You say “DevOps”; I say “what about DevSecOps?” But neither exists in a silo. If you’re taking advantage of DevOps tools and methods, you need to integrate DevSecOps into the mix. In other words, IT security must play an integrated role in the full lifecycle of your apps.
But what is DevSecOps? For this, we turn to DLT partner Red Hat, which has put together a user-friendly guide to DevSecOps.
By way of a summary, here’s what you need to know about secure DevOps.
Why do we need DevSecOps?
Traditionally, security was an add-on to the final stages of app development. That was when dev cycles took months, if not years. Today, DevOps has reduced those cycles to weeks or days and security has emerged as a shared responsibility that is integrated from end to end. Indeed, a security foundation must be built into all DevOps initiatives, hence the term DevSecOps.
This means thinking about application and infrastructure security from the start. It also means automating some security gates to keep the DevOps workflow from slowing down. Of course, there are tools that aid in this process. Agreeing on an integrated development environment (IDE) with security features can help. But you need more than tools. Like DevOps adoption, a cultural change is needed – one that stresses integrating the work of security teams sooner rather than later.
In other words, DevSecOps is about built-in security, not security that functions as a perimeter around apps and data.
What does built-in security look like?
Key to the cultural shift that DevSecOps highlights is the need to invite security teams in at the outset of DevOps initiatives so that information security is built in. But it also requires developers to write code with security in mind. This involves security teams sharing visibility, feedback, and insights on known threats.
It also involves more strategic thinking. A good DevSecOps strategy is to determine risk tolerance and conduct a risk/benefit analysis. Ask yourself: which security controls are necessary within a given app? How important is speed to production? The latter is something that automation can help with, since it removes the labor-intensive process of running manual security checks.
Which leads to our next point.
Automate your DevOps security
Let’s not beat about the bush: DevSecOps is not easy. Teams must maintain short and frequent dev cycles and integrate security measures with minimal disruption, all while breaking down team silos and collaborating more closely.
This is where automation fits in. Automation is the framework that makes those human changes workable in DevSecOps, and it can help across the entire dev and ops environment. Automation has helped organizations achieve more agile development practices and plays a role in advancing new security measures.
DevOps security must adapt to containers and microservices
But automation isn’t the only new kid on the block in recent years. Cloud-native technologies, like containers and microservices, also play a major part in DevOps, and DevSecOps must adapt to meet them and align with container-specific security guidelines.
The thing is, cloud-native technology doesn’t fit static security policies and checklists. This is another reason why security must be continuous and integrated at every stage of the app and infrastructure lifecycle. DevOps teams should automate security to protect the overall environment and data, as well as the CI/CD process, which will likely include the security of microservices running in containers.
To learn more about this process, check out the complete guide to DevSecOps on RedHat.com.