The Imperative for DevSecOps

Nishant | 25 Jan 2019 | Newsletter, Enabling DevOps

DevOps enables organizations to achieve transformational speed and agility by using automation to break down the barriers between development and operations. However, speeding up software delivery without security checks is like driving a car on a highway without brakes: it exposes application vulnerabilities and significantly reduces the organization's ability to respond during an incident or attack.

Enter DevSecOps, a practice that embeds automated security checks into the software development lifecycle so that code ships faster and safer. Security is no longer an afterthought bolted on at the end of the development cycle. Instead, DevSecOps extends DevOps practices, which already rely on close collaboration between development and operations teams, to bring the information security team in as the third pillar supporting software delivery.

Just as code is built and tested in a continuous loop, vulnerability testing must run automatically and continuously as application code is integrated and released.

What is DevSecOps

DevSecOps is the practice high-performing organizations use to reconcile two goals that pull in opposite directions: releasing software at high velocity and releasing it securely. It is a culture that uses tools and processes to bring development, operations and security teams together so that speed and quality scale together.
It relies on automation to test and iterate for quality and security as part of routine development without disrupting the delivery cycle. Automated checks provide continuous compliance, and automated remediation keeps deployments secure at every stage.

Key elements in DevSecOps culture include:

Benefits of DevSecOps
DevSecOps adds a layer of security control to the DevOps application development process and delivers the following benefits.

Reduced Cost:  Detecting security flaws early reduces the cost of reworking code compared with finding them at the tail end of development.
High Velocity, Secure Code:  Continuous security testing is fast and removes the bottlenecks of the older, end-of-cycle security model.
Higher Efficiency:  Standardized code and infrastructure templates lead to faster delivery cycles.
Higher Responsiveness:  Transparent testing and team collaboration shorten the lag between detecting a vulnerability and preventing it.
Higher Customer Value:  Customers receive high-quality innovation delivered in a secure manner.
Better Developers:  Developers become more proficient as they grow more aware of security requirements.

DevSecOps Best Practices
Security must be tightly integrated into the software development process. As the name DevSecOps itself suggests, security must be central to both development and operations. High-performing organizations have adopted the following best practices while implementing DevSecOps.

DevSecOps with AWS
AWS supports DevSecOps practices with an array of tools and services for achieving scale and speed securely. The following are key services that accelerate automation and improve efficiency, collaboration and transparency among DevSecOps teams.

CodePipeline:  Continuous delivery service for modeling, visualizing and automating the steps required to release software.
CodeDeploy:  Managed deployment service that automates software deployments to Amazon EC2, AWS Fargate, AWS Lambda and on-premises servers, handling the complexity of updating applications and avoiding downtime during deployment so that new features can be released quickly.
CodeCommit:  Managed source control service that hosts secure Git-based repositories, making it easy for teams to collaborate on code in a secure and scalable environment.
CloudFormation:  Lets you standardize infrastructure as templates and define and provision resources in an automated, repeatable way.
AWS IAM:  Manages access by allowing or denying permissions to users, roles and federated identities; together with CloudTrail, it provides traceability of the changes made by each individual principal.
AWS Key Management Service (KMS):  Creates and manages encryption keys and controls their use across a wide range of AWS services and applications.
AWS Lambda:  Serverless compute that can run custom pipeline checks, for example static analysis of a CloudFormation template before deployment and validation of the deployed stack afterwards (such as checking security group rules).
AWS CloudTrail:  Records the API calls made against AWS resources and can deliver these logs to CloudWatch Logs and CloudWatch Events for monitoring and alerting.
AWS VPC:  Provides each customer a logically isolated virtual network within AWS, with Layer 3 isolation through subnets, route tables and network ACLs.
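As an added example, not code from the original post or from Umbrella, the following Python shows the kind of check the Lambda entry above describes: a static pass over a CloudFormation template (parsed JSON) and a dynamic pass over the response shape of EC2 DescribeSecurityGroups, both flagging ingress rules that expose sensitive ports to the whole internet. The sample template, the sample API response, the sensitive-port list and all function names are constructed for illustration; in a real pipeline the live data would come from boto3's ec2.describe_security_groups() and pipeline_gate would be called from a Lambda handler or a CodePipeline/CodeBuild step.

```python
"""Security-group checks a DevSecOps pipeline can run before and after deployment.

Constructed example: the template, the API response and the policy below are
illustrative, not taken from any real account.
"""
import ipaddress
import json

# Assumed policy: these ports must never be reachable from the entire internet.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def _world_open(cidr):
    """True when a CIDR covers the whole IPv4 or IPv6 address space."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def classify_rule(cidr, protocol, from_port, to_port):
    """Return a reason string if an ingress rule violates policy, else None."""
    if not _world_open(cidr):
        return None
    if str(protocol) == "-1":  # -1 means all protocols and all ports
        return f"all traffic open to {cidr}"
    try:
        lo, hi = int(from_port), int(to_port)
    except (TypeError, ValueError):
        return f"unbounded port range open to {cidr}"
    hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
    return f"port(s) {hit} open to {cidr}" if hit else None


def check_template(template):
    """Static check: inspect security-group resources in a parsed CloudFormation template."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
            # Skip rules sourced from another security group and intrinsic
            # functions such as {"Ref": ...}; neither can be evaluated statically.
            if not isinstance(cidr, str):
                continue
            reason = classify_rule(cidr, rule.get("IpProtocol"),
                                   rule.get("FromPort"), rule.get("ToPort"))
            if reason:
                findings.append({"resource": logical_id, "reason": reason})
    return findings


def check_live_groups(response):
    """Dynamic check: inspect the dict shape returned by EC2 DescribeSecurityGroups."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                reason = classify_rule(cidr, perm.get("IpProtocol"),
                                       perm.get("FromPort"), perm.get("ToPort"))
                if reason:
                    findings.append({"resource": sg["GroupId"], "reason": reason})
    return findings


def pipeline_gate(template, live_response):
    """Print every finding and return a non-zero exit status when any exists."""
    findings = check_template(template) + check_live_groups(live_response)
    for f in findings:
        print(f"FAIL {f['resource']}: {f['reason']}")
    return 1 if findings else 0


# Constructed sample template: one well-scoped group, one bastion open to the world,
# and a standalone ingress resource sourced from another group (not a CIDR).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "public web tier",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
  "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "bastion host",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "DbIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "GroupId": {"Ref": "WebSg"}, "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "SourceSecurityGroupId": {"Ref": "WebSg"}}}}}
""")

# Constructed sample of a DescribeSecurityGroups response for a deployed stack.
SAMPLE_LIVE = {"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}

if __name__ == "__main__":
    raise SystemExit(pipeline_gate(SAMPLE_TEMPLATE, SAMPLE_LIVE))
```

Running the script fails the stage with two findings: the bastion group's SSH rule from 0.0.0.0/0 caught statically, and the deployed group's all-traffic rule from ::/0 caught dynamically. The HTTPS and HTTP rules open to the world are accepted because the policy only restricts the listed sensitive ports; widen SENSITIVE_PORTS or replace the set with an allow-list if the organization's policy is stricter. The dynamic pass matters because a template can be edited out of band after deployment, so the two checks together cover both the intended and the actual state.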

Implementing DevSecOps calls for a calibrated approach, guided by judgment and purpose rather than bogged down in a governance checklist. Automated tests in the CI/CD pipeline must be integral to the organizational change in which the DevOps team owns application security just as it owns quality, development and operations.

Umbrella has extensive experience in designing CI/CD pipelines for continuous release and deployment of code, using AWS services and third-party tools for automated testing, monitoring and compliance remediation. Umbrella has helped customers achieve PCI DSS compliance and ISA compliance in line with security best practices.

If you want to know more about our capabilities or want to implement DevSecOps in your organization, write to us at info@umbrellainfocare.com or call us at 9873892249.
