DevSecOps: what is it about, what is it for and why is it important?

In .IT Operations, .Software, Blogfest-en by Baufest

Gartner data indicates that the percentage of software development teams using DevOPs will rise from 15% in 2017 to a whopping 80% in 2021. It should be remembered that DevOps …

Tuesday 10 - December - 2019

Gartner data indicates that the percentage of software development teams using DevOPs will rise from 15% in 2017 to a whopping 80% in 2021.

It should be remembered that DevOps is “a culture focused on the rapid delivery of IT services through the adoption of lean and agile practices in the context of a systems-oriented approach”. In addition, the consultancy anticipated that by 2019 more than 70% of DevSecOps business initiatives would have incorporated automatic detection of computer security vulnerabilities and configuration for open source components and commercial packages, compared to less than 10% in 2016.

Now, what specifically is DevSecOps? It is a philosophy and methodology in which security is integrated into all DevOps services workflows. It is characterized by being transparent to developers and by preserving the capabilities for teamwork, agility and speed of DevOps and agile environments. With this, it means adding good computer and data security practices to DevOps.

In a context in which software solutions integrate third-party software or open source tools, the risks of introducing vulnerabilities are worryingly increased, therefore it is key to enhance security and minimize risks. But of course, the challenge is to achieve this without adding obstacles to the speed of launch of software solutions. And this is precisely what DevSecOps does: it adds the best security practices – automatable and scalable – at all stages of software development.Act early

Opting for DevSecOps means integrating security practices as early as possible in the software production cycle. In other words, this method that integrates consistent security processes into DevOps involves integrating computer security strategies and practices from the beginning to software development, even from the design stage, instead of adding it as a later layer. And among other things, it focuses on automating all controls related to security.

DevSecOps allows application development to add security without losing speed, something that in the past seemed impossible to combine. Many developers already have limited experience with secure coding practices. Additionally, most are disenchanted by their experiences using time-consuming testing tools that cannot match the pace of DevOps services cultures. Instead, by now integrating and automating Static Application Security Testing (SAST) as part of their DevSecOps initiatives, teams can fluently address common challenges related to developing secure applications in agile environments.

Control from the start

Faced with a situation in which traditional IT security models generated bottlenecks, DevSecOps appears as the option so that data security tests can be carried out through iterations without delaying the delivery processes. Today software development teams use CI (Continuous Integration) / CD (Continuous Delivery) practices to accelerate software delivery. By integrating and automating security solutions early in the CI / CD pipeline, teams can scan each build for security vulnerabilities and weaknesses without compromising speed. And this is precisely a typical DevSecOps practice. Moving towards the DevSecOps model allows a company to be in control of security from the origin of a product to its launch, and can help avoid some of the third-party and supply chain errors that have challenged the software industry in recent years. In addition, this philosophy and method helps to identify vulnerabilities at the code level early, provide superior speed and agility when applying IT and data security, provide the ability to respond quickly to requirements and changes, and allow optimization of communication and collaboration.