Let's start with the basics. Traditionally, software was built under the Software Development Life Cycle (SDLC), a structured approach to developing quality software that meets customer requirements. As the pace of business increased, the industry moved to Agile, a variant of the SDLC that develops software in short iterations. Agile delivers a piece of software faster, so that piece also has to be deployed to production at the same speed to reach the user community. Bringing the development process and the deployment (operations) process together is what we call DevOps; in practice it is most visible as the continuous integration of each software change and its continuous deployment (CI/CD). When security is considered from the earliest stage of that cycle, rather than retrofitted at the end, DevOps becomes DevSecOps. Because the stages of the cycle are conventionally drawn from left to right, moving security into the early stages is referred to as Shift Left. The practical reason is cost: a flaw found at design or commit time is cheap to fix, while the same flaw found in production means an emergency patch and possibly an incident to manage.
To establish an analogy (not exact, but a crude one that helps to understand the idea), let's look at some household work like cooking. I cook in my free time at home. After cooking, I ask my wife to serve the food to the family members. Here, the cooking process is Development, the serving process is Operations, and cooking and serving together are DevOps. Now, it's important to understand what DevSecOps is in this example. While cooking, I am concerned about the hygiene of the food from the beginning; retrofitting hygiene afterwards is very difficult. Therefore, the cooking and serving process, along with maintaining hygiene throughout, is DevSecOps.
In a rapidly moving world where technology is easing the way we do business and live, threats to that technology landscape from fraudsters and other malicious actors are growing just as fast. It is therefore imperative that security is considered from the very early stages of the development cycle: the relevant threat vectors are identified, and appropriate controls or safeguards are built into the software to protect it, its user community and ultimately the customers. The list below covers the practices DevSecOps relies on, the benefits they bring, where they are applied, and the ongoing activities that keep the pipeline secure over time.
Practices:
Continuous integration (CI) — every code change is merged, built and tested frequently, so that integration problems and security findings surface within hours of the commit rather than at release time.
Continuous delivery and continuous deployment (CD) — continuous delivery keeps every successful build in a releasable state; continuous deployment goes one step further and promotes it to production automatically once the pipeline's checks pass.
Microservices — the application is built as a set of smaller services, each of which can be scanned, patched and deployed independently, which limits the blast radius of a single vulnerable component.
Infrastructure as code (IaC) — application infrastructure is designed, implemented and managed through code, so infrastructure changes can be reviewed, version-controlled and scanned for misconfigurations before they are applied.
Common Weakness Enumeration (CWE) — a community-maintained catalogue of software and hardware weakness types. Scanners and code reviewers classify their findings against it, so that the same weakness is named consistently across tools and CI/CD stages and fixes can be prioritised by weakness class rather than by tool.
Threat modeling — before or while a component is designed, identify what can go wrong (the threats), which assets are at risk and which controls mitigate each threat; doing this early avoids the time and cost of redesigning a feature that has already shipped.
Automated security testing — test new builds for vulnerabilities on a regular basis (static analysis, dependency and container scanning, dynamic testing) as pipeline stages rather than as a manual pre-release step.
Incident management — a standard framework for responding to security incidents, so that a finding in production is triaged, contained and fed back into the pipeline as a new test.
Benefits:
Fast delivery — embedding automated security controls and tests early in the development cycle keeps delivery fast, because security no longer waits for a separate review at the end of the cycle.
Enriched efficiency — higher efficiency by scanning code for vulnerabilities as it is written, while the developer still has the context needed to fix them.
Where it is applied:
Automotive: reduce lengthy cycle times while still meeting software compliance standards.
Digital transformation: enable digital transformation efforts while maintaining the privacy and security of sensitive data under regulations such as GDPR.
Ongoing activities:
Code analysis — deliver code in small chunks so that vulnerabilities can be identified quickly and traced to a specific change.
Compliance monitoring — be audit-ready at any time, which means being in a constant state of compliance and continuously gathering evidence of it (GDPR, PCI DSS and so on), ideally generated by the pipeline itself rather than assembled by hand before an audit.
Threat investigation — identify potential emerging threats with each code update and be able to respond quickly.
Vulnerability assessment — identify new vulnerabilities with code analysis, and measure how quickly they are responded to and patched.
Security training — train software and IT engineers on secure coding guidelines and on the routines the pipeline enforces, so that findings are understood and fixed rather than merely suppressed.
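As an added example (not code from the original article or from Wibmo's own pipeline), here is a minimal shift-left gate of the kind the automated security testing and code analysis items above describe: a script a CI job runs on every push that scans the Python sources for a handful of weakness patterns, tags each finding with a CWE identifier, fails the build when a high-severity finding is present, and emits a machine-readable evidence record that a compliance dashboard can collect. The rule patterns, the CWE mapping, the `# nosec` suppression marker (mirroring the convention of the Bandit scanner) and the sample files are assumptions constructed for this example; a production pipeline would run real SAST, secret-scanning and dependency tools and treat a script like this as, at most, a fast pre-commit check.

```python
"""Minimal shift-left security gate for a CI job (added example, not Wibmo's
pipeline). Scans Python sources for a few illustrative weakness patterns,
labels each finding with a CWE identifier, and fails the build on high severity."""
import json
import re
import sys
from dataclasses import dataclass, asdict
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    cwe: str        # CWE identifier the rule maps to
    severity: str   # "high" or "medium"


# Illustrative rules (assumption): a real pipeline delegates to SAST and secret scanners.
RULES = [
    ("hardcoded-aws-key", "CWE-798", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-password", "CWE-798", "high",
     re.compile(r"""(?i)password\s*=\s*["'][^"']{4,}["']""")),
    ("eval-call", "CWE-95", "high", re.compile(r"\beval\s*\(")),
    ("shell-true", "CWE-78", "medium", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True")),
    ("md5-hash", "CWE-327", "medium", re.compile(r"hashlib\.md5\(")),
]
SEVERITY_RANK = {"medium": 1, "high": 2}


def scan_text(path, text):
    """Return the findings for one file; lines marked '# nosec' are accepted risk."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:
            continue
        for rule, cwe, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, cwe, severity))
    return findings


def scan_files(files):
    """Scan a mapping of relative path -> source text, in a deterministic order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_tree(root):
    """Scan every .py file under a directory (what the CI job would call)."""
    root = Path(root)
    return scan_files({str(p.relative_to(root)): p.read_text(encoding="utf-8")
                       for p in root.rglob("*.py")})


def gate(findings, fail_on="high"):
    """True if the build may proceed: nothing at or above the failing severity."""
    return all(SEVERITY_RANK[f.severity] < SEVERITY_RANK[fail_on] for f in findings)


def evidence(findings, passed):
    """Machine-readable record a compliance dashboard can collect from each run."""
    return {
        "passed": passed,
        "total": len(findings),
        "by_cwe": {cwe: sum(1 for f in findings if f.cwe == cwe)
                   for cwe in sorted({f.cwe for f in findings})},
        "findings": [asdict(f) for f in findings],
    }


# Constructed sample input, not code from any real repository.
SAMPLE_FILES = {
    "app/settings.py": 'DB_PASSWORD = "hunter2-prod"\nDEBUG = False\n',
    "app/views.py": ("import subprocess\n\ndef run(cmd):\n"
                     "    return subprocess.run(cmd, shell=True)  # nosec reviewed: cmd is a constant\n"),
    "app/legacy.py": "import hashlib\n\ndef fingerprint(b):\n    return hashlib.md5(b).hexdigest()\n",
}


if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    ok = gate(found)
    print(json.dumps(evidence(found, ok), indent=2))
    sys.exit(0 if ok else 1)
```

Run with a directory argument to scan a checkout, or with no argument to scan the constructed sample; the exit status is what makes it a gate, since a non-zero exit fails the CI stage. Two design choices matter for the shift-left point: suppression is explicit and visible in the diff (`# nosec` on the line, which a reviewer sees), and every run produces the same evidence record whether it passes or fails, so audit evidence accumulates as a by-product of normal delivery instead of being assembled before an audit.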
To conclude, DevSecOps is a cultural shift: security becomes a shared responsibility, and everyone participating in the SDLC has a vital role to play in building security into the DevOps workflow.
Authors:
Ravi Bhushan, Head - GRC, and Ritesh Prasad, Manager DevOps+SRE
Wibmo, a PayU/Naspers FinTech company