How to Seamlessly Evolve DevOps Into DevSecOps

DevSecOps, by definition, is an evolution of DevOps. The growing philosophy itself is not fully formed and leaves a lot to still be defined. For anyone to claim it is anywhere close to a fully-formed set of best practices or rules would be getting ahead of themselves and the philosophy. This should be expected as DevSecOps is relatively new. 

This is the nature of DevOps, in general — always improving and never stagnant.

DevOps, as a process, isn’t by any means ancient itself. It has been largely accepted as a means of facilitating cooperation between the various compartments in an IT outfit, compartments that might otherwise remain largely sealed off from one another. 

The development side of IT works directly with the operations side in a fully formed DevOps process. This allows coding and direct software development to work in unison with traditional infrastructural issues like device management, network upkeep, and help desk functions. 

DevOps is designed to allow these sides to meet, communicate and more easily improve upon one another’s work in an automatic and streamlined way. One important aspect that has been left by the wayside is security.

Security is an ever-evolving issue that refuses to be solved for any length of time. It is a headache that needed to be included in this DevOps process for lasting impact inside an organization.

There isn’t a better time to address security of a project than throughout the entire project.

At its core, DevOps is a business philosophy — a way of structuring and organizing the IT culture at a company. The big selling point behind this philosophy is that it helps create software, test it, and push it to market faster. While this is certainly true, it’s not the whole story.

Creating and releasing software quickly doesn’t mean much if the product produced is not of high quality. To ignore DevOps’ role in quality control would be failing to grasp its true importance and intention. Effective DevOps allows the development and operations arms to harmonize together and create high-level and quality controlled software as quickly as possible.

As DevOps evolved, which it is perpetually doing, it became obvious that these processes, services, and tools needed to include far more than just software development and operations management. With each new story of a massive data breach and its catastrophic consequences, cybersecurity swiftly became recognized as a critical part of any IT ecosystem. This realization led to DevSecOps.

The goal is to make security part of the development workflow.

As mentioned, DevSecOps is the natural extension of DevOps. The process is meant to do two things: It can either take the benefits that DevOps gives to the development and operations branches of your IT department and extend them to the security team or it can integrate the security processes that need to be done into the DevOps team. 

In DevOps, creating and releasing software quickly doesn’t mean much if the product produced is not of high quality. Does it mean much if the product produced isn’t secure?

Security was being ignored in a process where it logically should have been the main component. Companies truly could not afford to ignore this conundrum any longer. 

There are three basic ways of breaking down DevSecOps for any organization: 

These three ways of looking at DevSecOps ultimately improve cooperation among the disparate IT team departments. In particular, the transition from DevOps to DevSecOps improves the team’s ability to detect and mitigate threats earlier in the development process.

Subscribing to all three options ensures that no stone is left unturned and leads to the best results in terms of maintaining or even improving current development goals while addressing the security issues that need to be addressed. The goal isn’t to tear everything down. The goal is to empower. 

DevSecOps isn’t possible by going about normal day-to-day DevOps processes. You can’t tell team members to just be more mindful about security and expect better results. Security team members can’t randomly jump into the development process and expect to make friends with developers.

How, then, does DevSecOps actually work in practice? The philosophy of DevSecOps is one thing, the practice of DevSecOps is another. In essence, there are three major elements to this new iteration of DevOps:

Dissecting your entire infrastructure can be a clunky and unwieldy process. Once it is actually accomplished, your whole process — developing software, configuring infrastructure and running security checks — is broken up into tiny parts, each with specific individual functions. This enables your infrastructure to turn into a well-oiled machine.

After everything becomes hyper-specialized, segmented and well-defined, it becomes easier to monitor each step of the process and make necessary upgrades on a gradual level.

This also allows each individual or small team the ability to claim a process as their own. The blame game will not rear its ugly head and team cooperation will reach higher levels. DevSecOps relies on team cooperation to the same degree as DevOps, possibly even more.

Again, the goal is not to tear everything down. Dissecting an entire infrastructure is done on paper. Once dissected, a company can figure out how to specialize and segment in an efficient manner that will cause the least amount of disruption possible in practice.

To start, tearing down the infrastructure requires feedback. Each team and possibly each team member should have a say on the hypothetical dissection of the organization. Starting from ground zero on a feedback-based system is the ideal approach.

In a DevSecOps-tuned environment, developers receive continuous feedback regarding the state of their systems. This constant flow of updated information lets your team know where it stands in relation to security threats. With security blended into the mix, everyone gets the latest information and can efficiently implement necessary security patches and updates.

Without continuous feedback, new processes are daunting to individual members of a team. Continuous feedback is necessary to keep your I.T. team focused and inspired. When a task has been completed the same way for long periods of time, sometimes years, continuous feedback is necessary to achieve efficiency and proficiency. 

A key detail that must be kept in mind: feedback does not only originate from management. Feedback should be oozing from every team in the DevSecOps process. If the team is truly segregated in development, security, and operations — each team will have responsibilities to the other teams and should be providing feedback back and forth multiple times a day.

Artificial intelligence and machine learning both have the potential to streamline almost everything, reduce human error, and dramatically speed things up. The kicker is that it has to be properly applied to your security checks and other processes. Automation is well and good but challenges arise when it is implemented improperly.

Most DevOps processes instill a hefty dose of automation. Teams that are starting from the ground floor should start slow to avoid overwhelm and confusion among the team. Automation does not only mean AI. Implementing the use of the highest quality of basic software  — such as a malware scanner, VPN, and two-factor authentication tool — among your team can help shore up security practices immediately.

If developers must go out of their way to initiate scans, there's a good chance they will abandon the scanning tool. Two-factor authentication is already adding a small time gain on a task and should be automatic when accessing anything. A good rule is to not annoy the developers. 

In an effort not to overthink basic security and think of automation as a complex tool filled with advanced AI, the basics shouldn’t be ignored. Automation does include advanced AI a lot of the time. However, in simple terms, it is taking a task that took time and making it so that task can be accomplished without the time it used to take.

After the basics, the assistance that AI and ML provide in cybersecurity is especially invaluable, as they not only automate basic and essential security protocols, but can actually learn, evolve, and adapt to newly emerging threats.

DevOps tools have been around for a while now. Tools specifically created for DevSecOps exist but come with criticism. Some call DevSecOps tools DevOps lipstick on an old pig. Patience should be urged to the burgeoning DevSecOps community as new tools will come with time.

The beginnings of DevSecOps aren’t concrete but the origins can be vaguely traced back to the simple phrase of security as code. The issue is that security as code isn’t the first thing learned by most developers.

Retraining an entire development team on secure coding isn’t just a challenge in terms of retraining — it’s expensive. Having the time and money to go through this training is rare. It is necessary to ensure a smooth transition from DevOps to DevSecOps.

The main issue is that developers don’t know or think that there is any issue with their code. Security as code usually isn’t the first thing a development team worries about. This needs to change for the DevSecOps process to take hold. 

Though the advantages of effective DevSecOps, both in terms of quality control and increased cooperation and efficiency, are immense, DevSecOps is as much about people as it is anything else.

Even on the best teams, people can sometimes be difficult. Introducing your people to a new way of organizing how they work together — one significantly different from the way they are used to working — can create friction in the following areas:

These are difficult problems that can be overcome. Lack of trust and poor collaboration between departments is precisely the kind of thing that DevSecOps is meant to overcome. Given enough time and persistence, the requisite trust should emerge naturally. A tried and true strategy to implement new processes is to ease the team into the DevSecOps transition in gradual stages to avoid overwhelm. 

With security part of DevOps, preventative measures are easier to implement. It’s the difference between upfront inspection and constant vigilance or waiting for chaos to break loose and only then (too late) trying to fix the problem.

In today’s intertwined internet, substantial security risk comes from third-party partners who provide services and share data and resources with your organization. Your company and network is only as strong as the weakest link. A recent example, this one related to hosting service, is the Google Cloud outage that took down large chunks of the internet, and we mean large. Companies like YouTube, Gmail, Snapchat, and Shopify to name a few were heavily affected.

For perspective, let’s consider the effect on Shopify. The outage stopped sales dead for 800,000 stores in 175 countries for seven hours because the entire Shopify network is centralized with one host (Google Cloud) which obviously did not have a good backup plan. Most scary for those entrusted with securing sites is the reality that the outage could have been a hacker attack in which Google’s servers were forcibly taken offline while malware roamed amongst customer data of the affiliate stores scooping up whatever it could find.

Incidents like this put an intense focus on the uptime/downtime of hosting providers as a critical cybersecurity metric. You need to know your provider’s numbers. According to a recent review of web hosting uptimes, anything lower than 99.9% uptime is unacceptable for small businesses, let alone enterprises like Shopify on which hundreds of thousands of SMEs rely. 

The preceding example of the danger inherent in a vendor relationship is just that - a solitary example in a universe of opportunities. Think of every vendor that your website relies on or allows access to. Any of them could be a serious security problem. Are you ready for it?

To achieve the highest levels of productivity while using DevSecOps in your organization, try the following:

DevSecOps going mainstream is what every proponent of the process envisioned. A burgeoning community is placing itself at the forefront of organizational innovation.

DevSecOps Days is described as a global series of one and two-day conferences helping to educate, evolve, and explore concepts around developing security as code. As the movement grows, the ability to learn and improve within a community grows. InfoQ attended a London event and found it to be greatly beneficial for organizations.

As the movement grows, more organizations will sprout up with more events and learning opportunities for entrepreneurs, small businesses, and large organizations alike.

Today’s reality is that cybersecurity threats are everywhere. Any organization that intends to survive and thrive online needs to be ready for them. A major part of this readiness is to stay on the front lines of DevOps thinking, which is DevSecOps. 

This philosophical shift makes sure an organization has the proper protocols in place to assess, prevent, counteract or repel threats efficiently. Proper DevSecOps implementation might be the most important thing you do this year.

Sam Bocetta is a former security analyst, having spent the bulk of his as a network engineer for the Navy. He is now semi-retired, and educates the public about security and privacy technology. Much of Sam’s work involved penetration testing ballistic systems. He analyzed our networks looking for entry points, then created security-vulnerability assessments based on my findings. Further, he helped plan, manage, and execute sophisticated "ethical" hacking exercises to identify vulnerabilities and reduce the risk posture of enterprise systems used by the Navy (both on land and at sea). The bulk of his work focused on identifying and preventing application and network threats, lowering attack vector areas, removing vulnerabilities and general reporting. He was able to identify weak points and create new strategies which bolstered our networks against a range of cyber threats. Sam worked in close partnership with architects and developers to identify mitigating controls for vulnerabilities identified across applications and performed security assessments to emulate the tactics, techniques, and procedures of a variety of threats. Linkedin here.

Source: Infoq.com

Powered by NewsAPI.org

Keywords:

Evolution • DevOps • Definition • Evolution • DevOps • Philosophy • Norm (social) • Philosophy • Nature • DevOps • DevOps • DevOps • Business process • Software development • Infrastructure • Software project management • Computer network • Help desk • DevOps • Time • Headache • DevOps • Business process • Social influence • Organization • Time • Project management • Project management • DevOps • Philosophy of business • Corporation • Marketing • Push It (Garbage song) • Marketing • DevOps • Quality control • DevOps • New product development • Business operations • Software quality • DevOps • Business process • Programming tool • Software engineering • Operations management • Data breach • Computer security • Critical theory • Ecosystem • Goal • Computer security • Economic development • Workflow • Natural resource • DevOps • Business process • Employee benefits • DevOps • Software development • Business operations • Security • Security • Business process • DevOps • DevOps • Software • Product (business) • Software quality • Computer security • Computer security • Business process • System • Company • Organization • DevOps • DevOps • Philosophy • Essence • Iterative and incremental development • DevOps • Infrastructure • Systems engineering • Holism • Systems engineering • Software • Infrastructure • Infrastructure • The Blame Game (BBC) • DevOps • Goal • Infrastructure • Corporation • Efficiency • Methodology • Disruptive innovation • Infrastructure • Feedback • Hypothesis • Dissection • Organization • World Trade Center (1973–2001) • Feedback • System • Idealism • Natural environment • Feedback • System • Information • Information • Patch (computing) • Patch (computing) • Feedback • Feedback • Time • Feedback • Efficiency • Skill • Complexity • Mind • Feedback • Management • Feedback • Team • Business process • Team • Economic development • Business operations • Moral responsibility • Feedback • Artificial intelligence • Machine learning • Human error • Systems engineering • Automation • DevOps • Automation • Automation • Artificial intelligence • Quality control • Software • Antivirus software • Virtual private network • Multi-factor authentication • Programming tool • Computer security • Software developer • Programming tool • Multi-factor authentication • Computer security • Automation • Complexity • Tool • Artificial intelligence • Automation • Artificial intelligence • Artificial intelligence • Computer security • Automation • Computer security • Communications protocol • DevOps • Tool • Tool • DevOps • Pig • Tool • Abstract and concrete • Phrase • Source code • Computer security • Source code • Secure coding • DevOps • Source code • Computer security • Source code • Business process • Quality control • Cooperation • Trust (emotion) • Collaboration • Time • DevOps • Problem solving • Internet • Risk • Partnership • Service (economics) • Organization • Company • Weakest Link (U.S. game show) • Google Cloud Platform • Internet • YouTube • Gmail • Snapchat • Shopify • Shopify • Shopify • Google Cloud Platform • The Back-up Plan (Glee) • Security hacker • Google • Server (computing) • Malware • Uptime / Downtime • Computer security • Web hosting service • Shopify • Small and medium-sized enterprises • Risk • Security • Productivity • Organization • Mainstream • Business process • Community • Organization • Innovation • Globalization • Evolution • Concept • Community • London • Organization • Social movement • Organization • Learning • Entrepreneurship • Organization • Computer security • Organization • Internet • DevOps • Communications protocol • Security • Network administrator • Security • Privacy • Technology • Penetration test • Systems engineering • Computer network • Vulnerability (computing) • White hat (computer security) • Vulnerability (computing) • Software • Computer network • Vector (malware) • Vulnerability (computing) • Computer network • Mitigating control (financial auditing) • Vulnerability (computing) • Application software • Security • LinkedIn •