How to move from DevOps to DevSecOps


To stay in the lead and capitalize on new technologies, DevOps teams in many organizations now employ a constellation of IT tools, cybersecurity tools, and infrastructure components. However, more solutions grant hackers more potential entry points to strike from.

About the author

Lucy Kerner is Security Global Strategy and Evangelism Director at Red Hat.

Software supply chain attacks - attacks that use third-party software or freely available upstream software libraries and components that developers can easily download off the internet - have become increasingly prevalent, with attackers leveraging these opportunities to hack thousands of businesses and organizations at once.

One of the biggest examples of a software supply chain attack on record was in 2020, when malicious code written into a SolarWinds software update spread through US federal government departments. More recently, in March this year, more than 20,000 organizations were compromised through a vulnerability in Microsoft Exchange Server. Software supply chain security has become such hot news that it is the subject of a new Executive Order from the White House.

However, it’s also true that complex software is an inevitable necessity for many enterprises. So how do they grapple with this security threat? The key lies in embracing the same ideas, processes, and tools that enabled DevOps to succeed, and to integrate security into people, process, and technologies. In doing this, security becomes a fundamental and continuous part of the application and infrastructure lifecycles. In short, they enable the creation of a “DevSecOps” culture.

Bringing security into the fold

The transition to DevOps has been revolutionary. By automating the handoffs that once sat between development and operations teams, it has allowed developers to create high quality software while allowing operations teams to deliver continuously and with consistent service quality. With those handoffs automated, each team folds the other into its workflow and can focus on its own strengths.

This approach can also be applied to security, and hence the concept of DevSecOps. Rather than security serving as a squeaky wheel that disrupts DevOps workflows when it arises, security should instead serve as an integral but almost unnoticeable part of the workflow. This requires interactions between security and DevOps being automated so as to deliver the ideal trifecta of quality software, continuous service, and high security.

But what does this concept mean in practice? To make sense of DevSecOps, you need to make sense of three key techniques that facilitate it: automation, open standards, and zero trust architecture.

Technique 1: Automation

At the heart and foundation of DevSecOps, just as with DevOps, is automation. Automation allows for consistent, repeatable processes that simplify interactions between development, IT infrastructure, and security teams. The reason DevSecOps can even be a consideration for teams is because of our increased ability to automate workflows: whether it be assignments to stakeholders for projects, handling mundane and repetitive tasks on behalf of teams, or orchestrating and integrating IT tools.

Automation also lets you build security into the whole application life cycle. By creating common, automated application pipelines that bring security tools and checks into the build and deployment processes, team members can run approved security checks at each stage, so that security and consistency are built into your applications from the start.
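As an added illustration of the "approved security checks at each stage" idea (example code, not from the article or any Red Hat product), the following pipeline gate evaluates a constructed dependency-scan report against a per-stage policy: a looser ceiling at build time, a stricter one (plus mandatory version pinning) before deployment. The report format, stage names and policy values are all hypothetical.

```python
import json

# Severity ordering used to compare a finding against a stage's ceiling.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-stage policy (hypothetical): each stage names the highest severity it
# tolerates and whether every component must be pinned to an exact version.
STAGE_POLICY = {
    "build": {"max_severity": "high", "require_pinned": False},
    "deploy": {"max_severity": "medium", "require_pinned": True},
}

# Constructed scan report, shaped like a generic SCA tool's JSON output.
SCAN_REPORT = json.dumps({
    "components": [
        {"name": "libfoo", "version": "1.4.2", "pinned": True, "vulns": []},
        {"name": "libbar", "version": "2.0.0", "pinned": False,
         "vulns": [{"id": "EXAMPLE-0001", "severity": "high"}]},
        {"name": "libbaz", "version": "0.9.1", "pinned": True,
         "vulns": [{"id": "EXAMPLE-0002", "severity": "medium"}]},
    ]
})


def evaluate_gate(report_json, stage, accepted_ids=()):
    """Apply the stage's policy to a scan report and return (passed, findings).
    accepted_ids lists vulnerability ids covered by a documented risk acceptance."""
    policy = STAGE_POLICY[stage]
    ceiling = SEVERITY_RANK[policy["max_severity"]]
    findings = []
    for comp in json.loads(report_json)["components"]:
        label = f"{comp['name']}@{comp['version']}"
        for vuln in comp["vulns"]:
            if vuln["id"] in accepted_ids:
                continue  # risk accepted and recorded outside the pipeline
            if SEVERITY_RANK[vuln["severity"]] > ceiling:
                findings.append(f"{label}: {vuln['id']} is {vuln['severity']}, "
                                f"above the {stage} ceiling of {policy['max_severity']}")
        if policy["require_pinned"] and not comp["pinned"]:
            findings.append(f"{label}: version is not pinned")
    return not findings, findings


if __name__ == "__main__":
    for stage in STAGE_POLICY:
        passed, findings = evaluate_gate(SCAN_REPORT, stage)
        print(stage, "PASS" if passed else "FAIL", findings)
```

With this report the build stage passes while the deploy stage fails twice (the high-severity finding and the unpinned component), which is the kind of stage-specific, automatically enforced gate the paragraph describes.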

Where these tasks once required emails between teams and delays while work was manually allocated and triaged, automation now handles them near-instantaneously. This breaks down the logistical and technical barriers that kept security teams at arm's length from DevOps teams, allowing them to be seamlessly looped in without compromising the ability of DevOps teams to deliver.

Technique 2: Open standards

As in any specialized ecosystem, security professionals have developed their own platforms and language to execute and describe their processes and techniques. To fully realize DevSecOps, though, the needs and requirements of security and DevOps teams must be easily translatable between them.

That’s where open standards and open source tools come in. As opposed to proprietary software, open source software and applications can help standardize the platforms and languages used across prospective DevSecOps teams. In this way, both DevOps and security teams can all do their work using compatible platforms and in a way that’s consistent and comprehensible to one another: both saving time, and also reducing the risk of errors being made in translating workflows across teams.

Technique 3: Zero trust architecture

Key to tackling something like a supply chain attack is ensuring that a single point of security failure cannot compromise a business’s whole tech stack. Even if a malicious actor obtains login credentials, database locations, or IP addresses - and in more serious attacks, they often do - they should be unable to reach the rest of the system or network.

That’s why organizations should adopt a “zero trust” security approach, which acknowledges that traditional network perimeters and implicit trust models do not adequately protect data, assets, or workloads. Zero trust relies on teams being able to segment networks automatically, so that a breach of one segment cannot be used to reach the rest. Instead of assuming that anything or anyone inside the IT network is trusted, zero trust assumes the opposite and builds a security environment around the concepts of de-perimeterization and least privilege.

This allows permissions to be hyper-granular, meaning that a breach at one location in a network stays confined there. At the same time, zero trust’s automation ensures it doesn’t disrupt regular workflows, by quickly giving legitimate users sufficient access to do their work.

Taken together, the DevSecOps culture that’s created through mixing automation, open standards, and zero trust is one that sees security baked into the application and infrastructure life cycles from the start. This guarantees robustness of processes, applications, and their associated supply chains, while also allowing teams the flexibility to ensure they can still deliver innovative and reliable applications and services.
