
DevSecOps: A CISOs Perspective

DevOps + Sec = Secure Software.
Erik Boemanns
Contributing CISO

DevSecOps, the integration of security practices into traditional DevOps processes, is well positioned to keep the appropriate security principles present throughout the software development lifecycle.

Just as DevOps encourages developers to be more operationally minded and ops teams to adopt developer techniques such as automation, DevSecOps encourages all teams to treat security as an always-present concern. It helps organizations build higher quality, more secure software faster and more effectively.

It Starts with DevOps

DevOps helped automate operations through technologies such as Infrastructure as Code and Configuration as Code. Not only did it allow infrastructure to be defined in terms of code, it also brought good practices such as version control and managed continuous integration / continuous delivery (CI/CD) to how infrastructure is defined and managed. 

From a governance and compliance perspective, this also means the infrastructure is traceable back to business requirements. It gives the CISO a strong, evidence-based perspective into the production infrastructure hosting their critical applications. This approach alone is a significant boost to operating a secure environment.

Adding the Sec to DevOps

As we fold in security, we can introduce Security as Code as well. This allows us to define everything from compliance policies to firewall rules and even how automated security testing tools are incorporated into the software build and deployment pipelines. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) have long been part of a secure software development lifecycle.* 

DevSecOps helps bring the management of these products into the process. 

The build and deployment pipelines that execute the tests and gate progress on their results are themselves defined as code, so they are version controlled and reviewed like everything else. Gated deployments ensure standards are met before a change reaches later stages of the process. DevSecOps gives us a code-first view, end to end, of how software is developed, built, tested, secured, and deployed.

As the technical implementation of DevSecOps sits within the software development team, it typically falls under the CTO or wherever the product team lives. If the CISO is positioned following modern recommendations, they will be outside that organization. While the CISO's independence is ideal, it also means they have little direct authority over how a DevSecOps practice is implemented. Even so, the CISO should be one of the biggest advocates of a strong DevSecOps practice.

DevSecOps is designed to give them a seat at the table. It is an opportunity for security concerns to be "shifted left," all the way back to when user stories are written. It allows the CISO to be not just the "Office of No" denying a deployment, but a partner throughout the lifecycle, enabling faster, more secure software delivery.

It’s a Partner Approach

A partner approach benefits the risk perspective of the modern CISO

Delivering software is risky. If an exploitable vulnerability makes it into production, the entire business is at risk of significant losses. A single security review at the end of a development process is high risk as well, as it encourages “check the box” compliance. 

In that model, the results of SAST and DAST scans become the only threshold for whether something is secure enough to deploy. Anyone who has written software knows these products are not foolproof: they miss real problems, and sometimes code gets contorted just to quiet their false positives. So the CISO advocates for DevSecOps to ensure security is omnipresent rather than a single checkpoint.
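As an added example, not code from the article or its author, here is what a pipeline gate of the kind described above under "Adding the Sec to DevOps" can look like once false positives are handled deliberately rather than by contorting code. The script reads SAST output in SARIF form (the interchange format most static analysers can emit), applies a version-controlled suppression file for reviewed false positives, and fails the build on anything at or above a chosen severity. The scanner output, file paths, rule names and suppression entries below are all constructed for illustration, and the suppression schema (owner, reason, expiry) is an assumption of this example, not a standard.

```python
"""Pipeline gate over SAST results in SARIF form (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# SARIF levels, ordered so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed scanner output, trimmed to the SARIF fields the gate uses.
SAMPLE_SARIF = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "SQL built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "xss-reflected", "level": "error",
             "message": {"text": "request parameter written to response"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for cache key"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/cache.py"},
                 "region": {"startLine": 9}}}]},
        ],
    }],
})

# Constructed suppression file (assumed schema). Each reviewed false positive
# records who accepted it, why, and when it must be looked at again.
SAMPLE_SUPPRESSIONS = json.dumps([
    {"ruleId": "xss-reflected", "uri": "app/views.py", "owner": "appsec",
     "reason": "value is JSON-encoded by the framework", "expires": "2099-01-01"},
    {"ruleId": "sql-injection", "uri": "app/db.py", "owner": "appsec",
     "reason": "reviewed, query is parameterised", "expires": "2000-01-01"},
])


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every result in every run into Finding records."""
    findings = []
    for run in json.loads(text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=r.get("ruleId", "unknown"),
                level=r.get("level", "warning"),  # SARIF's default level
                uri=loc.get("artifactLocation", {}).get("uri", "?"),
                line=int(loc.get("region", {}).get("startLine", 0)),
                message=r.get("message", {}).get("text", ""),
            ))
    return findings


def load_suppressions(text: str, today: date) -> dict[tuple[str, str], dict]:
    """Keep only suppressions that have not expired; expired ones re-surface."""
    return {(s["ruleId"], s["uri"]): s for s in json.loads(text)
            if date.fromisoformat(s["expires"]) >= today}


def evaluate_gate(sarif_text: str, suppressions_text: str,
                  fail_at: str = "error", today: str | None = None) -> dict:
    """Sort findings into blocking / suppressed / advisory and decide the gate."""
    cutoff = date.fromisoformat(today) if today else date.today()
    active = load_suppressions(suppressions_text, cutoff)
    blocking, suppressed, advisory = [], [], []
    for f in parse_sarif(sarif_text):
        if (f.rule_id, f.uri) in active:
            suppressed.append(f)
        elif LEVEL_RANK.get(f.level, 2) >= LEVEL_RANK[fail_at]:
            blocking.append(f)
        else:
            advisory.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "suppressed": suppressed, "advisory": advisory}


def render_report(result: dict) -> str:
    """Human-readable summary for the pipeline log; also the audit record."""
    lines = ["gate " + ("PASSED" if result["passed"] else "FAILED")]
    for bucket in ("blocking", "suppressed", "advisory"):
        for f in result[bucket]:
            lines.append(f"  [{bucket}] {f.rule_id} {f.uri}:{f.line} "
                         f"({f.level}) {f.message}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    report = evaluate_gate(SAMPLE_SARIF, SAMPLE_SUPPRESSIONS, today="2024-06-01")
    print(render_report(report))
    sys.exit(0 if report["passed"] else 1)
```

With the sample data the gate fails: the SQL injection suppression has expired, so that finding blocks again until someone re-reviews it, while the reflected-XSS suppression is still valid and the MD5 warning is reported without blocking. Because the suppression file lives in version control next to the pipeline definition, every accepted false positive carries an owner, a reason and a review date, which is what makes the residual risk reportable instead of silently buried.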

Stories are written with security in mind. Developers write code knowing best practices and security goals. Tests are run for performance, quality, and security. The product team has a high degree of confidence that by the time it’s deployed, the right steps have been taken. The risks are managed and reportable when following DevSecOps principles.

The CISO’s Bottom Line

As a CISO, if your company produces and deploys software, you should incorporate DevSecOps into your risk management strategy. You should help guide the selection of good security technology that enables it. Your team should be a primary contributor in implementing the Security as Code required to correctly configure and operate the DevSecOps systems. 

By doing so, you will help your product and technology teams deliver more secure software faster and increase the value the software can provide to the business. And hopefully, this will give you more margin in your day and money in your budget to secure the other parts of the business, too!


* SAST products scan the source code, without executing it, to look for typical vulnerabilities.  DAST products perform active tests against running code for the same purpose.  They are used for catching common problems such as SQL injections, cross-site scripting, session/user-input manipulation, and more.