Recent supply chain breaches, coupled with President Biden’s new cybersecurity executive order, have brought renewed attention to the value of DevSecOps to businesses. DevSecOps brings cultural change, frameworks, and tools to open source software (OSS). To understand DevSecOps, you must understand its relationship to OSS.
What is DevSecOps?
In its purest form, DevOps (a synthesis of development and operations) is a way to break down the traditional silos between programmers and system administrators in the software delivery life cycle. Businesses and government agencies adopt DevOps for a variety of reasons, including faster software delivery to better serve customers.
DevSecOps further refines this concept by adding a security component to DevOps, automating code quality, safety and reliability assurance for continued security and compliance. Organizations seeking compliance with the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), FedRAMP, and similar programs are candidates for DevSecOps.
For example, federal government agencies seeking FedRAMP compliance should use DevSecOps because it enables them to securely automate every stage of the software development process. Similarly, healthcare organizations entrusted with protected health information (PHI) need to use DevSecOps to ensure their cloud applications comply with HIPAA requirements.
The further left you shift security mitigation, addressing these issues during development, the more money you can save. You also avoid potential bad press, because your team doesn't have to react to problems in production, where fixes are much more expensive than those found in a development environment.
You can think of the transition from DevOps to DevSecOps as just another step in the DevOps journey. But it’s more like a transformation of your development organization and your entire business. The following is a typical framework.
- **Analysis, communication and education.** This includes analyzing the maturity of your development process, defining DevSecOps for your organization, and fostering a DevSecOps culture of continuous feedback and interaction, team autonomy, automation, and architecture.
- **Integrate security into your DevOps lifecycle.** Make sure your DevOps and security teams work together.
- **Introduce automation into your DevOps lifecycle.** Start with small development projects and gradually expand your automation strategy.
- **Collaborate to make security changes to your DevOps tool chain.** Get your development and security teams working together on projects to strengthen your DevOps tool chain.
- **DevSecOps implementation.** Get your team fully involved in the DevSecOps tool chain and new processes.
- **Encourage continuous learning and iteration.** Provide training and feedback mechanisms for your developers and system administrators to support developer performance and the health of your tool chain.
We are at a unique point in the history of software development, where the need to improve security and the need to speed up software delivery meet. While DevOps does a lot to speed things up, there's always more to do.
The development of DevSecOps
The growth of DevSecOps is evident in terms of compliance and security awareness. It has a growing following within the security-conscious US Department of Defense, for example. Projects like Platform One set an example of how DevSecOps practices can protect open source and cloud technologies in the most security-sensitive government missions.
According to Gartner's Hype Cycle for Agile and DevOps 2020, DevSecOps penetration in the industry is between 20% and 50%. The pandemic has been a catalyst for DevSecOps as companies move application development to the cloud.
The challenge of DevSecOps
Even if you treat DevSecOps as just another step in the DevOps journey, you can expect your toolchain, the role of DevOps and the security team, and the way your team interacts to change. In GitLab’s global DevSecOps 2021 survey, over 60% of respondents said that new roles and responsibilities have been created as a result of DevOps, so keep your people prepared in advance to minimize surprises.
You can use various open source DevSecOps tools to build your DevOps pipeline, including:
- Alerta consolidates and deduplicates alerts from multiple sources to provide fast visualization. It integrates with Prometheus, Riemann, Nagios, and other developer-oriented monitoring tools and services. You can use Alerta to customize alerts to suit your needs.
- StackStorm provides event-driven automation with scripted remediations and responses. Some users affectionately refer to it as "operational IFTTT."
- Grafana allows you to create custom dashboards that aggregate all relevant data to visualize and query security data.
- OWASP Threat Dragon is a web-based tool that provides system diagrams and a rule engine for automated threat modeling and mitigation. Threat Dragon touts its easy-to-use interface and seamless integration with other software development tools.
DevSecOps brings a culture, the same way DevOps does. Fostering a DevSecOps culture is about putting security first and making it everyone's job. DevSecOps organizations need to go beyond mandatory enterprise-wide online security training and canned conversations, and introduce security into development and business processes.
DevSecOps and open source risk mitigation
Businesses and even government agencies build applications that are up to 90 percent open source code. This sometimes accounts for hundreds of discrete libraries in a single application. There is no doubt that open source saves DevOps teams time and money, but a DevSecOps security model may be needed to mitigate the risks and licensing complexities of open source.
In the Synopsys 2020 DevSecOps Practices and Open Source Management Survey, 46% of respondents stated that media coverage of open source issues has influenced the way they implement controls in OSS projects. The recent spate of reports of supply chain breaches has made technology leaders more concerned about the rigor of their controls.
Open source risk mitigation strategies and DevSecOps complement each other in many ways, for example:
- Start generating a software bill of materials (SBOM) as a quality gate before OSS enters your software supply chain.
- By bringing in talent from development, security and enterprise back-office teams, make OSS procurement as much of a focus as the review, purchase and receipt of enterprise software. You can adjust your DevSecOps lifecycle to include your OSS sourcing strategy.
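One way to turn the SBOM into an actual quality gate, as an added example that is not from the original article or from any named project: a small CI check that reads a CycloneDX-style JSON SBOM and fails the build on components with an unpinned version, no integrity hash, or a license outside the organization's allow-list. The SBOM content, component names and the allow-list are constructed assumptions.

```python
import json

# Policy assumption: licenses a build is allowed to pull in.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed sample SBOM in the shape of CycloneDX JSON; only the fields
# name, version, licenses[].license.id and hashes[].content are relied on.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "http-client", "version": "2.3.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},  # placeholder digest
        {"name": "legacy-util", "version": "",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "hashes": []},
    ],
})

def check_component(comp, allowed=ALLOWED_LICENSES):
    """Return the policy violations for one SBOM component."""
    problems = []
    name = comp.get("name", "<unnamed>")
    if not comp.get("version"):
        problems.append(f"{name}: version not pinned")
    if not comp.get("hashes"):
        problems.append(f"{name}: no integrity hash to verify the artifact")
    ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
    ids.discard(None)
    if not ids:
        problems.append(f"{name}: no license declared")
    for lic_id in sorted(ids - allowed):
        problems.append(f"{name}: license {lic_id} not on allow-list")
    return problems

def gate(sbom_json, allowed=ALLOWED_LICENSES):
    """Evaluate a whole SBOM; return (passed, violations) so CI can fail the build."""
    bom = json.loads(sbom_json)
    violations = []
    for comp in bom.get("components", []):
        violations.extend(check_component(comp, allowed))
    return (not violations, violations)

if __name__ == "__main__":
    passed, problems = gate(SAMPLE_SBOM)
    print("PASS" if passed else "FAIL")
    for p in problems:
        print(" -", p)
```

In a pipeline the script would exit non-zero when `gate` reports failure, blocking the merge until the component is pinned, its digest recorded, or the license exception approved.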
Final thoughts
DevSecOps is a noisy topic right now. A large number of marketers are trying to define it their own way in order to sell more products to commercial and public sector enterprises. Even so, the relationship between OSS and DevSecOps remains clear: DevSecOps tools and strategies provide a security gate that brings OSS into the software supply chain and into your DevSecOps pipeline, while maintaining security and compliance from the very first step in the process.