The concept of DevOps has been around for the last 10 years, gaining serious momentum as organizations have quickly moved to Agile to improve speed to market and customer satisfaction. Just as Agile facilitates collaboration and shared ownership between the Customer and Development to create the right Product, DevOps aims to do the same by facilitating collaboration and increased ownership between Development and Operations teams for deploying and monitoring their applications.
As DevOps has helped organizations deliver faster, they have also had to make sure that speed to market does not come at the expense of security and compliance standards. Although security is an important component of any application, planning and building for security has often been an afterthought. Given the frightening pace at which cyber-criminals operate today, the role of IT security has grown significantly, driving a mindset change that recognizes security as a shared responsibility that must be integrated and considered throughout the entire development lifecycle. This evolution in mindset has moved DevOps to what’s now known as DevSecOps.
Success in the DevOps world relies on automating as much of the development, testing, deployment, and monitoring work as possible. The goal is to automate any task or operation that is repeatable, requires accuracy or is prone to human error, and is tedious and/or mundane. This includes automating everything from server provisioning, infrastructure configuration, build processes, and code packaging to all phases of testing, deployments, and application monitoring. DevOps automation enables organizations to achieve Continuous Integration, Continuous Testing, and Continuous Deployment by creating repeatable, consistent, and traceable development processes and environments. These efficiencies greatly streamline the development lifecycle and allow development organizations to receive feedback on progress and respond to issues more quickly.
The benefits of automation in the DevOps world enable security to be more readily integrated (shifted left) into the process without adding additional burden or significant time to the development lifecycle. Just as all the phases of application testing verify that the product meets predefined quality standards, DevSecOps makes security an important quality requirement and an aspect of the overall quality standard. Executing automated security tests throughout the development cycle provides immediate feedback and helps to identify any vulnerabilities that may have been introduced unknowingly. This gives early warning of potential security flaws and allows remediation to occur much earlier in the process, when it is cheapest. In addition, automating all the required security testing ensures that every quality check is actually executed on every build rather than skipped under schedule pressure.
Testing for security shouldn’t be viewed or treated separately from the overall testing strategy. Just as application testing incorporates a number of different types of testing (e.g. unit, functional, regression) depending on where the application is in the development lifecycle, so does security testing. Different security tests are executed to validate the application from every possible threat angle as it evolves through the development lifecycle. The goal is to catch potential problems as early as possible and to ensure comprehensive coverage of the entire application. Security testing coverage can include:
- Functional security testing, such as password creation and access control.
- Code analysis, both Static and Dynamic. Static Code Analysis examines the source code and scans for security flaws before the code is executed, i.e. before unit testing. Dynamic Code Analysis exercises the running application after unit testing has been executed. This type of analysis can identify vulnerabilities that only appear in the run-time environment, and it also double-checks the results of Static Code Analysis in the event of a false negative.
- Vulnerability Scanning and Penetration Testing. Vulnerability scanning examines systems and identifies known weaknesses. Penetration testing identifies weaknesses in system configurations and organizational processes that could be used to compromise an organization’s security.
- Configuration Management and Compliance testing, which audits application configurations to validate that they adhere to defined standards and requirements.
There are also production processes, such as Continuous Monitoring, that can inform future test plans by using real-world production data to identify issues and future improvements.
DevSecOps enables organizations to truly fulfill their goal of delivering agility by implementing the culture, tools, and processes that create shared ownership for delivering the best and most secure products to their customers. Over the next several posts, we will continue to explore DevSecOps and what it can do for your organization.
Let Tsource Help You Create DevSecOps Expertise Within Your Organization
Tsource has been helping our commercial and government clients in Maryland, Virginia, and Washington, D.C. maximize their potential, right-size their infrastructure, and achieve their business and technology goals since 2003. Whatever your business technology goals are, we are passionate about listening to our customers to provide them with responsive and results-driven solutions. Our mission is to help our clients accomplish more with less by taking advantage of cutting-edge ideas and powerful new technologies and delivering the highest quality, best-value solutions to achieve our clients’ goals and missions. Our core services include management consulting, technical infrastructure, and software engineering. If you are interested in working with us, contact us online or give us a call at 410-970-6669.