This is the first of a blog series on DevSecOps. This first blog is an overview and subsequent blogs will take deeper dives into different aspects of the process. Planning is the next blog in the series.
Among its evangelists and advocates, DevOps is about the cultural shift from traditional silo groups to the integration of a DevOps team. DevOps teams speak about change, feedback, inclusiveness, and collaboration. The goal is to bring everyone who has a seat at the table onto a common platform to work together and deliver changes to business systems safely and securely. Companies that choose to go through digital transformation use DevOps as their platform to deliver software at speed and scale.
The two practices DevOps follows are Continuous Integration (CI) and Continuous Delivery (CD), together called “CI/CD”. The principle of CI/CD is to ensure fast, low-risk changes to business systems by using the same delivery mechanism for all environments (staging, production, disaster recovery). Automated software delivery and mirror images of each environment allow for fast promotion of releases. The only items that change between environments are the variables and secrets (passwords, certificates, keys) used by the software to customize the deployment for that particular environment.
Each process in DevOps is designed to be inclusive of all groups. The tasks inside each process are defined by the teams, but they also allow the other groups' tasks and tools to be overlaid so that software is delivered safely, securely and collaboratively into the different business system environments. The next section describes how DevSecOps overlays onto DevOps.
What is DevSecOps?
DevSecOps is how our security teams overlay onto DevOps to gain visibility and increase security throughout the software lifecycle. DevSecOps helps our organization maintain secure coding practices, protect the assets created, and deliver code into environments that are audited and monitored for vulnerabilities. Below is a high-level description of each DevOps process and how DevSecOps provides coverage.
Plan – The initial phase of the project, where tasks and schedules are organized and the user story (what a user needs to accomplish in the business system) is defined. Developers are trained on how to help protect the software they are writing from supply chain attacks or license compliance issues introduced by using open-source software.
Code – Developers write software code that follows the user story and they save it into a repository for storage and sharing. Repositories require authorization and authentication as well as auditing and logging for least-privilege and need-to-know access to the repository.
Build – Build pipelines compile the software code and prepare it as an artifact or package for deployment into business system environments. Identifying source code vulnerabilities, poor coding practices, and open source license violations all reduce the risk of supply chain attacks.
Test – Automated testing tools evaluate the software and make sure it follows the user story without introducing software bugs or vulnerabilities that can be exploited by hackers.
Release – The release pipeline is a set of tasks to deploy software into the business system environments. Artifacts and packages are made available from a secured location. Variables and secrets (passwords, certificates, keys) used by the software are securely controlled and delivered only to the assigned environments.
Deploy – Operations performs deployments to enforce separation of duties. This prevents development teams from promoting applications to upper-level environments without authorization. Operations controls the software deployment using change control and approval mechanisms for auditing purposes.
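The release and deploy controls described above (one artifact promoted unchanged from environment to environment, only variables and secrets differing per environment, secrets delivered only to their assigned environment, and operations approving deployments under separation of duties) as an added Python example. This is not code from the original post; the environment names, roles, variables and secret values are constructed for illustration, and the promotion order staging → production is an assumption.

```python
"""Added example (not from the original post): a minimal model of release
promotion with the controls the post describes. Environment names, roles,
variables and secret values below are constructed for illustration."""
import hashlib
from dataclasses import dataclass

# Assumed promotion order: a release may only reach an environment after
# the identical artifact has been deployed to the one before it.
PROMOTION_ORDER = ("staging", "production")

# Constructed per-environment configuration. Secrets are keyed by the single
# environment allowed to receive them; nothing else in the release changes.
ENV_VARIABLES = {
    "staging": {"DB_HOST": "db.staging.internal", "LOG_LEVEL": "debug"},
    "production": {"DB_HOST": "db.prod.internal", "LOG_LEVEL": "info"},
}
ENV_SECRETS = {
    "staging": {"DB_PASSWORD": "staging-only-secret"},
    "production": {"DB_PASSWORD": "production-only-secret"},
}


class ReleaseError(Exception):
    """Raised when a release or deployment violates a control."""


@dataclass(frozen=True)
class Artifact:
    """An immutable build output identified by its content digest."""
    name: str
    content: bytes

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Change:
    """A proposed deployment: who authored it and which artifact it ships."""
    author: str
    artifact: Artifact


def render_deployment(artifact: Artifact, environment: str) -> dict:
    """Assemble the deployment for one environment: the same artifact digest
    everywhere, with only that environment's variables and secrets attached."""
    if environment not in PROMOTION_ORDER:
        raise ReleaseError(f"unknown environment {environment!r}")
    return {
        "artifact": artifact.name,
        "digest": artifact.digest,
        "variables": dict(ENV_VARIABLES[environment]),
        "secrets": dict(ENV_SECRETS[environment]),
    }


def check_promotion(deployed: dict, artifact: Artifact, target: str) -> None:
    """Allow promotion to `target` only if the identical artifact (same digest)
    is already running in the preceding environment. `deployed` maps an
    environment name to the digest currently deployed there."""
    index = PROMOTION_ORDER.index(target)
    if index == 0:
        return  # first environment: nothing to promote from
    previous = PROMOTION_ORDER[index - 1]
    if deployed.get(previous) != artifact.digest:
        raise ReleaseError(
            f"{artifact.name} {artifact.digest[:12]} is not the artifact running "
            f"in {previous}; rebuilt artifacts are not promoted"
        )


def deploy(change: Change, target: str, approver: str,
           operators: set, deployed: dict, audit: list) -> dict:
    """Operations-controlled deployment with separation of duties: the approver
    must be an operator and must not be the change's author. Every successful
    deployment is recorded in `audit` and in `deployed` for later promotions."""
    if approver not in operators:
        raise ReleaseError(f"{approver} is not authorized to approve deployments")
    if approver == change.author:
        raise ReleaseError(f"{approver} cannot approve their own change")
    check_promotion(deployed, change.artifact, target)
    deployment = render_deployment(change.artifact, target)
    deployed[target] = change.artifact.digest
    audit.append({"environment": target, "digest": change.artifact.digest,
                  "author": change.author, "approver": approver})
    return deployment


def is_rejected(action) -> bool:
    """Run a zero-argument action and report whether a control rejected it."""
    try:
        action()
    except ReleaseError:
        return True
    return False


if __name__ == "__main__":
    audit, deployed, operators = [], {}, {"olivia"}
    change = Change(author="dana", artifact=Artifact("app", b"build-1"))
    deploy(change, "staging", "olivia", operators, deployed, audit)
    deploy(change, "production", "olivia", operators, deployed, audit)
    for entry in audit:
        print(entry)
```

The staging deployment never sees the production secret value, a rebuilt artifact cannot jump straight to production, and the author of a change cannot approve its own deployment; the audit list is what a change-control review would inspect afterwards.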
Operate – Infrastructure as code is used to scale business systems to support customer demand. Denial of service protection, scalable infrastructure, security tools, log monitoring, and patch management protect the business system environments from attacks.
Monitor – Application logs are collected and monitored for troubleshooting, errors and exceptions that can be alerted on for support. This helps identify attackers and malicious actors causing the business system to behave erratically.
Decommission – Customers are safely moved to the replacement business system, infrastructure is turned down, and pipelines and repositories are retired. This protects against accidentally deploying legacy code or allowing a system to remain online that could be vulnerable to attacks or misuse.
DevOps lowers security risk by using automation, mirrored environments, and introducing cultural changes to the organization. Coupled with cybersecurity, DevSecOps increases our confidence that change can be introduced without compromising confidentiality, integrity and availability. This blog series will dive into each of the DevOps processes in more detail and the DevSecOps resources that overlay the model.