Edited By – Akash Goel
The purpose and intent of DevSecOps is to build on the mindset that “everyone is responsible for security”.
Integrating DevOps + Security = DevSecOps
David Cearley, an analyst at Gartner Inc., believes: “It’s development, it’s security, it’s operations operating as a dynamic force to create solutions”.
One of the goals of the DevOps philosophy is to bring down the walls between Development and Operations. DevSecOps is the next evolution, where Development, Operations and Security work together from day one. With DevOps, you might have a team of five developers and one operations engineer who works with them. In DevSecOps, add one security specialist to that team.
The DevSecOps (or Rugged Ops) concept is an extension of the DevOps philosophy. DevSecOps emphasizes the importance of integrating the security team into all parts of software development and deployment, rather than leaving them disconnected. When security experts are involved in designing, testing and managing code, they stand a better chance of helping an organization to discover and fix vulnerabilities before software goes into production.
Switching to a DevSecOps model in software development offers many benefits, but combining security and DevOps takes knowledge and planning.
The Security Opportunity of DevOps:
DevOps provides a huge opportunity for better security.
DevOps automation spans the entire pipeline, from code development and testing to infrastructure configuration and deployment. When done right, DevSecOps enables you to:
• Secure from the start: Security can be integrated from the early stages of your DevOps processes, and not as an ‘afterthought’ at the very end of the software delivery pipeline.
• Secure, automatically: As more and more of your tests and processes are automated, you have less risk of introducing security flaws through human error, your tests are more efficient and cover more ground, and your process is more consistent and predictable, so if something does break it is easier to pinpoint and fix. Automation only removes human error from the checks you actually encode, so the checks themselves need the same review and maintenance as application code.
• Get everyone on the same page/pipeline: By integrating security tools and tests into the pipeline used by Dev and Ops to deploy their updates, InfoSec becomes a key component of the delivery pipeline and an enabler of the entire process, rather than a gate outside it.
• Secure both the code and the environments: By building systems that are consistent, traceable and repeatable, you ensure that your environments are reproducible and that you know who changed what, and when.
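The “secure, automatically” and “same pipeline” points above describe a security stage that every deployment must pass through. The script below is an added example, not code from the original article or from any tool it mentions: a minimal pipeline gate that runs three automated checks (committed secrets, vulnerable or unpinned dependencies, and unsafe deployment settings) and fails the build on any HIGH finding. All inputs, package names, the advisory list and the deployment config are constructed for the example; in a real pipeline the same structure would wrap tools such as a secret scanner, a dependency auditor and an IaC linter.

```python
"""Minimal DevSecOps pipeline gate (illustrative example, constructed inputs)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # which stage raised it: secrets, deps, config
    severity: str   # "HIGH" blocks the build, "MEDIUM" is reported only
    location: str
    message: str


# --- Constructed sample inputs: these are not real project files ---
SAMPLE_SOURCES = {
    "app/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
    "app/client.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',  # AWS documentation example key, not a live credential
    "app/util.py": "def add(a, b):\n    return a + b\n",
}
SAMPLE_REQUIREMENTS = (
    "examplelib==1.2.0   # constructed package name\n"
    "safelib==4.0.1\n"
    "loosedep            # unpinned on purpose\n"
)
# Constructed advisory data: hypothetical package -> versions with a known issue.
ADVISORIES = {"examplelib": {"1.2.0", "1.2.1"}}
SAMPLE_DEPLOY = {"service": "api", "image": "registry.example/api:latest",
                 "run_as_root": True, "tls": True}

SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*=\s*['\"][^'\"]{8,}['\"]")),
]


def check_secrets(sources):
    """Scan every source line for credential-like patterns; any hit is HIGH."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pattern in SECRET_PATTERNS:
                if pattern.search(line):
                    findings.append(Finding("secrets", "HIGH", f"{path}:{lineno}",
                                            f"{name} committed to source"))
    return findings


def check_dependencies(requirements_text, advisories):
    """Flag pinned versions with an advisory (HIGH) and unpinned deps (MEDIUM)."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        name, version = name.strip().lower(), version.strip()
        if not sep:
            findings.append(Finding("deps", "MEDIUM", f"requirements.txt:{name}",
                                    "dependency is not pinned; build is not reproducible"))
        elif version in advisories.get(name, set()):
            findings.append(Finding("deps", "HIGH", f"requirements.txt:{name}=={version}",
                                    "version has a known advisory"))
    return findings


def check_deploy_config(cfg):
    """Check the deployment descriptor for unsafe or non-reproducible settings."""
    findings = []
    where = f"deploy:{cfg.get('service', '?')}"
    if cfg.get("run_as_root", False):
        findings.append(Finding("config", "HIGH", where, "container runs as root"))
    if not cfg.get("tls", False):
        findings.append(Finding("config", "HIGH", where, "TLS is disabled"))
    if "image_digest" not in cfg:
        findings.append(Finding("config", "MEDIUM", where,
                                "image not pinned by digest; deployment is not reproducible"))
    return findings


def run_gate(sources, requirements_text, advisories, deploy_cfg):
    """Run all checks; the gate passes only when no HIGH finding exists."""
    findings = (check_secrets(sources)
                + check_dependencies(requirements_text, advisories)
                + check_deploy_config(deploy_cfg))
    passed = not any(f.severity == "HIGH" for f in findings)
    return passed, findings


if __name__ == "__main__":
    ok, results = run_gate(SAMPLE_SOURCES, SAMPLE_REQUIREMENTS, ADVISORIES, SAMPLE_DEPLOY)
    for f in sorted(results, key=lambda f: (f.severity != "HIGH", f.check)):
        print(f"[{f.severity}] {f.check:8} {f.location}: {f.message}")
    print("GATE PASSED" if ok else "GATE FAILED")
    raise SystemExit(0 if ok else 1)
```

The non-zero exit status is what makes this a gate rather than a report: a CI job that runs it stops the deployment on a HIGH finding, while MEDIUM findings (unpinned dependencies, an image without a digest) are surfaced for the same team to fix. Because the checks are code, they run identically on every commit, which is the consistency and traceability the bullets above refer to.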
<Image Source : https://blog.radware.com/wp-content/uploads/2017/01/devsecops.jpg>