At one time, the waterfall model was used in software development: the process was fractionated into different linear phases, with phases having different tasks and objectives and only commencing once the previous phase was over. But to improve the delivery process, more efficient solutions had to be found. So after the waterfall came “agile”. Agile methodology brought a more iterative and collaborative software development life cycle (SDLC), which was cyclical, rather than linear.
While agile did bring many changes and improvements, it’s been two decades since we were introduced to this methodology, and in the fast-paced software development landscape, it’s unable to deliver the same precision it once had, at least on its own.
Now the focus has been shifted to DevOps, a methodology of integrating development, QA and operations, all focused on improving the frequency of the process.
However, with automation and collaboration at the core of DevOps, security can be forgotten during SDLC. This is why we need to consider a different approach, one that isn’t so drastically different from its predecessors (as incomparing DevOps to agile), but one that works on changing priorities while highlighting security in software development. This different approach is DevSecOps.
Today we’ll give you an overview of what DevSecOps is, what its benefits are, and a couple of best practices to give you a better grasp on how you can start building more secure applications.
What is DevSecOps?
Usually, when an app is near its release, that’s when code reviews and penetration testing take place. This allows uncovering any security flaws lurking in the application. Discovered vulnerabilities are dealt with before the application is released.
While security testing with code reviews and penetration testing are important for application security, the real problem is their timing. As we touched upon briefly in our OWASP deep dive post, when security is brought on too late in the SDLC and security tests occur just as the application is planned for release, difficult decisions often need to be made. Questions arise as to applying a hotfix, delaying the release, or even releasing as is and fixing the flaw after the release. As you can probably tell, none of these courses of action are ideal.
DevSecOps is a cultural shift left that aims to integrate security into the SDLC from the very beginning and into the DevOps pipeline. This helps organizations tend to security issues earlier, before they can become real threats. And know that when we say “shift left”, we’re referring to the different stages of the SDLC, and putting security at the very start— or more “left” in the process.
It works to integrate security practices, knowledge and tools into software development. The purpose of DevSecOps is to ingrain a mindset where everyone is responsible for security, and help bridge the gap between two concepts that might seem too strongly opposed—speedy releases and secure code. But when you empower your developer team with the knowledge, practices and essential tools, that really allows everyone to be responsible, respond to security issues faster, and in turn make the products safer. All without having to dwell on why those issues have led to a data breach. Imagine it just as the SOC team, but on the code side.
With the DevSecOps approach, every change to the code is reviewed and run through a number of security tests before it’s accepted. If any flaws are uncovered, they are sent to developers to be addressed on the spot, so there’s no slowing down the delivery process and any critical issues are resolved before they can pose any real danger.
Another pillar of DevSecOps is automation. Automation is the drive behind DevSecOps, and with it you’re able to run tests easily at every stage of the pipeline. What’s important to note here is that DevSecOps doesn’t aim to replace traditional security testing, as the security testing that occurs at the end of the SDLC is still important, but now it’s not the only security testing that takes place. Think of it as more of a final “green light” to push the application into production.
DevSecOps does, however, bring some changes to the traditional security testing and software development process. It ensures that security requirements are properly documented and executed, that security is built into the design of applications and that security is one of the first things considered before any additions or changes are made to the codebase.
Benefits of DevSecOps
Integrating the DevSecOps approach into organizations requires changes in mindset, management, processes and tools. This requires resources and time, which tells us why a number of organizations still haven’t adopted this philosophy. And while DevSecOps isn’t a perfect solution (is there any, really?), organizations that do adopt this approach can expect many advantages:
Increased speed of delivery
While it might seem counterproductive to add more steps into each phase of SDLC, implementing DevSecOps will actually improve the speed of delivery of applications. And how so?
Well, since there is no single piece of code that isn’t reviewed and tested while being written, and all, if any, issues are immediately uncovered, the period between finished development and deployment into production is cut short. Security tests at that point in the process are merely a final check.
Earlier identification of vulnerabilities
A DevSecOps solution that supports automation on every level can help developers spot whether they’re using, for example, any libraries with a CVE, while thinking about security before even beginning to write the code. This reduces the chances of any security issues popping up down the line.
And as we mentioned above, each piece of code that is written and any change to the codebase that is made goes through security tests, to ensure that all vulnerabilities are identified before the application is pushed into production.
In cases where security tests uncover any flaws or any security incidents occur, recovery will be much faster. The developer can be notified soon after finishing with the code, and can more quickly fix the issue without disrupting the process, or make different prioritizations based on the severity of the flaw.
Better collaboration between teams
With security being everyone’s responsibility, DevSecOps allows substantially better collaboration and communication between dev, security and operations teams as all three work towards a common goal—fast and secure development. The security feedback given during the software development process is crucial in ensuring that your applications are resilient to cyber threats, and this continuous feedback helps nurture a culture of transparency, allowing everyone to learn from mistakes and increasing interaction between teams.
DevSecOps doesn’t entail forming a separate, additional team in the organization, and that does offer the benefit of cost reduction. Additionally, reports show that the average cost of a data breach in 2019 was $3.9 million. That’s without even mentioning the loss of customers and reputation that they bring.
In addition to increased speed of delivery and a collaborative culture, DevSecOps, with its early detection of vulnerabilities, reduces the chances of any vulnerabilities being missed and making it into production, only to be uncovered months after. After all, at that point it’s possible vulnerabilities have already been exploited.
It’s always more cost effective to tackle security issues early on, than to wait for them to turn into a cyber attack.
Top 5 DevSecOps recommended practices
Successfully integrating a DevSecOps approach into your DevOps pipeline entails changes across the organizations and requires the adoption of a different mindset, practices, tools and resources (with one of those sources being OWASP). The goal is to bridge the gap between software development and security teams, and ultimately arrive at secure code swiftly.
Let’s look at a few best practices for DevSecOps implementation:
Automation is the key
Like DevOps, DevSecOps remains focused on speed of delivery, and to allow fast and continuous monitoring and testing, you need to maintain automated security testing and security controls throughout the SDLC. Different tools and methods are used for different parts of the process, including static code analysis tools, static application security testing (SAST), interactive application security testing (IAST) solutions, compliance management tools, and more.
Choose the right tools
To tie in with the previous point, while integrating automation tools into your CI/CD environment, you should be mindful of when and which tools are used, and for a couple of reasons. Firstly, security tools need to integrate easily into your CI/CD, fit seamlessly into the workflow, and actually help connect dev and security teams. Secondly, some tools don’t need to be used in every test, and don’t need to run throughout the day. You can schedule some scans for different times, to avoid wasting time and even speed up the process. And finally, watch out for third-party services and open source components and code, and make sure you run code dependency testing.
Implement threat modeling
Threat modeling means looking at the application and putting yourself into the shoes of crackers, by searching for flaws and vulnerabilities that can be exploited. This can be as easy as asking yourself about relevant threats in the current landscape, and considering, “Where would I look in my application if I wanted to exploit it, and what should I do to protect myself against these cyber threats?”
By taking this perspective throughout the entire software development process, we’re ensuring that security is ingrained in every phase of the SDLC and helping everyone get a better look at each other’s roles. We’re also searching for a solution from different angles, proactively working to improve the rest of the process, and orchestrating the prioritization of automated tools.
Secure coding awareness
For the prevention of many cyber threats and adoption of any good security practice and methodology, it’s clear that having a healthy cybersecurity culture is one of the pillars. Organizations should continually work on nurturing cybersecurity culture among their teams. This includes raising awareness on cyber risks, including their implications and how to respond to them, but also enforcing security procedures that cover all positions across the organization.
When talking from a DevSecOps perspective, this considers secure coding awareness, security training courses that focus on secure coding practices, common attack vectors, common mistakes and how to fix them. Training should engage both development and operations teams and sessions should be carried out several times a year, exploring different concepts and with different levels of complexity.
And the final best practice is one that we’ve already mentioned but remains the very foundation of DevSecOps, and of building secure applications in general. This is, of course, to test everything. This means that every piece of code, and every change to the code, should be tested and reviewed, while regular penetration tests should be performed throughout different stages of the SDLC.
The cultural and technical shift left in software development has already begun. It’s only a matter of time until most organizations adopt DevSecOps, just as in the first case with agile, then with DevOps.
What makes DevSecOps differ from the other two is that it isn’t a big, foundational shift; rather it’s a natural progression towards more secure development and advancement of the current pipeline, without actually disrupting the process and timeline.
It’s important to note that we have only scratched the surface of what DevSecOps is and what advantages it can bring to the overall security posture of an organization, competitiveness in the market and resilience to cyber threats. While we’ve provided an overview of the core principles of DevSecOps and the general requirements needed for its adoption, we will revisit this methodology in future posts, with helpful looks at some of the best DevSecOps automation tools available. Stay tuned!
Do you know what else can help your overall cybersecurity posture? Detecting critical exposed data in your online assets. By detecting outdated software, open ports, SSL certificates and related domains you can reduce your attack surface and prevent any cybersecurity issues. With our Attack Surface Reduction tool — ASR, you will be able to do just that, and more. Schedule a call with our sales team to learn more.