DevOps is an approach that integrates software development (Dev) and IT operations (Ops). It leads to a more responsive software development lifecycle, enabling faster software delivery and more frequent releases. DevOps has similarities to the Agile approach, with both techniques framing software development as an integrated and continuous process.
DevSecOps brings security (Sec) into the mix as well. With DevSecOps, we are applying security practices throughout the entirety of the software development lifecycle. It allows us to deliver secure code in a quicker and more cost-effective manner. Automation plays a vital role in securing code all the way from the beginning stages, right through to testing, deployment and delivery.
Earlier approaches to software development often involved adding in security controls at the final stages of a project, rather than involving security from the start. This could lead to substantial security holes that were often incredibly difficult to fix. If security had been considered from the planning stages onward, these could have been much easier to address.
Since DevOps is a high-speed approach to software development, DevSecOps has limits on how much time there is for security testing. To compensate, we must rely on automation to speed up our security processes. We should incorporate security controls throughout the continuous integration/continuous delivery pipeline. Controls like static code analysis, vulnerability scanning, and peer review are important for limiting vulnerabilities in software.
The DevSecOps Manifesto
The DevSecOps Manifesto contains a set of principles that highlight the most important aspects of the approach. The principles of DevSecOps are:
- Leaning in over Always Saying “No”
- Data & Security Science over Fear, Uncertainty and Doubt
- Open Contribution & Collaboration over Security-Only Requirements
- Consumable Security Services with APIs over Mandated Security Controls & Paperwork
- Business Driven Security Scores over Rubber Stamp Security
- Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
- 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
- Shared Threat Intelligence over Keeping Info to Ourselves
- Compliance Operations over Clipboards & Checklists
