As software developers, we are responsible not only for ensuring that all the features we program into our apps work as designed, we also need to make sure our code base is free from bugs and security vulnerabilities.
The need for faster delivery of software has increased, with new methodologies emerging as a consequence. The concept of DevOps was created in order to combine the functions of development (in which one codes the application) and the production/operations team (handling the management of the live application in production).
DevOps is actually a feedback loop. After all, it’s based on the principle of continuous integration/continuous development (CI/CD). Software applications don’t only come as a single final version. As users’ needs evolve, so do applications. Without an efficient process such as DevOps, a software organization will need to take a long time to incorporate necessary improvements or updates. With DevOps it can take as little as a day to release new changes.
While DevOps is all about ensuring smooth collaboration between the development and operations/production teams, DevSecOps is all about the collaboration between security and operations. This process or workflow seamlessly integrates security into every aspect of the SDLC.
In the days past, security activities slowed down the dev teams as security engineers needed to ensure shipped code is free from any vulnerability. As companies are keeping shorter and shorter periods to deploy an application, it has become necessary for the security aspect to be embedded in such a way that it doesn’t hamper the speed of release.
DevSecOps companies can be sure that they’ll ship code in a timely manner without compromising quality or security.
How Can Teams Start Using DevSecOps (if they’re not yet doing DevOps)?
More established teams and companies are already employing DevSecOps. So they aren’t the audience for this article. This is geared towards smaller teams in startups that are still picking up best practices.
It’s not necessary to first be purely DevOps prior to transitioning to DevSecOps. Quite obviously, DevSecOps already has all the elements of DevOps.
It’s probably a big advantage if a team starts off with DevSecOps. There’s a popular mantra attributed to Facebook founder and CEO Mark Zuckerberg: “Move fast and break things”. Some teams that have been employing DevOps have the tendency to think this way. They surely turn over a product within a short period of time but claim it is perfectly secure. However, that’s not often the case.
Starting off as a DevSecOps team makes it easier to have quality and security in mind early on in the process. The whole pipeline might take longer to flow but in the long haul, it reduces overall cost in terms of time and money. The reason is DevSecOps teams release more secure software reducing the time needed to fix things.
So that’s the first step to start using DevSecOps in the team—embracing the mantra “slowing down to speed things up”.
Second, start integrating security tools into your projects. We’re talking here about new and existing projects alike. There are a lot of great tools available out there such as those that detect vulnerabilities in open source packages and test automation tools that can help you transition your team properly.
Third, and I guess this is something you should do prior to using DevSecOps, you need to perform a threat assessment for your team. What do we mean by this? It’s simply doing an inventory of all your team’s assets and evaluating how vulnerable they currently are. For instance, on each team member’s workstation, do they have some malicious programs installed (whether the users are aware or not)? Doing this may be tedious but it’s better to get this done early.
Finally, every developer in the team should know how to code securely. By this we mean each dev should understand vulnerabilities such as SQL injection and cross-site scripting that can be resolved through proper code structure.
DevSecOps will permeate every software development team moving forward. By even considering it you have already taken a big step forward. You can rest assured it’s an investment that will pay tremendous dividends for your team, your company, and your app’s users.