How did security become an inseparable part of DevOps? DevSecOps argues that security measures must be integrated into every aspect of your software production process.
The birth of DevSecOps
The term DevOps was coined in 2008 and quickly spread like wildfire, with its embrace of agile environments that foster communication and the exchange of ideas within an organisation.
However, some of these practices were initially left behind a bit, and security was the reason why.
Security was never that great in old organisational siloed models either. Keeping security separate from development and operations permanently would have been disastrous, as it would have slowed the whole process down. Isolating roles and tasks to specific teams made communication and understanding hard. So security got brought into the fold, and term DevSecOps got coined.
What is DevSecOps?
DevSecOps is the collaboration between development, operations, and security specialists so they can work in unison. It solves two main problems: the first one being that separate security processes and tooling can become a roadblock to a modern continuous integration pipeline.
Secondly, sharing responsibility for security increases not only throughput, but also the quality of operations too, making security everyone’s responsibility. Because a chain is no stronger than its weakest link. And any member of your software production process who isn’t considering security in their everyday work is potentially a weak link.
The right mindset
Development, testing, quality assurance and last but not least, security can coexist with modern site reliability engineering practices, as well as modern bleeding-edge development processes.
In organisations, there are different risk matrices of internal and external threats. Some are related to employees’ well-being, hard assets, etc. When we bring security considerations to all responsible parties, including the entire build pipelines, every runtime defence and quality metric, we arm staff with both knowledge and tools. This will increase productivity while tremendously decreasing chances of mishaps and whatnot.
Everything comes down to having different tools and approaches in different phases of development.
The mindset should be: DevSecOps/Secops is not a final layer invisible to mere mortals, but an integral part of every step in your development cycle. It’s not a single perimeter around your apps and data.
You want to automate as much of it as possible, which also benefits auditing and version control. These are invaluable concepts for everyone who has done problem solving, or even anything at all in a project involving lots of different people who execute tasks in parallel.
Improve your posture
Let’s go further. DevSecOps means improving your posture, which boils down to visibility, insights and feedback.
Many existing concepts you are doing now have security implications. Say unit testing, peer reviews, incident playbooks. In this wonderful era of really innovative technologies of containers and microservices, even serverless, companies are enabled to write things that were simply not possible a decade ago.
Some of the change has come from the very notion that old ways of doing things simply don’t work anymore. Not so long ago, organizations had wan/lan divisions, meaning their corporate network behind the firewall is implicitly assumed safe. How wrong that was and is.
Now, new practices like zero trust architecture set things straight, and so we authenticate, audit and give least access privileges on every level.
An overhaul of IT infrastructure
The whole idea of IT infrastructure has undergone quite an overhaul in the past few years. Ideas like dynamic provisioning and cloud computing has really changed the way we do things. Most would agree this is for the better.
Speed, agility, and cost have been key drivers of this transformation. It does not mean things have become any simpler: on the contrary. Therefore automation brings predictability in technological developments which might otherwise lead to a world of bloopers.
Think of DevSecOps as a seatbelt
It’s highly likely that, given our society has grown used to house insurance, first aid kits, and seat belts, adding security to pipelines will one day become a matter of course.
If not mandatory, bringing security into the fold is at the very least a very smart thing to do. It will set you apart from the pack even before anything has happened. Good practices will increase quality and automation will increase productivity. It’s a safe bet that some day, some unfortunate event will take a full swing at your business, and you bet it will make a whole lot of difference to be prepared.
This is not security for security’s sake, nor even the good practice of automation, integration and collaboration. The bottom line for businesses, when it comes to DevSecOps, is that it is a proven way to mitigate risk.