If you’ve never heard of the term DevSecOps, it stands for development, security, and operations. DevSecOps is a natural extension of DevOps, which aims to expedite the delivery of high-quality software by introducing automation, agility, tight feedback loops, and cross-functional collaboration into the software development lifecycle (SDLC).
DevSecOps leverages these same philosophies to achieve the goal of making software development more secure (and security testing more efficient). A successful DevSecOps implementation:
- Integrates security testing into the CI/CD pipeline and throughout the SDLC (instead of something that’s only done toward the end of it)
- Makes security everyone’s responsibility: For example, with the right tools, developers should be able to view and address security issues as part of their native workflows and environments
- Automates vulnerability discovery and remediation with DevSecOps tools like software composition analysis (SCA), DAST, SAST, and IAST
DevSecOps practices enable developers to leverage automated tools to find issues and vulnerabilities in real-time, as they arrive, instead of being notified at the last minute. They also free security teams to focus on big problems and train developers on secure coding strategies.
RELATED: Application Security for Developers: SCA, DAST, and GitHub Actions
Why Adopt DevSecOps?
DevSecOps philosophies stand in contrast to traditional application security strategies.
In earlier generations of software development, when discrete releases were typical, security teams had a manual point of control by the end of the SDLC to review code and make sure the product was free of major vulnerabilities. Even once tech companies started adopting DevOps principles, security reviews often took place in the latter stages of the SDLC because early security testing tools were not developer-friendly; developers want command-line applications that can be automated and easily integrated with the rest of their stack.
An unfortunate consequence of not having security integrated into the entire CI/CD pipeline is that developers may just throw the problem “over the wall” given the pressure to ship features and updates as fast as possible. However, discovering vulnerabilities in the latter stages of the SDLC can be very costly, and this atmosphere doesn’t lend itself to a collaborative culture between security and development.
Both teams have the same goal of shipping a great product, yes, but they often have different modus operandi: development wants to move fast, while security has to slow everything down to make sure products are only shipped when they are secure.
DevSecOps bridges this gap by extending the continuous paradigms from DevOps to security, making it an active component of the CI/CD pipeline with automated testing.
Ultimately, implementing DevSecOps principles is one of the most cost-effective ways to make sure your product is secure and reduce the burden on the security team — while still shipping software at a rapid pace.
Best Practices For Building a Strong DevSecOps Pipeline
Of course, it’s one thing to talk about integrating security throughout the software development lifecycle. It’s quite another to actually implement the strategies and tools that facilitate shifting left. (Shifting left refers to the DevSecOps principle that security testing should be conducted as early as possible in the SDLC.)
Below we’ll go over best practices that will help you embrace DevSecOps principles and build a strong pipeline.
1. Planning and Training
Careful planning is imperative for a successful DevSecOps implementation. Injecting security into an existing pipeline is as much of a cultural change as it is a technical one.
In the past, each team — development, operations, and security — operated in a silo, each with their specific tasks. Changing the way things work may invite resistance as is the case any time an organization undergoes major changes.
However, it’s important the teams agree on threat models, security controls, and also establish a plan to train developers on secure coding, which may not have been a priority in traditional application security workflows.
2. Embrace Automation
Automation is one of the main tenets of DevOps, and it’s no different for DevSecOps. It’s unreasonable to expect a security team to manually review every release given the speed at which companies now push code into production.
For context, in his book “The Phoenix Project,” Gene Kim mentions that Amazon and Google make thousands of commits per day. The manual processes from the past simply can’t keep up; they must be automated.
A company that embraces automation not only reduces technical overhead but equips its development team to correct problems before they snowball into much bigger ones. By determining procedures and policies upfront and implementing automated security checks, developers receive warnings as early as possible, ensuring that the product advances through each stage of the release cycle much more reliably.
3. Check Your Dependencies For Vulnerabilities
To keep up with the market’s pace of innovation, developers don’t write much proprietary code at all anymore, and virtually all modern applications include at least some open source.
Leveraging open source code allows organizations to meet customers’ demands for faster product improvements, but it doesn’t come without risks.
You may, for example, inadvertently use dependencies that have vulnerabilities that put your organization at risk; alternatively, the dependency doesn’t have any vulnerabilities now, but three months down the road it stops being actively maintained — at which point it’s just a matter of time until an exploit is discovered.
The reality — given the sheer volume of different software components in modern applications — is that no matter how competent your security team is, it’s impossible to be on top of every dependency (and the deep dependencies, i.e, the dependencies’ dependencies) used in your application. If you don’t have tools in place to notify you as soon as those issues occur, it may be too late when you identify them.
This is where software composition analysis (SCA) becomes incredibly valuable. SCA tools scan open source components for security vulnerabilities and license compliance data.
FOSSA’s SCA solution is supported by a dedicated team of security researchers that manage, curate, and update our vulnerability database. Our tool integrates with multiple IDEs and notifies developers of vulnerabilities in real-time. You can fine-tune our filters to create granular security policies, enforce them automatically, and have security stats in real-time without bogging down your developers.
4. Introduce License Compliance Checks
Although it’s not a security issue per se, license compliance is another area related to the use of open source software where companies incur risk.
Open source dependencies have different types of licenses. And, OSS users that don’t adhere to the terms of a given license may face legal risk. (For example: Stockfish vs. ChessBase.)
Of course, managing open source licenses when you’re using dozens or even hundreds of dependencies can be tough if you don’t have automated controls in place. SCA tools scan your codebase for open source components and flag anything potentially problematic.
Open source license compliance is yet another reason why shifting left helps companies develop software more quickly. Without a tool that flags potential compliance issues in the early stages of the SDLC, developers might move forward with a particular component only to realize later that they will have to rewrite the code.
On the other hand, automated tools that surface licensing conflicts in real-time enable developers to take ownership of the situation and perhaps choose an alternative library. Or, perhaps, if they really need that library, they can contact the legal department and collaborate directly with them before committing a lot of time to a solution that may never see the light of the day.
As agile methodologies continue to increase in popularity, the percentage of organizations that adopt DevSecOps principles will only continue to grow.
DevSecOps In The Future
In a world where organizations can suffer long-lasting reputational damage from security breaches, there is immense value in implementing proper security checks without demotivating developers. DevSecOps is a natural and necessary step of the continuous paradigm to ship quality software on time and remain competitive in the market.
For more information on how FOSSA can provide the right tooling for your organization’s DevSecOps implementation, get in touch with our team today.