What is DevSecOps?
In the software industry, DevSecOps is a culture shift that integrates security practices into the DevOps process. It requires building a ‘Security as Code’ culture with flexible collaboration between development and security teams; security processes are then automated and handled by the development team itself.
How can it improve application security?
In traditional software development, developers release a new version of their applications every few months or years, which leaves time for quality assurance and security testing. However, the rise of public clouds, containers, and the microservice model has had a direct impact on software development, with new features and code continuously introduced into production at a rapid pace. Most of these processes are automated, allowing companies to innovate faster and stay ahead of the competition.
The DevOps culture represents a shared identity between development, testing, and operations teams, as well as a recognition of common goals. This has accelerated software development, yet security often lags behind and cannot keep up with the new code. DevSecOps aims to be the solution by integrating security testing into the continuous integration and continuous delivery pipelines, and by enabling development teams to do the testing and fixing themselves.
In DevSecOps, the development team runs the security testing, so any issues found during that testing are managed and fixed by that same team.
There’s no separation between development and security in DevSecOps.
Integrating security tests can be a challenge, as developers must learn to fix security-related bugs on their own, and that takes time. One way to do it is to embed an application security expert within the development team, even though the goal is for the entire team to know secure programming practices.
The development team can still consult security testers for an expert opinion, as some tasks require security professionals and manual testing. But this should be the exception, rather than having an entirely separate team focused on security.
This integration between development and security also needs to happen at the management level to be completely successful. Otherwise there is no alignment from top to bottom, and management-level clashes can result.
To support this, new tools have been created by developers for developers and integrated into the development environment and CI/CD workflows. Over the years, traditional application security vendors have adapted their products to serve both CISOs and developers. Certain providers of cloud-based services designed for developers – GitHub, for instance – have started to include security testing directly in their services.
More and more companies have since started to integrate automated security tests into their CI/CD pipelines, although it can be a slow process.
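As an added example that is not part of the original article, the following script is the kind of automated gate such a pipeline runs: it reads a scanner report in SARIF, the interchange format GitHub code scanning consumes, and fails the build on findings at or above a chosen severity, so the developers who own the pipeline see and fix them. The scanner name, rule ids, file paths and the report itself are constructed sample data.

```python
import json
import sys

# Constructed sample SARIF 2.1.0 report (not real scanner output): one
# SQL-injection finding at "error" level and one low-severity "note".
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "SQLI-001", "defaultConfiguration": {"level": "error"}},
        {"id": "STYLE-007", "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "SQLI-001", "level": "error",
         "message": {"text": "Unsanitized input reaches SQL query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "STYLE-007",  # no "level": falls back to the rule's default
         "message": {"text": "Unused import"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                             "region": {"startLine": 3}}}]}]}]})

# SARIF severity levels, ordered so they can be compared against a threshold.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def result_level(result, rule_defaults):
    # Per SARIF, a result's own "level" wins; otherwise use the rule's
    # defaultConfiguration.level; if neither is present the level is "warning".
    return result.get("level", rule_defaults.get(result.get("ruleId"), "warning"))

def gate(sarif_text, fail_on="error"):
    """Return (passed, blocking): blocking lists findings at or above fail_on."""
    blocking = []
    for run in json.loads(sarif_text).get("runs", []):
        defaults = {r["id"]: r.get("defaultConfiguration", {}).get("level", "warning")
                    for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            level = result_level(res, defaults)
            if LEVEL_RANK[level] >= LEVEL_RANK[fail_on]:
                loc = res["locations"][0]["physicalLocation"]
                blocking.append(f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']} "
                                f"[{res['ruleId']}/{level}] {res['message']['text']}")
    return (not blocking, blocking)

if __name__ == "__main__":
    # Pipeline usage: a non-zero exit status fails the CI job so the team must fix it.
    passed, findings = gate(SAMPLE_SARIF)
    for f in findings:
        print("BLOCKING:", f)
    sys.exit(0 if passed else 1)
```

Lowering `fail_on` to `"warning"` or `"note"` tightens the gate as the team's secure-coding practice matures.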
In time, DevSecOps should be able to reduce the number of serious vulnerabilities that exist in code.