Freshen up how you build security into your software pipeline. In this article, we’re setting you up for DevSecOps success with the seven core principles:
We’ll also set the stage with a bit of DevSecOps overview and then point you on your way with some best practices for implementing DevSecOps. Let’s get started.
DevSecOps is an evolution of the DevOps methodology. Its goal is to enhance the way developers, IT operations, QA and InfoSec teams approach security in the software development lifecycle (SDLC). Despite the focus of DevOps teams toward improving software quality, security often remains an afterthought.
As we know, security serves a critical goal toward software quality that must be baked into the SDLC process — early and thoroughly all phases of the lifecycle. So, we can think of DevSecOps as an integration of culture, responsibility, tools and best practices for security throughout the SDLC pipeline, across all activities:
DevSecOps doesn’t just provide enhanced application security — it front-loads considerations like security risks and vulnerabilities much earlier in the development cycle, helping to avoid surprises later.
Because DevSecOps relies heavily on automated security tools, its ultimate value is generated from the integration of security into the DevOps continuous development process, essentially making it possible for the organization to embrace “continuous security.” As security threats continue to evolve in their sophistication, DevSecOps provides a strong tactical methodology for mitigating them, giving security testing a critical and much more visible role in the software development life cycle.
Finally, DevSecOps enables a centralized understanding across the entire team development environment — QE, DevOps, SRE and security — giving teams the ability to align on work processes and objectives without disrupting the workflow.
Not sure what DevSecOps might mean for your organization? Here are some areas that it can absolutely support:
And with that background, let’s take a look at how we actually implement DevSecOps.
So, just how do we integrate security? Let’s review the key principles of DevSecOps that teams should be working into their SDLC workflows.
DevSecOps teams work with cybersecurity experts early during the SDLC process, a major shift from traditional DevOps. In DevSecOps, cybersecurity becomes a shared responsibility of all members of the DevSecOps teams. That means that software design and implementation follows security best practices, considering areas like:
When shifting security left (towards the beginning of the SDLC), every software build is configured for security — optimized for performance, cost, time to market and other key business goals. This enables the team to identify early the security risk and exposure, enabling a secure build for every integration into the CI/CD pipeline.
(Read more about shift left security.)
Adopt end-to-end automation for extensive testing and CI/CD processing. Within DevSecOps, automation is adopted as a strategic and well-informed decision— instead of merely automating any and all manual processes. After all, automating waste processes only compromises software quality.
In such cases, any rework to address quality issues tend to come at the expense of security performance. This practice goes against the concept of DevSecOps.
Instead, DevSecOps teams ensure that cybersecurity testing is thoroughly integrated into the automation processing, checking for:
The practice of Continuous Testing is extended by introducing automated testing functions that analyze build quality for security vulnerabilities. Within DevSecOps, Devs and QA teams collectively adopt the responsibility for improving software quality by continuously testing every build — in fact, the process is integrated into the CI/CD pipeline. These include:
You can also develop a threat model and establish security policies early during the SDLC process. Automated remediation tools may be adopted to address frequent vulnerabilities that are introduced as Devs and QA teams follow rapid release cycles and fast sprints at the pace of DevOps.
(Learn about autonomous testing, an emerging technology that harnesses ML to create and drive software testing.)
Organizations are expected to make it easier for DevSecOps team members to collaborate and communicate. In a traditional enterprise IT setting, Devs, QA, Ops and InfoSec teams tend to work in silos, each team adopting their own policies and objectives. These goals are often conflicting and ultimately require a superseding policy that dictates the priority objectives.
From a DevSecOps perspective, this is impractical: An unknown consequence, security malpractice or un-informed decision can have a lasting negative impact on the overall software quality and performance.
To make it easier for Devs and QA teams to configure and develop customized automation workflows for security testing, users can treat security policies, procedures and controls as code.
Security as Code ensures that continuous and automated security testing does not introduce unnecessary cost and delays to the SDLC processing. Security testing processes run alongside functional testing within the automated CI/CD workflows — Devs and QA teams can automatically work on the results and improve security performance with the programmable approach to security, as the tools, metrics, testing scope and configurations are reused.
The testing procedure also follows consistent policies, which are agreed upon during the security planning and initial design phase.
One of the most important goals of DevSecOps is to deliver insights that help create a reliable environment for achieving the desired security performance of the SDLC pipeline. In order to achieve this goal, DevSecOps follows three characteristics:
The work that sums up these concepts is observability. Learn more about the benefits of Observability and Explainability in SDLC in this blog post by Splunker Sandeep Kampa on DevOps.com.
Since security threats continue to evolve and new development sprints can be exposed to different security risks, DevSecOps aims to iteratively improve the security capability by incorporating feedback on a continuous basis. This feedback comes from…
Make provision in the beginning to ensure that security related feedback can be incorporated across iterative sprints and release cycles.
(Track your security operations success with these metrics.)
OK! These concepts clearly highlight just how important it is to build security into the entire software development lifecycle. So, why are dev teams still struggling so much? Some common obstacles that teams experience are:
DevSecOps is part strategy, part toolkit, part training and part cultural shift. That means, unfortunately, there’s no universal playbook on how to “do DevSecOps”.
Still, armed with the seven core concepts and these best practices, you’ll be well on your way!
By following DevSecOps principles, enterprise IT teams can achieve two important goals: speed of SDLC release cycles and reliable software delivery in context of the evolving security risks, changing user expectations and strong regulations applicable to different industries and geographic locations.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.