DevOpsDays is a globally recognized series of technology conferences covering software development, automation, testing, security, organizational culture and IT operations. It was founded by Patrick Debois, widely known as the father of DevOps. The events bring together DevOps practitioners from the Internet, finance and other industries to share and exchange advanced technical ideas, concepts and industry best practices; the global adoption of DevOps has been driven by these leading practitioners and the industry's top experts. Over the past decade, DevOpsDays has spread city by city around the world, making it arguably the most influential international event series in the DevOps community.

At DevOpsDays Tokyo 2021, some of the biggest names in the DevOps space shared their ideas. Patrick Debois, the father of DevOps, answered questions and shared what he considers the most valuable DevOps practices online. Jihai Zhou, senior technologist and evangelist at CODING, was also invited to speak and presented DevSecOps tools and practices online.

The following is the content of Jihai Zhou's DevOpsDays Tokyo talk, The Practice of DevSecOps in Large Banks:

Introduction to DevSecOps: concept, origins and advantages

DevSecOps was first proposed by Gartner in 2012; the original term was "DevOpsSec". After RSA Conference 2017 it became a hot topic worldwide. DevSecOps builds on and continues the DevOps philosophy, and its design and implementation remain within the Agile framework. Its goal is to embed security into every DevOps activity (requirements, architecture, development, testing and so on): shift security left, make everyone responsible for security, and move security from reactive to proactive, so that teams deliver better-quality products faster and more safely.

  • In the traditional model, a security review is required before go-live, after the whole R&D process (requirements, development and testing) has finished. The total lead time is therefore development time plus security assessment time.

  • In the DevOps model, automation, agile development, team collaboration and practices such as microservice design shorten the development phase and so reduce lead time. But because the traditional DevOps model does not consider security, the duration of the pre-launch security review does not change. The bottleneck of the whole R&D process is then clearly the security review stage before go-live.

  • In the DevSecOps model, part of the pre-launch security review work is shifted left to the development team, so the security assessment phase is shorter and the delivery cycle shrinks further.

DevSecOps improves R&D effectiveness in three main ways:

  • Faster: DevSecOps moves some of the security scanning that the traditional model performs in the final stage before go-live into earlier stages, where it is run by automated security tools, which shortens lead time and speeds up delivery.

  • Risk control: by shifting security left, DevSecOps reduces the development team's dependence on the security department and gives developers the ability to discover and fix some security risks and vulnerabilities themselves.

  • Cost savings: discovering and correcting security risks and vulnerabilities early in the SDLC avoids the rework the traditional model incurs when a security scan in the final stage before launch finds problems.

The challenges of implementing DevSecOps

Implementing DevSecOps faces many challenges, of which technical and human challenges are the most typical. On the technical side, software development is a complex process and DevSecOps needs automated tool support, yet because DevSecOps is a new concept there are still few tools on the market. On the human side, how seriously the organization takes information security, the extra workload placed on developers once DevSecOps is introduced, and the level of management support are all key factors in whether the implementation succeeds. Even when those obstacles are removed, developers at this stage often lack information security knowledge and cannot fix security vulnerabilities smoothly, which also creates strong resistance to implementation.

Security tools commonly used in DevSecOps

  • Static Application Security Testing (SAST): SAST scans for security vulnerabilities at the source code level. Its advantage is precise location: it points to the specific line of code that has the defect, so programmers accept it easily. Its disadvantage is a very high false positive rate.

  • Dynamic Application Security Testing (DAST): DAST probes exposed ports and sites by simulating attacker behaviour against the running application. Its advantages are wide coverage and a false positive rate that is not particularly high. Its disadvantages are equally obvious: like functional testing, it needs people to write the scripts that simulate attacks, so it demands considerable security knowledge from the operations engineers who set up the scenarios, and it easily leaves dirty test data behind in the target environment.

  • Interactive Application Security Testing (IAST): by instrumenting the application with an IAST agent, or intercepting its traffic through a proxy, the tool analyses whether the system has security vulnerabilities while it runs. Its advantages are accurate detection and a low false positive rate. The disadvantage is that the server must be restarted whenever the agent is updated.

  • Software Composition Analysis (SCA): the first three tools mainly address the security of the code you write yourself, from the source level up to the exposed port level. Third-party components and plug-ins are inevitably introduced during development, and SCA tools (typically applied to open-source components) exist to check the security of that code written by others.

In general, SAST and SCA are applied mainly in the development phase, while DAST and IAST are applied in the test phase. The distribution of security tools across the DevSecOps life cycle is shown in the following figure:

Implementation and operating model of DevSecOps

Building a DevSecOps system is the ultimate goal of a DevSecOps project. To reach it, the DevSecOps implementation model offers the following approach:

  • The first step is to use DevSecOps tools to find vulnerabilities in the application. The security tools are integrated into the CI/CD pipeline so that scanning is automated, and the scan results are visualized on a dashboard or delivered to users as reports.

  • The second step is to train developers so that they have the skills to fix the vulnerabilities found.

  • After introducing the tools and training the development teams, the ultimate goal is for everyone to be DevSecOps aware and for a DevSecOps culture to take root within the team. In addition, every development team should have at least one "security expert" with advanced application security skills who can help the team fix thorny vulnerabilities and train the other team members.
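As an added illustration of the first step, not part of the talk and not code from CODING or any real scanner, here is a minimal pipeline quality gate in Python. It assumes SAST output in a simplified SARIF-like JSON shape, an SCA report as a list of components with advisories, and a reviewed baseline of findings that the team's security expert has triaged as false positives (the high SAST false positive rate noted above is exactly why a gate needs one). All tool names, rule ids, advisory ids, file paths and inputs are constructed. The gate's exit code is what would pass or fail the CI stage, and the returned report is the payload a dashboard or notification step would ingest.

```python
# Added example (not code from the talk or from CODING): a CI quality gate that
# consumes SAST and SCA scanner output. The JSON shapes, tool names, rule ids,
# advisory ids and file paths below are constructed assumptions.
import json
from collections import Counter
from dataclasses import dataclass, asdict

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed SAST output (SARIF-like subset): one real bug, one typical false positive.
SAST_JSON = json.dumps({"runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
    {"ruleId": "sql-injection", "properties": {"severity": "high"},
     "message": {"text": "Untrusted input concatenated into SQL query"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/account/repo.py"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "hardcoded-secret", "properties": {"severity": "high"},
     "message": {"text": "Possible hardcoded credential"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures/sample_config.py"},
                                         "region": {"startLine": 7}}}]},
]}]})

# Constructed SCA output: third-party components and their known advisories.
SCA_JSON = json.dumps({"components": [
    {"name": "example-json-lib", "version": "1.2.0",
     "vulnerabilities": [{"id": "EXAMPLE-2021-0001", "severity": "medium"}]},
    {"name": "example-xml-lib", "version": "0.9.1", "vulnerabilities": []},
]})

# Constructed baseline: findings the team's security expert reviewed and accepted as
# false positives. Entries name rule AND file so the same rule firing elsewhere stays visible.
BASELINE = [{"rule": "hardcoded-secret", "file": "tests/fixtures/sample_config.py",
             "reason": "dummy credential in a test fixture, reviewed by security expert"}]


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str
    message: str


def parse_sast(raw):
    """Flatten SARIF-like SAST output into Finding records (file:line locations)."""
    findings = []
    for run in json.loads(raw)["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            where = f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}'
            sev = r.get("properties", {}).get("severity", "medium").lower()
            findings.append(Finding(tool, r["ruleId"], sev, where, r["message"]["text"]))
    return findings


def parse_sca(raw):
    """Flatten SCA output: one Finding per (component, advisory) pair."""
    findings = []
    for comp in json.loads(raw)["components"]:
        for vuln in comp["vulnerabilities"]:
            findings.append(Finding("example-sca", vuln["id"], vuln["severity"].lower(),
                                    f'{comp["name"]}@{comp["version"]}', "Dependency with a known advisory"))
    return findings


def is_suppressed(finding, baseline):
    """Suppress only when a reviewed baseline entry matches both the rule and the file."""
    path = finding.location.rsplit(":", 1)[0]
    return any(e["rule"] == finding.rule and e["file"] == path for e in baseline)


def run_gate(sast_raw, sca_raw, baseline, fail_on="high"):
    """Classify findings and decide whether the pipeline stage passes; the returned
    dict is the payload a dashboard or notification step would consume."""
    threshold = SEVERITY_RANK[fail_on]
    findings = parse_sast(sast_raw) + parse_sca(sca_raw)
    blocking, advisory, suppressed = [], [], []
    for f in findings:
        if is_suppressed(f, baseline):
            suppressed.append(f)
        elif SEVERITY_RANK.get(f.severity, 0) >= threshold:
            blocking.append(f)
        else:
            advisory.append(f)
    return {"status": "fail" if blocking else "pass", "fail_on": fail_on,
            "counts_by_severity": dict(Counter(f.severity for f in findings)),
            "blocking": [asdict(f) for f in blocking],
            "advisory": [asdict(f) for f in advisory],
            "suppressed": [asdict(f) for f in suppressed]}


if __name__ == "__main__":
    report = run_gate(SAST_JSON, SCA_JSON, BASELINE)
    print(json.dumps(report, indent=2))  # dashboard/report payload
    raise SystemExit(1 if report["status"] == "fail" else 0)  # non-zero exit fails the CI stage
```

In a pipeline this runs as the step after the scanners: the non-zero exit blocks the build on the unsuppressed high-severity SQL injection finding, while the medium-severity dependency advisory is reported but does not block. The baseline is the concrete handle for the SAST false positive problem: a suppression has to name both the rule and the file and carry a reviewer's reason, so the gate stays strict without forcing developers to re-triage the same noise on every build, and raising `fail_on` to "critical" shows how the same report can drive a softer policy during rollout.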

Once the goals of the DevSecOps project are understood, the DevSecOps operating model describes how to carry out the implementation. It defines the responsibilities of several roles:

  • DevSecOps Lead: drives the DevSecOps project, promotes the DevSecOps culture and helps the development team build it; connects the development and security teams, collecting feedback from developers and passing it to the security team.

  • Development team: integrates the DevSecOps tools into the CI/CD pipeline and visualizes security scan results on dashboards; receives DevSecOps training and learns enough application security to fix vulnerabilities; applies the tools and knowledge in real projects and daily work, gradually changing how they think and building a DevSecOps culture within the team.

  • Security team: provides the DevSecOps tools and application security training, and offers consulting on request.

This is DevOpsDays Tokyo 2021.