DevSecOps: Definition and Deep Dive

Extending DevOps to application security

What is DevSecOps?

DevSecOps is the practice of applying vital security fundamentals to the traditional DevOps cycle through cooperation between engineers, security teams, and other positions of leadership.

Expanding on that definition, DevSecOps is a continuation of the DevOps concept; it enforces the idea that every employee and team is responsible for security, and that decisions need to be reached efficiently and put into action without sacrificing security. Getting new code out to production faster is a goal that often drives new business—however, in today's world, that goal needs to be balanced with addressing security.

What Is DevOps?

DevOps is a set of methodologies (people, process, and tools) that enable teams to ship better code, faster. It enables cross-team collaboration that is designed to support the automation of software delivery and decrease the cost of deployment. The DevOps movement has established a culture of collaboration and an agile relationship that unites the Development, Quality Engineering, and Operations teams with a set of processes that fosters high levels of communication and collaboration.

What are the primary goals and benefits of DevSecOps?

As a primary focus, better collaboration between development and security teams earlier in the cycle provides a slew of benefits in the long run. DevSecOps opens the door for organizations to experience an advancement in operational efficiency across various departments. This improvement follows directly from implementing DevSecOps and is accompanied by quicker response times from security teams, earlier detection of code vulnerabilities, and enhanced product reliability.

Above all else, DevSecOps enables organizations to provide consumers with increasingly secure products at an accelerated rate. Less gridlock during the application of late-stage security practices can make a major difference in freeing up time for DevSecOps engineers to make improvements during other segments of the product development cycle. With all of these notable benefits in mind, it is easier to recognize why an increasing number of companies and organizations are selecting to utilize DevSecOps principles throughout the development process.

Why should Application Security be integrated into the DevSecOps cycle?

Web applications have become a primary target for attackers for multiple reasons:

1. They are open for business and easily accessible: Companies rely on firewalls and network segmentation to protect critical assets. Applications (and ultimately web application vulnerabilities) are exposed to the internet in order to be used by customers. Therefore, they are easy to reach when compared to other critical infrastructure, and malicious attackers are often masked as legitimate desired traffic.

2. They hold the keys to the data kingdom: Web applications frequently communicate with databases, file shares, and other critical information. Because they are close, if they are compromised it is easier to reach this data (which can often be some of the most valuable). Credit card data, personally identifiable information (PII), Social Security numbers, and proprietary information can be just a few steps away from the application.

3. Penetrating applications is relatively easy: There are tools available to attackers that allow them to point and shoot at a web application to discover exploitable vulnerabilities.

Web application security testing is critical, especially since most application vulnerabilities are found in the source code. Dynamic Application Security Testing (DAST) is a primary method for scanning web applications in their running state to find vulnerabilities; these are usually security defects that must be remediated in the source code. DAST scans help developers identify real exploitable risks and improve security.

In a true DevSecOps mindset, it’s important to understand that it’s possible to implement web application scans early in the software development lifecycle (SDLC) without taking additional time for developers or testers. When dynamic application security testing first became popular, security experts typically conducted the tests at the end of the software development lifecycle. That only served to frustrate developers, increase costs, and delay timelines. In DevSecOps, that stage occurs at the start instead of the end of the development lifecycle.

Adopting a DevSecOps mindset

Much like DevOps, partnerships and collaboration are what DevSecOps is all about. It's critical that security and development teams get together to understand the risks that the other team faces. Effective methods of integrating security testing into the SDLC include:

  • Using continuous integration solutions to ensure security testing is conducted easily and automatically before an application goes into production.
  • Implementing issue tracking to ensure an application security solution automatically sends defects to an issue tracking solution used by the development and QA teams.
  • Leveraging automation and testing to make security tests even more effective.
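The first two points above (a CI gate that blocks a release on scan findings, and automatic hand-off of each finding to the issue tracker) can be shown together. The following is an added example, not code from the original page: a small Python CI step that reads DAST output, deduplicates findings, fails the build when anything at or above a severity threshold is present, and emits one stable-keyed ticket payload per unique defect. The JSON shape of the scan output and the sample findings are constructed for this example and do not represent any particular scanner.

```python
import json
import hashlib

# Severity order used by the gate; "threshold" means this level or worse blocks the build.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output of a DAST scan. The JSON shape is assumed for this
# example and is not any real scanner's format.
SAMPLE_SCAN = json.dumps({
    "target": "https://staging.example.test",
    "findings": [
        {"name": "Reflected XSS", "severity": "high", "url": "/search?q=", "cwe": "CWE-79"},
        {"name": "Missing HSTS header", "severity": "low", "url": "/", "cwe": "CWE-319"},
        {"name": "SQL injection", "severity": "critical", "url": "/login", "cwe": "CWE-89"},
        # Same defect reported twice by the scanner; it must not become two tickets.
        {"name": "Reflected XSS", "severity": "high", "url": "/search?q=", "cwe": "CWE-79"},
    ],
})


def parse_findings(raw_json):
    """Load scan output, dropping malformed entries instead of crashing the pipeline."""
    data = json.loads(raw_json)
    findings = []
    for f in data.get("findings", []):
        sev = str(f.get("severity", "")).lower()
        if sev in SEVERITY_RANK and f.get("name") and f.get("url"):
            findings.append({**f, "severity": sev, "target": data.get("target", "")})
    return findings


def dedupe(findings):
    """Collapse duplicate findings on (name, url) so each defect maps to one ticket."""
    seen = {}
    for f in findings:
        seen.setdefault((f["name"], f["url"]), f)
    return list(seen.values())


def ticket_key(finding):
    """Stable key so a re-run updates the same tracker issue instead of opening a new one."""
    digest = hashlib.sha256(f'{finding["name"]}|{finding["url"]}'.encode()).hexdigest()
    return f"DAST-{digest[:8]}"


def run_gate(raw_json, threshold="high"):
    """Return the gate verdict plus ticket payloads for every unique finding."""
    findings = dedupe(parse_findings(raw_json))
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]]
    tickets = [{"key": ticket_key(f), "title": f'[{f["severity"].upper()}] {f["name"]} at {f["url"]}',
                "labels": ["security", f.get("cwe", "CWE-unknown")], "target": f["target"]}
               for f in findings]
    return {"passed": not blocking, "blocking": len(blocking), "tickets": tickets}
```

In a real pipeline the CI job would exit non-zero when `passed` is false and post each ticket payload to the tracker's API, which is the part left out here.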

There are many benefits of embedding application security earlier into the SDLC. If you treat security vulnerabilities like any other software defect, you save money and time by finding them earlier when developers and testers are working on the release.