About 15 years ago, a movement to foster greater collaboration between developers and operations began. This movement, known as DevOps, targeted the silos that existed in the traditional software development model. Breaking down those silos had a great result: greater collaboration and a culture of shared responsibility. Development and operations teams worked side by side to shorten the feedback loop between initial development and delivery and to meet user requirements.
DevOps goes hand-in-hand with an Agile approach to software development, as both emphasize collaboration, communication, and improved workflows. But an Agile approach prioritizes collaboration between developers and product managers, while DevOps, once again, focuses more explicitly on collaboration between software developers and system operations specialists. While Agile frameworks emphasize iteration, through sprints and feedback loops, DevOps solutions tend to take place within the sprint, focusing more on automated processes to drive continuous testing and integration.
In simplest terms, the end goal of DevOps is the ability to release high-quality software and code updates quickly. But what does that look like in practice, and how does an organization start incorporating security into its DevOps practice? Let’s walk through three actions that indicate an organization has successfully created a culture of DevOps and can start moving towards DevSecOps.
Tip 1: Ongoing objective checks are conducted
Automation is of particular importance to DevOps, and it carries a large latent benefit from a cultural perspective. Because scanning and testing are automated, no human has to play the villain and decide whether the output is up to par. Instead, DevOps creates a person-less entity for check-ins.
This removes personal politics from the workflow and ensures the right behaviors are enforced in a very objective manner. Instead of a lead developer having to point out a security shortcoming, for instance, an automated system can do so. Thus, organizations can do a digital version of the phone-wallet-keys check on an ongoing basis.
Tip 2: Security is being integrated throughout the entire development lifecycle
When the barriers between development and operations fall, feedback loops become shorter and more of the CI/CD pipeline can be automated. But as that automation takes place, security must be integrated into the process as early as possible and continually. This is usually referred to as DevSecOps. It’s a natural evolution of DevOps, as DevSecOps is also built on shared responsibility to meet user requirements while integrating security improvements through automated scanning.
The Sec in the middle refers, metaphorically, to building fences that guide developers in the right direction from a security perspective. Additionally, everyone involved should have the ability to identify vulnerabilities early and often. Finally, repetitive security tasks such as scanning, logging, and auditing should be automated. If these things don’t happen, security is likely to lag.
Tip 3: The complete supply chain is assessed
Integrating security into DevOps is important, but it doesn’t stop with a culture of shared responsibility or ongoing testing, because security is an umbrella term. It can refer to a component of how software is developed (think individual workstation configurations), the security of the compiled output (as tested through dynamic and static code analysis), or the security of the software supply chain.
Increasingly, there are automated tools available for supply chain tracking and analysis. These tools allow teams to know every library and piece of software used in their build, where that software came from, and what software was used to build it. As supply chain attacks become more common, a true culture of DevSecOps entails assessing the entire software supply chain, monitoring it for updates regularly and testing it continuously for compliance.
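As an added illustration of Tips 2 and 3 (this is example code written for this page, not a tool the article describes), the script below is the kind of person-less check-in a pipeline can run before a release: it reads a CycloneDX-style SBOM for the build and checks the three questions raised above, what is in the build, where each component came from, and what software built it, against a team policy. The policy, the SBOM contents, the package names, versions, hashes and mirror URLs are all constructed for the example; `parse_purl` is a deliberately minimal package-URL parser, not a library call.

```python
"""Added example (not from the article): a release gate that assesses a
build's dependency inventory, recorded as a CycloneDX-style SBOM, against a
team policy. An empty findings list means the build may proceed."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Finding:
    component: str  # "name@version", or "<sbom>" for document-level issues
    rule: str       # short policy rule id
    detail: str


def parse_purl(purl: str) -> dict:
    """Minimal package-URL parser for the shape pkg:type/name@version?qualifiers.
    Namespaced types (pkg:maven/group/artifact) keep the namespace inside 'name',
    which is enough for the policy checks below."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body, _, query = purl[4:].partition("?")
    path, _, version = body.partition("@")
    ptype, _, name = path.partition("/")
    qualifiers = {k: v[0] for k, v in parse_qs(query).items()}
    return {"type": ptype, "name": name, "version": version, "qualifiers": qualifiers}


def assess_sbom(sbom_text: str, policy: dict) -> list[Finding]:
    """Return every policy violation found in the SBOM."""
    sbom = json.loads(sbom_text)
    findings: list[Finding] = []
    # What built it: the SBOM must record the build tooling.
    if not sbom.get("metadata", {}).get("tools"):
        findings.append(Finding("<sbom>", "build-tool", "no build tool recorded"))
    for comp in sbom.get("components", []):
        label = f"{comp.get('name')}@{comp.get('version')}"
        try:
            purl = parse_purl(comp["purl"])
        except (KeyError, ValueError) as exc:
            findings.append(Finding(label, "purl", f"unusable purl: {exc}"))
            continue
        # Where it came from: the ecosystem and any repository override must be approved.
        if purl["type"] not in policy["allowed_types"]:
            findings.append(Finding(label, "ecosystem", f"type {purl['type']!r} not allowed"))
        repo = purl["qualifiers"].get("repository_url")
        if repo and repo not in policy["allowed_repositories"]:
            findings.append(Finding(label, "source", f"unapproved repository {repo}"))
        # What it is: the artifact must be pinned by a hash that can be re-verified later.
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if policy["required_hash_alg"] not in algs:
            findings.append(Finding(label, "integrity", f"no {policy['required_hash_alg']} hash"))
        # Versions the team has decided to block outright.
        if (purl["type"], purl["name"], purl["version"]) in policy["denied_versions"]:
            findings.append(Finding(label, "denied", "version is on the deny-list"))
    return findings


def gate(sbom_text: str, policy: dict) -> bool:
    """True when the build may proceed, False when any finding exists."""
    return not assess_sbom(sbom_text, policy)


# Constructed policy and SBOM builders; every name, version, hash and URL is made up.
POLICY = {
    "allowed_types": {"pypi"},
    "allowed_repositories": {"https://mirror.internal.example/simple"},
    "required_hash_alg": "SHA-256",
    "denied_versions": {("pypi", "oldlib", "1.0.0")},
}


def component(name: str, version: str, sha256: str | None = None, repo: str | None = None) -> dict:
    purl = f"pkg:pypi/{name}@{version}" + (f"?repository_url={repo}" if repo else "")
    hashes = [{"alg": "SHA-256", "content": sha256}] if sha256 else []
    return {"name": name, "version": version, "purl": purl, "hashes": hashes}


def make_sbom(components: list[dict], tool: dict | None = None) -> str:
    metadata = {"tools": [tool]} if tool else {}
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "metadata": metadata, "components": components})


BUILD_TOOL = {"name": "example-builder", "version": "2.1.0"}
SAMPLE_SBOM = make_sbom([
    component("requests", "2.31.0", sha256="a" * 64),                            # passes
    component("leftpad-clone", "0.0.1", repo="https://unknown-mirror.example/simple"),  # no hash, odd source
    component("oldlib", "1.0.0", sha256="b" * 64),                               # deny-listed
], tool=BUILD_TOOL)
CLEAN_SBOM = make_sbom([component("requests", "2.31.0", sha256="a" * 64)], tool=BUILD_TOOL)

if __name__ == "__main__":
    for f in assess_sbom(SAMPLE_SBOM, POLICY):
        print(f"{f.component}: [{f.rule}] {f.detail}")
    sys.exit(0 if gate(SAMPLE_SBOM, POLICY) else 1)
```

Run against the constructed `SAMPLE_SBOM`, the gate reports three findings (an unapproved mirror and a missing hash for `leftpad-clone`, a deny-listed `oldlib`) and exits non-zero, which is what turns the policy into the objective, person-less check the article describes; the same script on `CLEAN_SBOM` exits zero. In a real pipeline the SBOM would come from the build tool and the deny-list from a vulnerability feed, and the hash recorded here would be compared against the downloaded artifact at install time.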
The bottom line
Breaking down the silo between development and operations has evolved beyond novelty and is now crucial to modern software delivery, but it can’t come at the expense of good governance. Removing the barriers between development and security can be done with the same evolution in tooling and culture that defined DevOps itself. Incorporating automated tooling for metrics collection and analysis at the intersection of digital and human process improves resiliency and simplifies compliance – a practice that lies at the heart of both DevOps and DevSecOps.
Learn more about what DevSecOps looks like in practice on Day 0 versus Day 2 in Blog 5 of our series, Software Lifecycle Development: Day 0 vs. Day 2 DevSecOps.