security as code. Chris Romeo, the co-founder of Security Journey, discusses this concept further in the first unit of the secure DevOps track.

"Security as code refers to the building of security into the tools that exist in the DevOps pipeline," Romeo explains. "This means automation over manual processes. It means the use of static analysis tools that check the portions of code that have been changed, versus scanning the entire codebase."
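Romeo's point about checking only the changed portions of code is usually implemented as diff-aware filtering of scanner output. The following is an added example and not code from the course, TechBeacon or Security Journey: it parses a unified diff (constructed inline) into the line numbers each file gained, then keeps only the static-analysis findings (also constructed; the rule names are hypothetical) that land on those lines, so a CI gate reports what the change introduced rather than the whole codebase's backlog.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")  # captures new-file start line

def added_lines(diff_text):
    """Map each file in a unified diff to the set of line numbers the diff adds."""
    added, path, new_line = {}, None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            target = line[4:].strip()
            # "+++ b/app/db.py" -> "app/db.py"; "/dev/null" means the file was deleted
            path = None if target == "/dev/null" else target[2:] if target.startswith("b/") else target
        elif line.startswith(("--- ", "diff ", "index ")):
            continue  # old-file header and git metadata carry no line content
        elif HUNK_RE.match(line):
            new_line = int(HUNK_RE.match(line).group(1))
        elif path is None or line.startswith(("-", "\\")):
            continue  # removed lines and "\ No newline" markers do not advance the new file
        elif line.startswith("+"):
            added.setdefault(path, set()).add(new_line)
            new_line += 1
        else:
            new_line += 1  # unchanged context line
    return added

def new_findings(findings, added):
    """Keep only scanner findings that sit on a line this diff introduced."""
    return [f for f in findings if f["line"] in added.get(f["path"], ())]

# Constructed sample diff: the change rewrites one query line and adds a log call.
SAMPLE_DIFF = """\
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,4 @@ def lookup(user):
     conn = connect()
-    q = "SELECT * FROM users WHERE name = ?"
+    q = "SELECT * FROM users WHERE name = '" + user + "'"
+    log(q)
     return conn.execute(q)
"""

# Constructed scanner output: one finding on a new line, two on code the diff did not touch.
SAMPLE_FINDINGS = [
    {"path": "app/db.py", "line": 11, "rule": "sql-string-concat"},
    {"path": "app/db.py", "line": 3, "rule": "hardcoded-secret"},
    {"path": "app/util.py", "line": 7, "rule": "weak-hash"},
]

def run_sample():
    return new_findings(SAMPLE_FINDINGS, added_lines(SAMPLE_DIFF))
```

Only the `sql-string-concat` finding on line 11 survives; the pre-existing findings still belong in a backlog scan, but they should not fail the build for this change.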

Why it's worth it

Anders Wallgren, the CTO at Electric Cloud, covers the benefits of secure DevOps in the second unit. Speed is a key benefit in secure DevOps, but teams often think that there's a tradeoff between speed and security. That's not always the case. 

Judicious security automation helps teams maintain both speed and security, much like test automation helps teams maintain speed and quality. Once the automation itself has been tested, automated security testing makes security checks more consistent and predictable, and less prone to human error.

The leftward shift of security practices toward the design phase is another key benefit, Wallgren explains. There's no bigger sigh of relief than when you catch what could have been a major security hole at the design or development phase of a new feature. That's what secure DevOps tooling strategies provide.

Wallgren describes even more secure DevOps benefits in his unit.

What developers should do

Developers hold most of the keys to supporting the integration of security into DevOps. The No. 1 priority for developers involved in a secure DevOps transformation should be self-education (or hiring more security-knowledgeable developers). Application security skills are not as prevalent in the software engineering field as they should be. Because of this, Colin Domoney, in "Secure DevOps basics: A guide for developers," stresses that training security champions among your development team is essential—as is fostering a security education culture among your developers.

What operations should do

What does the ops side of DevOps need to do when asked to help facilitate the secure DevOps transformation? Robert Lemos, in "Secure DevOps basics: A guide for IT Ops," says operations pros need to take inventory of their environments and put every piece—especially network configurations—through the automatic and manual security checks that security teams and operations build together. New technologies or processes might be necessary to make operations more consistent, reproducible, and secure.

What security should do

Finally, security professionals should see DevOps as an opportunity, not another challenge. Jaikumar Vijayan, the author of "Secure DevOps basics: A guide for security professionals," says this is where security teams need to lean in and collaborate with developers and operations to get their security reviews and automated tests moved to earlier points along the software delivery lifecycle. Build a sandbox, he suggests, and run a creative array of tests, built by collaborating with dev and ops. Security teams have to focus on making security practices easy for the other two groups. If they do that, fixing problems will be easier for everyone involved.

Bringing it all together

Pete Chestna, the director of developer engagement at Veracode, puts it all together by boiling down secure DevOps transformation to five key steps. Successful teams engage in automated software testing, integrate security early to fail quickly, avoid generating false alarms, appoint security champions within teams, and maintain operational visibility at all times.
