How to Implement a DevSecOps Pipeline

Introduction to DevOps, Security, and DevSecOps

DevOps is a set of practices that seek to reduce the development cycle by combining software development with IT operations. This arrangement traditionally leaves security as an afterthought. As the whole point of DevOps is to reduce the development lifecycle, relying on a separate team to tackle security concerns as the project nears completion is an unnecessary bottleneck. Therefore, software produced under this paradigm is either not as secure as it could be, or not as rapidly developed.

Bringing DevOps to Security

Security may be the last aspect of development that has been brought into the mindset behind DevOps, but the benefits are the same. Security as a final stage problem creates a bottleneck in two ways: The security team can’t get to work until the product is already done, but worse, there may have been bad practices throughout the development cycle that harm the security of the end result. By shifting left, not only is everything done at once, but security becomes a part of the design constraint of the software. Just like the move from traditional development to DevOps, making the move to DevSecOps will result in getting better results in a shorter time period.

1. Threat Modeling

In a traditional DevOps workflow, functionality is king. The team is focused on making a product that does what it’s supposed to do and does it well. With DevSecOps, you need to move beyond that thinking. Like the way a good QA person will look at the functionality and try to find ways to break it, a good security person will look at it and try to find ways to break into or abuse it. So, in the same way the QA team makes your software less buggy, the security team makes it more secure.

2. Using OWASP

The Open Web Application Security Project (OWASP) is an online community that provides a ton of great resources for security teams. In addition to raising awareness of the top ten security threats faced by web applications, the community publishes a number of testing guides to help take the mystery out of security. OWASP also maintains a list of tools for source code analysis, vulnerability scanning, security pipelines, testing, and more. These tools can be implemented into your development workflow to aid in the threat modeling and automated tests that are required to successfully integrate security into DevOps.

3. Identity and Access Management (IAM)

Controlling access and ensuring that only the proper people have privileges that could put the security of your software or the data of your business or customers at risk is a huge part of security, be it DevSecOps or traditional. Identity and access management (IAM) is important for both the software you are developing and the systems you are using to develop it.

4. Security Focused Deployment Patterns

Like development itself, the job of the security team isn’t over when the product is ready to ship. The process of deployment and the timeframe afterward are also important factors in keeping your software and your users’ data secure. There are some best practices for deployment that will aid in keeping any problems that crop up from a new release under control.

5. DevSecOps and Operations

Just as with DevOps, everyone comes together to make DevSecOps work. The operations side of the equation has plenty to do in order to ensure your product is as secure as it can be. Like many other aspects of DevOps, there may be some crossover here. That’s a good thing. What makes these paradigms so successful is that there is so much that can be accomplished jointly. Some examples of that for operations include maintaining release archives so the company can quickly roll back if needed, or maintaining and monitoring logs and other alerts.

6. Setting DevSecOps Policy

A common framework in DevOps is GRC, which stands for governance, risk, and compliance. Governance refers to the leadership, guidance, and specific policies that a company puts into place to achieve their goals. Risk is any uncertainty that could cause problems. Compliance is a way of ensuring that a set of guidelines or standards are applied. When everyone comes together to make it happen, as is the DevOps way, GRC becomes a guiding principle that allows a company to reliably achieve objectives and maintain its integrity.

7. Managing Change in DevSecOps

There’s always some level of risk involved in change. That risk is only amplified when security practices and procedures are a part of the change. Still, managing change in DevSecOps looks a lot like managing change in any DevOps environment. ITIL change management still provides the overarching framework that is augmented with specific policies that are relevant to a given business.

8. Monitoring Key Metrics

Keeping an eye on important metrics is an effective way of keeping everyone on track. There are metrics that can help you follow the progress of every aspect of development. Some important security-related metrics include:

  • Number of security tickets opened — It stands to reason that this number should be as low as possible. It can also be helpful to track the number of issues found during development. The goal is to trend towards more issues found during development rather than after deployment.
  • Number of failed security tests — A failed security test means more work finding and fixing the problem. One of the benefits of having security combined with DevOps should be a reduction in such failures.
  • Remediation time — This is the time it takes from discovery of a vulnerability to the time that it is fixed. Working to keep this number low will avoid vulnerabilities becoming a bottleneck in your processes.
  • Deployment time — This is similar to remediation time, except instead of focusing on when the vulnerability is fixed, it focuses on when the release is pushed to users. Quick release times give everyone the peace of mind of knowing that security problems aren’t in the wild for long.
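As an added example (not code from the original post), here is a small Python report that derives the four metrics above from a constructed set of security tickets and pipeline test results; the SecurityTicket fields, the 72-hour SLA threshold and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class SecurityTicket:          # one security finding; None fields = still open
    ticket_id: str
    found_at: datetime
    phase: str                 # "development" or "production"
    fixed_at: Optional[datetime] = None
    released_at: Optional[datetime] = None

parse_ts = datetime.fromisoformat   # ISO-8601 string -> datetime

# Constructed sample data, not real tickets or pipeline runs.
SAMPLE_TICKETS = [
    SecurityTicket("SEC-1", parse_ts("2024-03-01T09:00"), "development",
                   parse_ts("2024-03-01T17:00"), parse_ts("2024-03-02T10:00")),
    SecurityTicket("SEC-2", parse_ts("2024-03-03T12:00"), "production",
                   parse_ts("2024-03-06T12:00"), parse_ts("2024-03-07T12:00")),
    SecurityTicket("SEC-3", parse_ts("2024-03-05T08:00"), "development",
                   parse_ts("2024-03-05T20:00")),
    SecurityTicket("SEC-4", parse_ts("2024-03-08T08:00"), "production"),
]
SAMPLE_TEST_RESULTS = [("sast", True), ("dependency-scan", False), ("dast", True), ("secrets-scan", False)]
REPORT_TIME = parse_ts("2024-03-12T08:00")   # "now" for the sample report

def hours_between(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600

def security_metrics(tickets, test_results, now, sla_hours=72.0):
    """Metrics listed above; sla_hours (assumed) flags slow fixes and stale open tickets."""
    fixed = [t for t in tickets if t.fixed_at]
    released = [t for t in fixed if t.released_at]
    remediation = [hours_between(t.fixed_at, t.found_at) for t in fixed]      # found -> fixed
    deployment = [hours_between(t.released_at, t.fixed_at) for t in released]  # fixed -> released
    breaches = [t.ticket_id for t in tickets
                if hours_between(t.fixed_at or now, t.found_at) > sla_hours]
    in_dev = sum(t.phase == "development" for t in tickets)
    return {
        "tickets_opened": len(tickets),
        "still_open": len(tickets) - len(fixed),
        "found_in_development_ratio": in_dev / len(tickets) if tickets else 0.0,
        "failed_security_tests": sum(not ok for _, ok in test_results),
        "mean_remediation_hours": mean(remediation) if remediation else 0.0,
        "mean_deployment_hours": mean(deployment) if deployment else 0.0,
        "sla_breaches": breaches,
    }
```

Feed it your tracker's export and run it on every pipeline to watch the development-phase ratio rise and the remediation and deployment hours fall over time.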

Learn More

We’ve introduced a lot of concepts in this post, but implementing a DevSecOps pipeline is a fairly complex subject that can’t be adequately covered in a single blog post. If you want a step-by-step explanation of the processes, tools, and pitfalls you’ll encounter while building your DevSecOps operation, consider signing up for Cprime’s DevSecOps Boot Camp. We’ll tell you everything you need to know in order to get your new team working together to build more secure products. If you have any questions about the boot camp, please do not hesitate to contact us.

Cprime

An Alten Company, Cprime is a global consulting firm helping transforming businesses get in sync.