What is DevSecOps?
To understand DevSecOps, let's first look at a common DevOps flow, where everything is a straight line, automated and fast. Developers commit code changes and the application delivery pipeline starts. The changes are checked with automated tests. The new version is built and deployed to the test environment, where more automated tests run. Once everything is fine, the new version gets a green light to be released.
This highly optimized and automated flow lets the application be delivered fast, without manual effort from developers, testers and others, and a new version is ready to be released to production. But not really, because it may have a serious security problem. If your application is
- An online banking app
- Social media platform that millions of people use
- An e-shop that takes credit card payments (an e-commerce platform)
or handles other sensitive personal data, you want to make sure there are no security holes in it, because getting hacked and leaking your own or your users' data may be detrimental to your business. So before the new version is deployed to production, the security team tests it for vulnerabilities and other security issues. For example, developers may have used a new library that has known vulnerabilities:
- What if it has a special license with conditions attached?
- What if passwords are exposed in the code?
- What if the container image has a security issue, or Kubernetes is misconfigured? These could all be things the developers themselves are not even aware of.
So the security team runs tests and analyzes the code changes, looking for security issues in the application. This may take hours or days, and for a complex application it may happen every week. The security team may find thousands of vulnerabilities and issues and send them back to the developers to fix in that new version. Meanwhile, thanks to the efficient DevOps cycle, a couple of new versions have already been created, and they are all waiting for the security audit. This is the problem: you have built a highly optimized DevOps process, but right before the release the security check and audit block the whole process and delay the release for weeks.
Why does this security audit process take so long?
More security issues nowadays
Think about how applications have evolved over the last years. Instead of one monolithic application we now have microservices, which expose APIs to communicate with each other, and that means a much larger attack surface. On top of that, the microservices depend on many supporting services such as databases and message brokers.
All of this may run in containers, which add another layer where security issues can arise, and everything runs on a cloud platform and Kubernetes. So we have many layers of infrastructure and many components that need to be secured, and the security teams themselves have to learn and understand these platforms and technologies before they can identify issues in them.
Old security tools
Another issue is that many of the security tools that security professionals use and are experienced with were developed before microservices existed. They need to find, or build themselves, tools that work with these modern application setups. This complicates the job and creates the bottleneck in the application delivery process that slows down the DevOps cycle.
How to fix the problem
The answer is integrating security into DevOps, or shifting security to the left. Instead of thinking about security only after new features have been developed and tested, right before releasing them, and then dealing with the findings in large chunks, start thinking about security at the very beginning and fix security issues right away, as soon as they appear.
How does this work in practice? How can security be infused into, or integrated with, the DevOps process? There are several steps. First of all, security moves to the developers: they become responsible for security too. Then come the security professionals. The security team becomes an advisor to the Dev and Ops teams, helping them understand and manage security rather than acting like an external police force that blocks development speed. So the security team creates security policies, and then creates or selects automation tools for detecting security issues and vulnerabilities.
Examples are automated security scans of the application and automated security tests.
Then they teach and train the developers and operations teams to interpret the output of these tools, so they can identify and fix the issues themselves. All of these security tools and platforms are integrated into the pipeline as SCA and SAST stages. On every push to the official or master branch the tools run, and developers get automated output on the security status of their application and the issues and vulnerabilities that need to be fixed.
If there are no security issues, the pipeline deploys and releases the application. The manual work of the security professionals is automated and integrated into the application delivery pipeline, making the release process much faster. Apart from speed, doing security checks late in the process increases the risk to production, and fixing security issues in production is far more expensive.
Identifying and fixing them in the feature branch, on the other hand, is much more efficient: the feedback cycle is short, the developer learns about the security issue right after committing and pushing, and can fix it faster without a context switch. Overall, the DevSecOps process makes application delivery faster by shortening the feedback cycle for any security issues.
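The pipeline gate described above, as an added example that is not part of the original post: the security team's policy (which severities block a release, which licenses are disallowed, whether exposed secrets always fail the build) is encoded once, and the SCA/SAST/secret-scan findings from a push are evaluated against it. The finding records, tool names and sample values are constructed for this example, not the output of any specific scanner.

```python
"""Pipeline security gate: decide whether a pushed build may be released."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    tool: str          # hypothetical stage names: "sast", "sca", "secrets", "license"
    severity: str
    title: str
    component: str = ""
    license: str = ""  # only set by the license stage


@dataclass
class Policy:
    block_at: str = "high"          # findings at or above this severity block the release
    blocked_licenses: frozenset = frozenset({"AGPL-3.0", "SSPL-1.0"})
    block_secrets: bool = True      # an exposed secret fails the build regardless of severity


def evaluate_gate(findings, policy):
    """Return (passed, reasons); reasons are the developer-facing explanation."""
    threshold = SEVERITY_RANK[policy.block_at]
    reasons = []
    for f in findings:
        if f.tool == "secrets" and policy.block_secrets:
            reasons.append(f"secret exposed: {f.title} in {f.component}")
        elif f.tool == "license" and f.license in policy.blocked_licenses:
            reasons.append(f"disallowed license {f.license}: {f.component}")
        elif SEVERITY_RANK.get(f.severity, 0) >= threshold:
            reasons.append(f"{f.tool} {f.severity}: {f.title} ({f.component})")
    return (not reasons, reasons)


# Constructed sample findings, as the scan stages of one push might report them.
SAMPLE_FINDINGS = [
    Finding("sast", "medium", "SQL query built with string formatting", "app/db.py"),
    Finding("sca", "high", "dependency with known vulnerability", "examplelib 1.0.0"),
    Finding("license", "low", "copyleft license", "otherlib 2.1", license="AGPL-3.0"),
    Finding("secrets", "critical", "cloud access key in source", "config/settings.py"),
]

if __name__ == "__main__":
    passed, why = evaluate_gate(SAMPLE_FINDINGS, Policy())
    print("GATE PASSED" if passed else "GATE FAILED")
    for r in why:
        print(" -", r)
```

The medium SAST finding is reported but does not block under the default policy, which is the kind of trade-off the security team's policy has to state explicitly.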
Benefits of DevSecOps
- Observability: how observable your application delivery process is.
- Traceability: are we able to understand which user stories are being deployed and managed in the runtime environment, and can we prove it?
- Confidence: the business can trust that what is being delivered is actually what was started at the beginning of the pipeline as a requirement or user story.
- Compliance: this is increasingly important for specific industries such as healthcare, the public sector, federal government and banking. Compliance needs to be built into the release pipeline and engineered in from day one.