DevSecOps is a relatively new approach to continuous software development processes in agile environments. It is an extension of DevOps (Development + Operations) that includes security. The order of component terms in the DevSecOps name, however, may lead to incorrect application security approaches. That is why some sources propose SecDevOps as a better term.
Traditional DevOps processes do not include security. This means that many application development businesses that practice DevOps initially have no security teams at all! Such businesses may perceive DevSecOps as a process in which they first develop the application, then test it for security in a staging environment, and then deploy it in production. Even worse, they may attempt a DevOpsSec approach where the application is tested only after it is deployed. Both these approaches may cause major delays in development and are not fit for agile DevOps practices with security included.
Incorrect DevSecOps Approach
In an incorrect DevSecOps approach to continuous development, the business has a separate security team that is responsible for security testing. In such a case, the development team builds an application using a CI/CD (Continuous Integration / Continuous Delivery) solution. New code is automatically compiled using such a solution and then tested (but this does not include security testing). When the code is ready, the application is deployed on a staging environment and that is when the security team starts working on it (either manually or using automated tools).
The problem with this approach is that security issues are found late in the process. If the security team finds a security concern, the application must be corrected and go through the entire process again. This is not agile and it also creates a bottleneck for the security team. In the worst case, there is no time left to correct the application because the project managers or product/service owners cannot cater for potential delays caused by the necessity to go back to the development and build process. If so, the application may have to be released with security issues!
Correct SecDevOps Approach
The correct way to include cybersecurity in the development lifecycle is to see information security as the number one priority. Security practices should be included in every stage of application development. There should be a minimal security team that focuses on security policies, oversees continuous deployment, and performs advanced manual penetration testing. As many security tasks as possible should be performed by other teams in the DevOps pipeline.
A SecDevOps approach begins with education. Security teams should provide training on secure coding practices. For example, developers should be taught never to trust user input and to use parameterized queries or stored procedures to avoid SQL Injection vulnerabilities. Test developers and QA teams should be taught, what tools they can use and how to create security tests for the development cycles. Operations teams should be taught how to make regular security vulnerability scanning part of the operations.
Educated teams can handle most of build security themselves. Operations engineers can integrate products such as the Acunetix vulnerability scanner with CI/CD tools. This way, every build delivered by the development team is immediately scanned in real-time for issues and the developer is notified about issues that they need to correct. Operations engineers can also integrate vulnerability scanners with issue tracking systems so that every issue is automatically retested after being closed by the developer. IAST tools like Acunetix with AcuSensor are best suited in such cases because they report much less false positives than SAST tools and they provide more information to the developer than DAST tools.
A Recipe for Secure Software
As an afterthought, no matter what name you choose for your secure DevOps, the important thing is to realize that security should not be an isolated island in your development and deployment processes but an integral part of every activity in the release cycle. To deliver secure products, you need wide-reaching security policies and it is recommended that you follow cybersecurity frameworks. It’s not about which tools you choose, how many security professionals you employ, but how you ensure that every member of the team (developers, QA engineers, project managers, product/service owners, administrators, operations engineers – everyone) does their job with potential security challenges in mind. Only with rugged DevOps and suitable security controls everywhere can you be sure that your company name does not end up in the hall of shame after a security breach.