Safe software development with DevSecOps

In .Software, Blogfest-en, Uncategorized by Baufest

Digital transformation and disruptions generated by the new technology-based business models made companies adopt each time more modern software engineering practices, such as agile and DevOps.

Wednesday 16 - December - 2020

These methods allow organizations to test, refine and launch new products and functionalities faster and more frequently than ever. But, well, as explained in this article we invite you to examine, “speed and frequency of the releases can come into conflict with the methods established to manage security and compliance”.

Then, how do we sort out this crossroad? The authors of the note we´d like to share are sure that the answer lies in DevSecOps (Development, security, operations), a method to integrate security in the agile and DevSecOps efforts through the life cycle length of the product. When laying the DevSecOps guidelines on the table, the considerations of computer security and data safety add up to the DevOps development methodology, not as isolated security services, but as practices that go through all stages – planning, coding, revision, testing, implementation and operations.

When utilizing the DevSecOps method, companies may “increase the frequency of software versions from once every three months to weekly or daily as well, without compromising their risk level. They can decrease the average time to solve vulnerabilities that take weeks or months to hours, as much as eliminating delays, overcharges and product defects. Besides, they can obtain security and compliance from the start”.

Put in other words, when taking into account the security systems from the start of the software development process, organizations speed up the launch to production and lower costs.

Transcending the silos

DevSecOps is based on the principle of “integrating development, security, infrastructure and operations in each step of the products ‘life cycle, from planning and design to use and continuous support”. This enables engineers to approach safety and dependability issues in a faster and more effective manner. Instead of leaving it for the end of the development process, or handling it separately, considerations regarding security, relieablility and compliance are integrated into each agile sprint. With DevSecOps, teams review the code “with a frequency of up to two weeks as part of regular agile sprints, using automatic and manual controls”.

Now, as pointed out in the note we are summarizing, to capture the potential of DevSecOps, a close collaboration with the internal area of the IT department is required, as well as with between the different IT areas, security, compliance and risks.

DevSecOps allows transcending tensions between agility and security maintenance, reliability and compliance. Instead of dividing software development roles, operation, security and compliance into different groups, it seeks to break these silos through the creation of integrated agile teams in charge of solving all the requirements of the solutions within their reach.  

With this method “digital products are conceived and built from scratch, to be secure by design. Security requirements and best practices are taken into account in all the elements of a solution, from code itself to the  infrastructure in which it is executed”, as the authors of the text mention.

In such way, going down this road helps companies to gain flexibility and agility, at the same time strengthening their computer assets. To review this perspective in further detail, obtain examples and identify pitfalls to be avoided, we suggest reading this article.