What is DevSecOps? DevSecOps Explained and Explored

DevSecOps is a trifecta of disciplines: software development, security, and operations. In practice, DevSecOps is an approach to automation and culture that seamlessly integrates security throughout the development and deployment cycle.

Batoi Research Group, Feb 21, 2022

Why Do We Need DevSecOps

In the past, when development cycles lasted months or even years, incorporating security into the development cycle wasn't a priority. That's not to say security itself wasn't a priority, but rather that security audits were something that happened only in the final stages of development. However, the days of long development cycles are over. Instead, effective DevOps is about rapid and frequent development cycles that span days or weeks.

Here's what a DevOps cycle looks like today:

  1. The developer creates the code.

  2. The code is tested via automated tests.

  3. A new version of the code is built.

  4. The new code is deployed to the test environment.

  5. More automated tests are run against the deployed build.

  6. If everything looks good, the code is deployed into the production environment.

Essentially, DevOps is all about fast, optimized, and automated development that pushes out new code as soon as it's ready.

But can you see the problem with the DevOps cycle? You guessed it: it doesn't factor in security. Of course, security is always important, but it's particularly critical for any apps that deal with sensitive information like credit card details or personally identifiable information (PII).

To address the security hole and combat any potential vulnerabilities and threats, the security team must conduct a security audit before the code goes into the production environment. Essentially, the security tests need to happen between steps 5 and 6 of the DevOps cycle.

Here, the security team is looking for critical flaws such as licensing issues, whether the developers used outdated or risky third-party libraries, whether passwords are exposed, whether there are any misconfigurations, and so on. This process can take anywhere from a few hours to several weeks, depending on the complexity of the application.

Once the team completes the security tests, the developers revisit the code and make any necessary changes. However, due to the rapid nature of DevOps cycles, many newer versions of the application might now be awaiting review. In other words, the security audit acts as a bottleneck to the DevOps cycle and delays the release of the end product by several weeks or even months.

How Does DevSecOps Fix the Security Bottleneck Problem?

The DevSecOps approach integrates security into the development process. Essentially, instead of thinking of security as something that happens at the end of the cycle (after a new feature has been built and tested), it tackles security from the beginning.

How Does DevSecOps Work in Practice?

  • Instead of security being an isolated task conducted by the security team, developers also become responsible for security.

  • The security team becomes an advisor for the development and operations teams, helping them manage security as they work.

  • The security team creates security policies and selects automated security tools that the DevOps team can use.

  • The security team then trains DevOps staff on how to interpret the outputs of these tools so they can fix the issues themselves.
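To make the shift concrete, here is an added example (not code from the Batoi article) of the kind of automated security gate a DevSecOps pipeline runs before the production deploy step, so that the checks the security audit used to do by hand between steps 5 and 6 (risky or outdated third-party libraries, licensing problems, exposed passwords, misconfigurations) run on every build and produce output developers can act on themselves. The package names (`oldlib`, `strictlib`), version floors, licence policy and sample files are all constructed for illustration; a real pipeline would take the vulnerability and licence data from a software-composition-analysis tool's feed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # which gate check fired
    location: str   # file:line, or the manifest entry
    detail: str


# Constructed policy data (hypothetical): a real pipeline pulls these from
# an SCA tool's vulnerability feed and the organisation's licence policy.
MIN_SAFE_VERSION = {"oldlib": "2.0"}                      # hypothetical: <2.0 is known-risky
PACKAGE_LICENSES = {"requests": "Apache-2.0", "oldlib": "MIT", "strictlib": "AGPL-3.0"}
DENIED_LICENSES = {"AGPL-3.0"}                            # hypothetical policy decision

DEP_LINE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([0-9][0-9.]*)\s*$")
# A credential keyword assigned a quoted literal; values read from the environment do not match.
SECRET_LINE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']([^\"']{4,})[\"']"
)
MISCONFIG_PATTERNS = {
    "debug enabled": re.compile(r"(?i)^\s*debug\s*[=:]\s*true\b"),
    "wildcard allowed hosts": re.compile(r"(?i)^\s*allowed_hosts\s*[=:].*[\"']\*[\"']"),
}


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split(".") if p)


def check_dependencies(manifest: str) -> list[Finding]:
    """Flag pinned third-party libraries that are below a safe version or carry a denied licence."""
    findings: list[Finding] = []
    for line in manifest.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        name, version = m.group(1).lower(), m.group(2)
        floor = MIN_SAFE_VERSION.get(name)
        if floor and _version(version) < _version(floor):
            findings.append(Finding("risky-dependency", f"{name}=={version}",
                                    f"below minimum safe version {floor}"))
        licence = PACKAGE_LICENSES.get(name, "unknown")
        if licence in DENIED_LICENSES:
            findings.append(Finding("licence", f"{name}=={version}",
                                    f"licence {licence} is not permitted"))
    return findings


def check_secrets(path: str, text: str) -> list[Finding]:
    """Flag credentials hard-coded as string literals in source or config."""
    return [
        Finding("exposed-secret", f"{path}:{n}", f"literal {m.group(1)} value in source")
        for n, line in enumerate(text.splitlines(), start=1)
        if (m := SECRET_LINE.search(line))
    ]


def check_config(path: str, text: str) -> list[Finding]:
    """Flag settings that are unsafe for a production deployment."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for label, pattern in MISCONFIG_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding("misconfiguration", f"{path}:{n}", label))
    return findings


def security_gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Run every check over the build's files; True means the build may go to production."""
    findings: list[Finding] = []
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            findings += check_dependencies(text)
        else:
            findings += check_secrets(path, text)
            findings += check_config(path, text)
    return (not findings), findings


# Constructed sample build artefacts: one that should be blocked, one that should pass.
BAD_BUILD = {
    "requirements.txt": "requests==2.31.0\noldlib==1.4.2\nstrictlib==3.1.0\n",
    "app/settings.py": (
        "DEBUG = True\n"
        'DB_PASSWORD = "hunter2!"\n'
        'API_TOKEN = os.environ["API_TOKEN"]\n'
        'ALLOWED_HOSTS = ["*"]\n'
    ),
}
GOOD_BUILD = {
    "requirements.txt": "requests==2.31.0\noldlib==2.1.0\n",
    "app/settings.py": (
        "DEBUG = False\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'ALLOWED_HOSTS = ["app.example.com"]\n'
    ),
}

if __name__ == "__main__":
    for name, build in (("bad", BAD_BUILD), ("good", GOOD_BUILD)):
        ok, findings = security_gate(build)
        print(f"{name} build: {'PASS' if ok else 'BLOCKED'}")
        for f in findings:
            print(f"  [{f.check}] {f.location}: {f.detail}")
```

Each finding names the file and line, which is the point of the "train DevOps staff to interpret the outputs" step: the developer who wrote the code gets an actionable message on the same build, instead of the security team finding the same problem weeks later against a version that has since been superseded. The pattern lists here are deliberately tiny; the structure (policy data owned by security, checks run by the pipeline, results consumed by developers) is what carries over to real SAST, SCA and secret-scanning tools.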

Tips for Successfully Implementing DevSecOps

Bringing Security and Development Together

In the old way of doing things, the security team acted somewhat like a cyber police force, stopping development in its tracks. This created tension between developers (who just wanted to see their hard work go live) and security (who wanted to safeguard the company). Essentially, security and DevOps had different goals and were often out of sync.

In a DevSecOps approach, the teams work together, sharing responsibilities and victories. However, before you can get to that stage, any broken relationships need to be mended. Therefore, investing in DevSecOps training that unifies the two teams is critical to success.

Understand that DevSecOps is Cultural

While tools and techniques play a crucial role in DevSecOps, above all, it's a cultural change. Companies must be patient in allowing this change and in addressing any challenges that arise along the way. Additionally, business leaders should engage with the appropriate teams and try to get everyone on board. The transition will be much easier if the DevOps and security teams see the value in adopting DevSecOps.

Security Must Fit into Development, Not the Other Way Around

Some changes in ways of working are inevitable with any significant cultural evolution, but that doesn't mean the burden of adapting processes should be shared equally among teams. Typically, the development cycle will remain mostly unchanged, and the security team adjusts its practices to align with the DevOps workflow.
