DevSecOps as an extension of DevOps
A couple of months ago we heard about Docker and vulnerabilities found in some of the images published on their registry. It is easy to imagine what could happen if one of our applications were running on one of those images.
Sometimes inexperience or delivery deadlines push us to use one of the images available on Docker's site, but do we really know what we are using? Sometimes it comes down to a matter of faith. With the right tools, though, we could forget about that kind of issue, or at least have a way to detect whether our image has been compromised or is exposing us to a known vulnerability.
DevSecOps is the natural extension of the DevOps and Agile cultures to incorporate security as a main concern. Its essential goal can be defined as "incorporate security awareness in the whole value delivery pipeline, from ideation to implementation to delivery and monitoring". As with the DevOps and Agile movements, this goal is interpreted and implemented as leanly as possible, minimizing bureaucracy and maximizing the value delivered to the clients.
As our world becomes more and more information-based, the security of our customers' information grows ever more valuable. How we take care of our customers' information can be a competitive advantage or take us out of business (see this article). According to a very recent study by Continuum, CEOs and founders are willing to pay 20% more, and to change providers, if that grants them a higher level of cyber-security.
According to this Cybersecurity Ventures report, in 2019 a ransomware attack will be carried out on a company every 14 seconds, which represents an economic cost of almost 11.5 billion dollars for the companies affected.
DevSecOps efforts aim to unite application development, IT operations, and security teams in the endeavor of identifying possible vulnerabilities not only in the application and the data but also in the infrastructure. It works this way through its core principles, as defined by https://www.devsecops.com:
Leaning in over Always Saying “No”.
Data & Security Science over Fear, Uncertainty, and Doubt.
Open Contribution & Collaboration over Security-Only Requirements.
Consumable Security Services with APIs over Mandated Security Controls & Paperwork.
Business Driven Security Scores over Rubber Stamp Security.
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities.
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident.
Shared Threat Intelligence over Keeping Info to Ourselves.
Compliance Operations over Clipboards & Checklists.
This list mixes different kinds of principles: some oriented to implementation (like principles 4, 6 and 7), organizational principles (like 3, 8 and 9), and "human" principles like 1 and 2. From this author's point of view, this reflects a mature understanding of the challenges we need to face, something beyond Agile, which defines its principles at a much less practical level.
To understand how DevSecOps should be implemented across a value delivery pipeline, we will explore the DevSecOps best practices within an organization:
Ease code analysis: deliver code in small chunks so vulnerabilities can be identified quickly.
Change management: increase speed and efficiency by allowing anyone to submit changes, and determine whether the change is good or bad afterward.
Compliance monitoring: be ready for an audit at any time, which means being in a constant state of compliance including gathering evidence of GDPR compliance, PCI compliance, etc.