Moving from DevOps to DevSecOps: The Path to Security

Moving from DevOps to DevSecOps: The Path to Security

Security is now being analyzed during the development process to account for every variable.

  • By Jeff Keyes
  • May 20, 2019

Given the fact that software vulnerabilities cause the majority of data breaches, security must be a top priority for all organizations. An app feature that crashes unexpectedly is guaranteed to frustrate users, while a security vulnerability that facilitates a million-dollar data breach will have a profound, crippling impact on the company as a whole.

Security has changed drastically over the years, particularly its cost as threats rise in number and sophistication. Security is now being analyzed during the development process to account for every variable. If a bug is found at the end of the process, it is expensive to fix, and teams have to re-run and reevaluate their processes, causing delays in delivery. A security bug may also require “re-architecting,” which will require an even larger change to the functionality.

DevSecOps is a philosophy streamlines these processes by incorporating them alongside the devleopment process to help ensure that breaches do not happen. It enhances the collaboration between development and operations teams by placing security at the heart of the process and creating faster more efficient ways to safely deliver code in an agile architecture. Put simply, DevSecOps involves adding security to the existing DevOps process, whereby automated tests, non-functional requirements and compliance gating are incorporated into the standard DevOps cycle.

So how can organizations implement a fully functional DevSecOps philosophy?

Shift to the Left

Shifting the focus of security to the left in the development cycle essentially means that identifying vulnerabilities should be an integral part of the development process from the beginning. To do so, security cannot be the responsibility of a single team or person, but rather a shared initiative across IT operations, security and development teams. By making this shift in the software development lifecycle, the process will run both quickly and securely.

If it’s a shared responsibility, then it requires a shared knowledge of what and how to watch and implement. To be able to move left in the cycle with this shared knowledge, pipeline phases and gates need to be incorporated. By breaking down delivery into phases and gates, teams can include threat analysis as an iteration to make sure it happens, and they can incorporate non-functional requirements into the product features.

By adopting this “shifting left” philosophy, development will not only be accelerated, but it will also limit potential security threats in the future while addressing existing threats at the least cost with minimal damage to the platform.

Apply Continuous Automation

Apply continuous and focused automation such as linting is essential to the success of the DevSecOps environment. Automation, when woven into the software development life cycle from the start, can reduce the friction that occurs between security and development teams by quickly addressing existing and potential concerns at the lowest cost.

Adding automated security checks earlier in the process enables developers to work on code that is current, rather than doing a final threat push on 3-sprints of code where the developers are looking back on code that was written more than six weeks ago, which can be a difficult switch of context. By eliminating this challenge, both quality and hardening are built into the code far more effectively than to adding these in at the end of the process.

Incorporating Governance

Governance and DevOps are often at odds over how they make sure that there are no security issues before they go to release. Release orchestration tools can be introduced to solve this conflict, and criteria gates can be added to make sure that governance and DevOps work together.

When security testing is conducted in the development process is an important consideration in terms of lessening impact as well. Addressing security issues in completed code is much more cumbersome, and expensive, than addressing them while still coding. To combat this, governance also needs to be added into the beginning of processes so that it can be tracked throughout the entire lifecycle. Security teams can audit, monitor and coach the progress throughout the lifecycle as well.

Harden Your Microservices

In the world of legacy software, the number of interactions with other sources is not very high. In microservices, it is the opposite, and there is an added need to make sure all of these interactions are communicating with each other in a secure way.

Single-function modules that contain well-defined operations and interfaces are essential for successfully implementing a comprehensive DevSecOps approach. By constantly monitoring, upgrading and tweaking the microservice-based infrastructure, organizations will be better equipped for new developments.

There needs to be a concerted effort to stop leaving technical debt in the form of insecure computing. If you don’t have time to do it securely now, when will you? By going down the road of fully implementing DevSecOps philosophies, organizations will be armed with massive economic and technical advantages over less secure organizations.

To be able to keep pace in the constantly evolving landscape of software delivery in 2019, DevSecOps adoption is imperative. Failing to implement these philosophies will undoubtedly be the demise of many, and without doing so, they will no longer be relevant and competitive in the industry.

Featured

  • Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

    Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now

  • AI Used as Part of Sophisticated Espionage Campaign

    A cybersecurity inflection point has been reached in which AI models has become genuinely useful in cybersecurity operation. But to no surprise, they can used for both good works and ill will. Systemic evaluations show cyber capabilities double in six months, and they have been tracking real-world cyberattacks showing how malicious actors were using AI capabilities. These capabilities were predicted and are expected to evolve, but what stood out for researchers was how quickly they have done so, at scale. Read Now

  • Why the Future of Video Security Is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reasons. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. Read Now

  • UL Solutions Launches Artificial Intelligence Safety Certification Services

    UL Solutions Inc., a global leader in safety science, today announced the launch of artificial intelligence (AI) safety certification services, enabling comprehensive assessments for evaluating the safety of AI-powered products. Read Now

  • ESA Announces Initiative to Introduce the SECURE Act in State Legislatures

    The Electronic Security Association (ESA), the national voice for the electronic security and life safety industry, has announced plans to introduce the SECURE Act in state legislatures across the country beginning in 2025. The proposal, known as Safeguarding Election Candidates Using Reasonable Expenditures, provides a clear framework that allows candidates and elected officials to use campaign funds for professional security services. Read Now

    • Guard Services
Most   Popular

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.