04/12/2020
Cyber security must be an integral part of software development and deployment. I've said that for years of teaching Learning Tree's Introduction to Cyber Security, and now there is a design philosophy to help make that happen.
DevSecOps is an enhancement to the popular DevOps philosophy and methodology to integrate proper security practices into the entire design-development-deployment cycle.
What is DevOps?
There is not an official formal definition for DevOps, but Red Hat has a great description: "DevOps is a movement that enables collaboration throughout the entire software delivery lifecycle by uniting two tribes: development and operations. The benefits of DevOps can extend to security by embracing modern DevSecOps practices." With origins in the Agile community, DevOps has three essential elements: collaboration, continuous workflow, and reduced time to integrate changes into the development of a software product.
The illustration shows the DevOps process. Note that it takes the shape of the infinity symbol (the lemniscate). That is to emphasize the continuous workflow aspect. This has been referred to as a build-test-deploy cycle. In the past, software was developed using a so-called waterfall approach. In that process, there is a strict design-develop-deploy linear path.
The idea of continuous workflow is not new. In college in the late 1970s, our 4th-year software design class employed continuous development. We built our project a bit at a time and enhanced it and moved closer to client needs incrementally, rather than using the waterfall path. We followed the build-test-deploy process without knowing it would be a future methodology.
In waterfall development, security is often a part of the process implemented at the end. As a sort of add-on, a separate team tries to make the application (more) secure by identifying changes that must be made before deployment. That can introduce significant delays in the process. For those not familiar with software development, a small change in one portion of a project may have large implications in other areas. That small change may require significant reworking of other portions of the code, taking both time and money.
What is the DevSecOps approach?
The DevSecOps approach incorporates security considerations throughout the workflow. That avoids the retrofitting of changes that often occur when security is an add-on. When security is considered from the start, it is much more likely to be more thoroughly integrated into the final product. It also tends to avoid the small-change-requires-a-major-rework issue.
For this integration to be effective, there are two requirements: the entire development and operations teams must communicate effectively, and the teams must appreciate and buy into the essential need for appropriate practices throughout the process. Of course, they must also understand what secure design/development and operations processes are!
The Open Web Application Security Project identifies the top ten vulnerabilities in web applications. All of them could have been avoided had security been implemented throughout the development lifecycle.
For those who are already familiar with DevOps and want a deeper dive into the differences between it and DevSecOps, the US General Services Administration has papers elaborating on the differences.
Learning Tree has multiple courses that can help those interested in DevSecOps and related topics:
- DevSecOps Foundation. From the Learning Tree website: "This training addresses the purpose, benefits, concepts and vocabulary of DevSecOps, how DevOps security practices differ from other types of security approaches, and an overview of DevOps security strategies including business driven security scores."
- A collection of DevOps fundamentals and certification courses. Multiple certification and fundamentals courses are available depending on participant and organization needs.
- System and Network Security Introduction. This course is a foundation for the other security courses and is not specific to software developers.
- Considering that DevOps and thus DevSecOps had their origins in the Agile Methodology, courses in Agile development may be appropriate for some developers.
- Finally, since DevOps relies so heavily on team communications, the Communication Skills course will be valuable to teams using DevSecOps.
DevSecOps puts security directly into the DevOps process. Even the name puts "Sec" in the middle to emphasize that. Quoting Red Hat again, "DevSecOps means thinking about application and infrastructure security from the start."