DevOps, whose principle is to ensure collaboration and communication between Development and Operations, is becoming more and more widespread, and rightly so. It's a framework that enables better practices and faster delivery of more value. Hence its success. However, not everything is rosy, and over the years shortcomings have appeared, particularly in the area of security. Of course security was always meant to be a component of DevOps: better delivery also means secure delivery, but since cyber risks were minimal for a long time, many teams let their guard down on this front. The resurgence of cyber threats and the escalation of damage (e.g., systems completely locked down by ransomware, forcing companies to operate with paper and pencil) has called everyone to order.
Why DevSecOps?
DevSecOps was developed to provide organizations with an approach that best integrates security and compliance. Indeed, the idea behind DevSecOps is to incorporate security issues throughout the development process, instead of waiting for the final delivery. This avoids having to go back to the drawing board, just before release, if flaws are detected in an otherwise perfectly functional software or application. Better security means more productive teams and reassured customers.
While there is no such thing as a perfectly secure system, DevSecOps helps maintain agility by integrating security into short development cycles. And the less time you wait to fix a security issue, the less it costs.
What are the main principles of DevSecOps?
First of all, the aim is to make it easier for Dev teams to manage security, especially since they are not made up of security experts. There are two aspects to this:
- Governance and protocols: since the weakest link is (almost) always human, setting up governance and protocols first is a good way to make everyone more effective. This means clarifying roles and permissions and defining action plans in case of risk, even if it's only making sure that everyone knows what to do and who to contact when in doubt. No one wants a team or a team member who does nothing, or makes the wrong decision, because they don't know what to do. This also implies defining indicators to measure progress.
- Automation: since not everyone can have security expertise, automating a number of security-related tasks helps to fill this gap. It also limits human error. Automation makes the most sense for the components at risk (networks, databases, applications, etc.).
These two aspects require a clear vision of the stakeholders and their respective roles.
Developers | Operations
Think about security; set up security tests early (shift left); ask questions when in doubt | Provide centralized tools; monitor network activity; ask questions when in doubt
Security-Compliance | Executives
Communication; outreach; training | Clear line of leadership; communication; right to make mistakes
How do you automate security in DevSecOps?
By placing it upstream of the development process and automating the execution of security controls. Risk assessment must be part of every step of the process:
- Planning -> threat models
- Development -> code review
- Compilation -> static analysis
- Testing -> dynamic analysis
- Deployment -> compliance
- Operations -> secret management
- Monitoring -> user behavior analysis and system usage analysis
- And then the DevOps loop starts again.
Security is thus distributed and becomes everyone's business, not just one expert's.
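What "automating the execution of security controls" looks like once each stage emits findings: an added example (not code from the original article) of a small build gate that aggregates findings from the static-analysis, dynamic-analysis, compliance and secret-management steps listed above and blocks or passes the build according to a per-stage severity policy. The stage names, severity thresholds and sample findings are constructed for illustration; a real team would set the thresholds as part of its governance.

```python
"""Pipeline security gate: aggregate per-stage findings and decide whether
the build may proceed. Thresholds below are hypothetical examples."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    stage: str      # DevSecOps step that produced it (see the list above)
    severity: str   # "low" | "medium" | "high" | "critical"
    rule: str       # scanner rule id
    location: str   # file:line, endpoint, manifest, ...

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Lowest severity that blocks the build, per stage (constructed policy).
# A leaked credential blocks at any severity; stages not listed block
# only on "critical", so an unknown scanner cannot silently pass.
BLOCK_AT = {
    "secret-management": "low",
    "static-analysis": "high",
    "dynamic-analysis": "high",
    "compliance": "medium",
}

def evaluate(findings):
    """Return (passed, blocking, warnings) for a list of Finding objects."""
    blocking, warnings = [], []
    for f in findings:
        threshold = BLOCK_AT.get(f.stage, "critical")
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]:
            blocking.append(f)
        else:
            warnings.append(f)
    return (not blocking, blocking, warnings)

def report(findings):
    """Human-readable gate decision, suitable for a CI job log."""
    passed, blocking, warnings = evaluate(findings)
    lines = [f"GATE {'PASS' if passed else 'FAIL'}: "
             f"{len(blocking)} blocking, {len(warnings)} warning(s)"]
    for f in blocking:
        lines.append(f"  BLOCK [{f.stage}] {f.severity} {f.rule} @ {f.location}")
    for f in warnings:
        lines.append(f"  WARN  [{f.stage}] {f.severity} {f.rule} @ {f.location}")
    return "\n".join(lines)

# Constructed sample findings, as scanners from several stages might emit them.
SAMPLE = [
    Finding("static-analysis", "medium", "sql-string-concat", "app/db.py:42"),
    Finding("secret-management", "low", "aws-access-key", "config/settings.py:7"),
    Finding("dynamic-analysis", "high", "reflected-xss", "GET /search?q="),
    Finding("compliance", "low", "missing-owner-label", "k8s/deploy.yaml"),
]

if __name__ == "__main__":
    print(report(SAMPLE))  # exits non-zero so the CI stage fails when blocked
    raise SystemExit(0 if evaluate(SAMPLE)[0] else 1)
```

Run on the sample, the gate fails: the leaked key and the reflected XSS block, while the medium SQL concatenation and the missing label are surfaced as warnings for the team to track as an indicator.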
The difference between security and compliance
Quick reminder:
Security refers to anything that could be a vulnerability exploitable by malicious actors.
Compliance is the fact of respecting standards imposed by organizations and/or governments, generally for security purposes.
To conclude on DevSecOps
It is clear that the fight against cyber attacks must be a priority for companies, for reasons of efficiency, cost, reputation and therefore survival. DevSecOps makes it possible to reinforce security and compliance by integrating them with the DevOps practices already in place.
In doing so, the entire software chain is more secure, costs are reduced because issues are dealt with earlier and are therefore smaller, opportunities for attackers are rarer, and processes are repeatable and adaptive.
To go further:
DevSecOps Foundation: security strategies and benefits for your organization