DevSecOps

DevSecOps is the seamless integration of security testing and protection throughout the software development and deployment lifecycle. Like DevOps, DevSecOps is as much about culture and shared responsibility as it is about any specific technology or techniques. Also, like DevOps, the goals of DevSecOps are to release better software faster, and to detect and respond to software flaws in production faster and with more efficiency.

In practice, DevSecOps is a tactical trifecta that connects three different disciplines: development, security, and operations. The goal is to seamlessly integrate security into your continuous integration and continuous delivery (CI/CD) pipeline in both pre-production (dev) and production (ops) environments. Let’s take a look at each discipline and the role it plays in delivering better, more secure software faster.

Development teams create and iterate on new software applications. This includes:

  • Custom, built-in-house apps designed for a single, specific purpose
  • API-driven connections that bridge the gap between legacy systems and new services
  • Apps that leverage open-source code to accelerate the development process

Modern development practices rely on agile models that prioritize continuous improvement versus sequential, waterfall-type steps. If developers work in isolation without considering operations and security, new applications or features may introduce operational issues or security vulnerabilities that can be expensive and time-consuming to address.

Operations refers to the processes of managing software functionality throughout its delivery and use life cycle, including:

  • Monitoring system performance
  • Repairing defects
  • Testing after updates and changes
  • Tuning the software release system

DevOps has gained ground in recent years as a way to combine key operational principles with development cycles, recognizing that these two processes must coexist. Siloed post-development operations can make it easier to identify and address potential problems, but this approach requires developers to circle back and solve software issues before they can move forward with new development. This creates a complex road map instead of a streamlined software workflow.

Implementing operations in parallel with software development processes allows organizations to reduce deployment time and increase overall efficiency.

Security refers to all the tools and techniques needed to design and build software that resists attack, and to detect and respond to defects (or actual intrusions) as quickly as possible. Historically, application security has been addressed after development is completed, and by a separate team of people — separate from both the development team and the operations team. This siloed approach slowed down the development process and the reaction time. Also, security tools themselves have historically been siloed. Each application security test looked only at that application, and often only at the source code of that application. This made it hard for anyone to have an organization-wide view of security issues, or to understand any of the software risks in the context of the production environment. By making application security part of a unified DevSecOps process, from initial design to eventual implementation, organizations can align the three most important components of software creation and delivery.

Get In Touch

Open chat