This partner blogpost was provided to us by our partner Sonatype.
Dev.Sec.Ops.Have you heard the term before? If not, you are not alone. The basic premise behind DevSecOps can even run under different names, depending on who is conducting the conversation (Rugged DevOps, SecDevOps, etc.) And of course it can be difficult enough to find a commonly agreed definition of DevOps for yourself.
So, what does DevSecOps mean exactly? The first thing you probably need to know is that the “Sec” in DevSecOps stands for Security.
For many organizations, implementing a DevOps mentality means closing the gap or eliminating silos between software development and IT teams, often with the goal of publishing software faster and more stable.
DevSecOps is therefore an extension of the DevOps mentality and is often portrayed with the slogan “shifting security to the left” (i.e. earlier) in the Software Development Lifecycle (SDLC), rather than tackling security audits/inspections at the end of the cycle when all the findings that require mitigation are more difficult and costly to implement.
In fact, the principle of DevSecOps - bringing quality ever closer to the source - is an important principle of The Second Way of DevOps (Feedback), as described in DevOps manual:
W. Edwards Deming, an engineer, statistics professor, and business consultant who is often credited with the lessons that contributed to the establishment of the Total Quality Movement in the United States, brought forth the same idea (much earlier) in the third (of its 14) key management principles for transforming business effectiveness:
Principles are not necessarily synonymous with practice.
These principles are not new, and they seem fairly simple in theory, but the reality is that in practice many companies do not work that way.
When security is prioritized by a company, it often aims to meet the minimum criteria for some kind of compliance, usually with an understaffed security team.
In his DZone article 10 Tips for Integrating Security into DevOps Gene Kim describes this challenge:
An illustrative example of this scenario is The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win in which the less popular Chief Information Security Officer (CISO) John is going through an existential crisis when his company passes a SOX-404 audit without ever having to rely on his process-intensive security controls.
After a period of self-pity and self-analysis, in which all his hard work did not really add value to the company, CISO John “rises from the ashes” and begins to understand how his role can help the company achieve its business goals and works more cooperatively with the software development and IT departments to understand how he can help facilitate their work. Soon the Dev, Ops and Security Triad will begin working together to achieve these common business goals, becoming much more agile by adding automation processes to reduce effort and security risks.
A cultural change in both directions
In an interview with the Computer Business Review Sonatype’s CTO, Brian Fox, shared his thoughts about the changes in the DevOps and DevSecOps area:
One of the founders of DevSecOps, Shannon Lietz of Intuit, recalls this mood in her blog post What is DevSecOps? on devsecops.org and explains: “…with the change of DevOps afoot, traditional security is no longer an option. “ According to Lietz:
If you see DevSecOps as a collaborative discipline, the key to a successful approach often comes back to a change in the company’s cultural mindset.
The authors of the DevOps Handbook agree:
For Sonatype, the DevSecOps approach involves building quality in by integrating security measures into all phases of the DevOps pipeline - a left and right shift - from the initial open source component selection through to application creation, deployment and release.
In order to integrate security into all phases of an SDLC, the following points must be observed:
- Scan and assess the risks of open source components in new and existing legacy applications.
- Prevent “bad” OSS components from entering an ecosystem.
- Continuously monitor all applications in production, automatically notify development teams of vulnerabilities that affect an application.
The following is an excerpt from devsecops.org’s DevSecOps manifesto, which is at the heart of Sonatype’s mission:
For more information:
- 10 Tips for Integrating Security into DevOps by Gene Kim
- Five Questions with…Sonatype CTO Brian Fox by Ed Targett
- The DevOps Handbook: How to Create World-Class Agility, Reliability, & Security in Technology Organizations by Gene Kim, Jez Humble, Patrick DeBois, & John Willis
- The DevSecOps Manifesto
- The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win by Gene Kim, Kevin Behr, & George Spafford
- W. Edwards Deming Wikipedia entry
- What is DevSecOps? by Shannon Lietz