Fortunately, new approaches to managing risk are also evolving to meet the challenges and bring forward-thinking technological and operational innovation to cybersecurity. DevSecOps is a mindset advocating just such an approach.

Executive summary

What is it? Like DevOps, DevSecOps seeks to achieve greater efficiency and productivity through team collaboration, but the DevSecOps approach incorporates security principles.
Why does it matter? DevSecOps practitioners seek to work alongside developers at every step of the way, unlike traditional security approaches, which can be slow and come along too late in the deployment process.
Who does this affect? DevSecOps is primarily comprised of security experts and technology workers, but all users who run or rely upon software are affected by security principles, good or bad.
How do I implement it? DevSecOps concepts require a gradual shift in company culture and infrastructure. The core concepts are available via the DevSecOps site as well as a LinkedIn group and social media outlets.

What is DevSecOps?

DevSecOps is similar to DevOps in that both seek to achieve better results through greater operational focus and communication, but in this case the framework involves security principles. DevSecOps represents a mindset promoted by a group of security practitioners. Their philosophy involves building security into applications so it’s baked in rather than applied after the fact – or worse, retro-fitted on. TechRepublic covered the DevSecOps approach earlier in 2017 in an analysis of some of their other concepts, which include threat modeling, risk assessment, automation of security tasks and an emphasis on team collaboration. In short, security principles and communication should come into play at every step of the way when building applications.
The DevSecOps philosophy was created by security practitioners who seek “to operate and contribute value with less friction.” These practitioners operate a website which details their approach to better security, explaining that “the goal of DevSecOps is to bring individuals of all abilities to a high level of proficiency in security in a short period of time. Security is everyone’s responsibility.”
The DevSecOps manifesto involves principles such as building a platform of least-privilege access, focusing on science and avoiding fear, uncertainty and doubt (FUD), collaboration, consumable and business-driven security services, team testing to analyze potential exploits, continuous security monitoring and sharing intelligence.

Why does it matter?

The DevSecOps community promotes direct action to ferret out potential issues or exploitable vulnerabilities. In other words, they think like the enemy and use similar tactics, such as penetration testing, to determine which exploitable vulnerabilities need remediation.
DevSecOps differs from traditional security methods, which tend to be more bureaucratic, involve mandates from a central authority, and can be monolithic or ‘one size fits all’. These factors can actually hinder security measures, as they often focus on insignificant hypotheticals rather than actual real-world threats. For instance, rather than focusing on how an exploit theoretically ‘could happen’ if certain low-impact conditions occur, address a vulnerability which can be demonstrably leveraged to gain root access and is quite likely to lead to a system breach if left untended. A blog post on the DevSecOps site lays out the core principles and philosophy of the community. Another post encourages security teams to “eat your own dog food” and use the same security controls and processes they build into software code, for example multi-factor authentication which requires hourly logons. The goal is to become familiar with the challenges and pain points those controls impose.
DevSecOps offers projects to help improve and respond to security issues. For instance, they provide a list of tools contributed by their community. There is a free DevSecOps bootcamp you can participate in to hone your skills or just learn more about the concepts of secure coding. You can review some interesting security presentations on their site as well.

Who does it affect?

DevSecOps principles are intended to affect developers, technologists and security professionals – in short, development and operations personnel. However, they can also assist executives, managers and other leaders who need to improve their security focus. Whether you are responsible for designing secure code, managing the systems which run it, or securing your corporate environment, DevSecOps can provide the insights and information needed to weather today’s security hazards. It’s free to participate and all information is open-source.

How do I implement it?

DevSecOps requires an increased focus on collaboration (both within and between teams), automation and building in security as you go. Adopting these principles is a good first step toward implementing this mindset. Like DevOps itself, this is not a culture which can be applied immediately; it will require gradual changes as the various concepts are applied within the organization and existing frameworks are replaced with new practices. To join the DevSecOps community, check out their LinkedIn group. You can follow them on Twitter and Facebook as well.

DevSecOps: What it is and how it can help you innovate in cybersecurity