DevSecOps and Continuous Security

After many years of shifting to DevOps, we see nowadays a rising trend of DevSecOps . This is mainly for two reasons. First, there are far more security threats these days. Second, there are many more tools on the market that you can easily integrate into the CI/CD process. Therefore, DevSecOps is gaining popularity because it’s relatively easy to upgrade your DevOps to DevSecOps. In this post, you’ll learn what DevSecOps is and what it isn’t. We’ll also look into how continuous security works. Let’s get going.

DevSecOps: What It Is and What It Isn’t Let’s clarify some common myths about DevSecOps.

First of all, DevSecOps doesn’t mean that you get rid of your security team. DevSecOps doesn’t necessarily try to replace SOC engineers. Instead, it’s more about empowering application and operations teams with security capabilities instead of just offloading every security-related task to a security team. Also, DevSecOps is often implemented in smaller companies that don’t actually have a dedicated security team.

Secondly, DevSecOps doesn’t mean that suddenly all your developers need to become security engineers. Some basic cybersecurity training wouldn’t hurt, of course. But in general, the point of DevSecOps is to give developers tools and processes that help them improve security without the need for raw security knowledge.

Similarly, DevOps doesn’t mean that your developers need to learn everything about infrastructure. Instead, they get the ability to manage infrastructure with a self-service type approach.

Continuous Security

DevOps comes with continuous integration and continuous delivery . Similarly, DevSecOps is about continuous security. What does that mean, exactly? It means that if you add just one extra step to your CI/CD pipeline, that will execute a security scan that’s not DevSecOps. In order to truly benefit from DevSecOps, you can’t treat security as yet another checkbox to tick in your pipeline.

Don’t Treat Security as a Roadblock

Security isn’t something that always tries to slow you down and only creates problems. This assumption often comes from how security teams worked in the past. They had to block many of your ideas because there weren’t many good cloud-native security tools. But that’s not the case anymore.

And if you implement DevSecOps and Continuous Security properly, using modern tools, security won’t be a roadblock for you. Instead, you’ll actually get more freedom.

For example, firewall rules approvals don’t need to take a few days. Therefore, they don’t need to limit you in what you can and what you can’t open. This is only the case if you try to adapt a traditional IP: PORT-based firewall to modern environments. But if you use native, next-gen Layer 7 firewalls, approvals can be done much more quickly and easily.
Security for the Whole SDLC Process
Last but not least, the “continuous” part of continuous security means that you should include security on multiple steps of the SDLC process.

Start by checking code for security flaws already in the code writing steps. You can do that, for example, by installing plug-ins for your IDE. Security-focused plugins will lint and check the code for common issues.

Next, perform security scanning at least twice in the CI/CD pipeline : once for the committed code itself, and the second time for the generated artifact (for example, a docker image).

Don’t stop security once the code is deployed. Quite the opposite!

In the case of containers and Kubernetes, you can install a runtime security tool. Such a tool will check for any malicious activities on the running containers after the code is already deployed.

Summing up and Learning More

DevSecOps is becoming more popular. At the same time, it can be easily misunderstood. If you understand well what DevSecOps is and what it isn’t, you probably won’t hesitate to upgrade your DevOps processes.

DevSecOps and Continuous Security helps modern teams move faster while increasing security at the same time. Implementing DevSecOps means that security is no longer a roadblock. It helps you bring actual values without compromising developer experience.

If you want to learn more about this topic, join our Cybersecurity Hackathon for comprehensive learning sessions. And don’t forget that Cprime has lots of other courses available too.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cprime

An Alten Company, Cprime is a global consulting firm helping transforming businesses get in sync.