DevSecOps is DevOps
October 07, 2019

Malcolm Isaacs
Micro Focus

The consequences of a software security breach can be crushing. Beyond violating legal and regulatory requirements that carry an enormous price for non-compliance, you have a responsibility to protect your customers and their data, as well as your own data and systems. If you don't take the right precautions, you are putting your customers, your business, and your reputation at risk.

Security vulnerabilities always exist, but they haven't always been adequately addressed by software delivery teams. The best way to prevent them is to test the software for potential weaknesses and fix those weaknesses before software is released. Until recently, security testing, if done at all, was an afterthought with little, if any, attention paid to the production environment.

DevOps and Security

Over the last few years, there has been a greater awareness of security among the DevOps community. Because DevOps strives to deliver value quickly to the customer, it has the potential to unintentionally introduce vulnerabilities quickly as well. This spurred DevOps teams to include security testing as part of continuous testing, increasing the sense of shared responsibility for security.

As the team members think about the software's design, they should consider the potential security weaknesses and vulnerabilities that the design might expose. DevOps teams should include security criteria for each user story and test it as part of their automated continuous testing cycles. As the software, its components, and its configuration make their way through the deployment pipeline, security tests continue to run, and if any vulnerabilities are detected at any stage, the team will be alerted and can fix the issue. When testing is continuous, the change that introduces a vulnerability will be readily identified and can be fixed quickly.

When the software is deployed, additional security tests are run, and the software in production is monitored for vulnerabilities resulting from configuration changes, software updates, and environment changes.

This concept of infusing security into the mindset and the processes of software delivery is often called "DevSecOps." Since developers, testers, and operations staff are all part of the same DevOps team, they must all take responsibility for their software's security, from design through development, and out into production.

How to Integrate Security into DevOps

Here are some practical steps that teams can take to introduce security into their DevOps pipelines, making them DevSecOps pipelines.

Train developers and testers on security

Your team needs security expertise, but most organizations don't have enough security staff to be part of each DevOps team. Train your developers and testers so that they are aware of security considerations, and understand how they should be approaching design, coding, code reviews, and testing from a security perspective. Encourage one or two members of the team to take on an enhanced role as a security champion within the team to ensure that security and regulatory compliance are always part of the conversation.

A security-conscious team should consider regular threat modeling sessions. Threat modeling involves thinking like a hacker. Enable your teams to proactively look for weaknesses in the design of an application and its components and think through how the components communicate with each other. This can be an effective way of uncovering architectural weaknesses during design.

Use automated security testing tools

Automated security tests run much more quickly than manual tests, and are consistent, repeatable and reliable, making them ideal for continuous testing. Two types of automated application security testing tools are commonly integrated into continuous testing processes: Static Application Security Testing (SAST) tools, which identify vulnerabilities in source code; and Dynamic Application Security Testing (DAST) tools, which look for vulnerabilities while the code runs in a testing environment.

However, be aware that both SAST and DAST can take a long time to run on a large application and can also generate large quantities of false positives that can distract you from identifying and analyzing more serious issues. To optimize your use of these tools in continuous testing, focus on areas of the code that have recently changed, and configure them correctly so that you don't waste your time on investigating false positives.
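One way to focus scanner output on recently changed code, as an added example that is not from the original article: parse a zero-context diff for the lines a change touched and keep only the findings that land on them. The sample diff, the findings and their field names are constructed for illustration, and the diff is assumed to come from `git diff -U0`.

```python
import re
from collections import defaultdict

# Constructed sample, in the shape of `git diff -U0 <base>...HEAD` output.
SAMPLE_DIFF = """\
diff --git a/app/login.py b/app/login.py
--- a/app/login.py
+++ b/app/login.py
@@ -10,0 +11,3 @@ def login(user, password):
+    row = lookup(user)
+    if row is None:
+        return None
@@ -40 +43 @@ def logout():
-    session.clear()
+    session.pop("user", None)
diff --git a/app/old.py b/app/old.py
deleted file mode 100644
--- a/app/old.py
+++ /dev/null
@@ -1,2 +0,0 @@
-import os
-print(os.getcwd())
"""

# Constructed scanner findings; the field names are assumptions.
SAMPLE_FINDINGS = [
    {"file": "app/login.py", "line": 12, "rule": "missing-rate-limit"},
    {"file": "app/login.py", "line": 30, "rule": "weak-hash"},
    {"file": "app/report.py", "line": 5, "rule": "path-traversal"},
]

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def changed_lines(diff_text):
    """Map each surviving file to the new-side line numbers the diff touched."""
    changed, path, body = defaultdict(set), None, 0
    for line in diff_text.splitlines():
        if body and not line.startswith("\\"):
            body -= 1  # inside a hunk body: with -U0 it holds only -/+ lines
        elif line.startswith("+++ "):
            path = None if line[4:] == "/dev/null" else line[4:].removeprefix("b/")
        elif m := HUNK.match(line):
            old_n, start, new_n = int(m[1] or 1), int(m[2]), int(m[3] or 1)
            body = old_n + new_n
            if path:  # deleted files have no new-side lines to scan
                changed[path].update(range(start, start + new_n))
    return dict(changed)

def findings_to_triage(findings, changed):
    """Keep only findings that fall on lines the change touched."""
    return [f for f in findings if f["line"] in changed.get(f["file"], ())]
```

On the sample, only the finding on line 12 of `app/login.py` is kept; the findings in untouched code are left out of this change's triage queue.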

Don't forget your production environment

The production system is where your code and data are most vulnerable. It's where real users — and real hackers — have access. This is where your heretofore undiscovered weaknesses will surface. Run security tests on the production system as you deploy updates and continue to test regularly in production just in case configurations have changed or the environment has been updated. However, keep in mind that running extensive security tests in production can slow your systems down, or even halt them, so plan to maximize the value you get while minimizing any potential for disruption. Consider using a Runtime Application Security Protection (RASP) solution as well, which will identify and block malicious accesses in real-time.

All DevOps Should Be DevSecOps

DevSecOps means thinking about security from the start and being proactive about security throughout the software delivery pipeline. Over the last few years, we've been seeing more awareness of security as part of DevOps, and we're getting to the point where it's inseparable. DevOps and DevSecOps are one and the same thing.

Whether you call it DevSecOps, or just plain DevOps, security must be a central component of your software delivery pipeline if you are to minimize risk to yourself, your business, and of course, your customers.

Malcolm Isaacs is Senior Solutions Manager, Application Delivery Management, at Micro Focus