26 Oct Why what and how: A complete guide to DevSecOps
Why what and how: A complete guide to DevSecOps
DevSecOps, short form for development, security and operations is a process that integrates security at every stage of the software development cycle from initial design through integration, testing development and finally software delivery. The DevSecOps approach has revolutionised the way organisations implement security in their software building process. The traditional security approach had organisations perform security checks or tests only at the end of the software development life cycle. The focus of the approach was predominantly application development and product delivery rather than security. By the time the testers or engineers checked the software for bugs, the product would have passed though initial stages of development and was almost fully developed. Finding and rectifying bugs and security threats at such a late stage meant reworking the codes again from scratch which was a very arduous and a time-consuming process. Thus, patching became the preferred solution or fix for bugs and security threats.
The proliferation in cybercrimes has resulted in such an advanced approach. Initially the software updates or patches were released only once or twice a year. Increase in attacks rendered the traditional tacked on approach useless as developers aimed to reduce the software development cycles.
DevSecOps is a process which integrates security into the each and every stage of the software development workflow. This helps in addressing and tackling issues as and when they are discovered at every stage rather than the product to be fully developed and then address the security issue at the last stage. This way, the threats or bugs are easier, faster, less expensive and less time consuming to fix. DevSecOps is an approach that states, security is a shared responsibility of development, security and the operations team rather that working in a silo type of structure. This ensures rapid and secure product delivery which was just an oxymoron in the security industry before the DevSecOps approach came into the picture.
Benefits of DevSecOps
The main aim of the DevSecOps approach is to induce security as a shared responsibility among the different teams and also ensuring fast and secure code delivery with security as the main constituent. The following are the benefit:
Swift and economical software delivery: When a software is developed in a non DevSecOps environment security delays and fixes can cause a huge time delay as the testing phase is done after the product is fully developed. This can be an expensive affair as well as the codes need to be reworked and developed from the scratch. DevSecOps integrates security at each and every stage which addresses the security issues at every stage and saves time by not repeating processes and procedures. This integrated approach eliminates, reworking, unnecessary rebuilds and duplicate or multiple reviews thus making it a cost effective and a rapid affair.
Better collaboration and improved security: Since security is integrated from the beginning of the software development cycle, the security codes are reviewed, audited, scanned and tested for security bugs at the end of each stage. The security issues are addressed or resolved immediately before additional or new dependencies are introduced and implemented. The shared security responsibility among the development, security and operations team improves the organisations response to security mishaps and errors which reduces the time taken for development.
Accelerated security patching: No system is failsafe and when new vulnerabilities and threats appear, the DevSecOps approach ensure rapid management of vulnerabilities. This approach integrates vulnerability scanning and patching into the release cycle in a timely manner which limits the threat and opportunity window an attacker has between the release of the software and release of a patch to address the vulnerability.
Automated process: Security testing can be integrated into an automated test suite for the operations team by an organisation if it carries out continuous integration pipeline process for software development. This automated product process relies on the product developed and the organisation goals.
Adaptable process: As organisations evolve, their security requirements and processes also evolve. The DevSecOps is a repeatable and an adaptable process which integrates security and implements a shared security model consistently across new environments to match the new needs and requirements. A completely mature DevSecOps implementation has solid automation, substantial configuration system, a steadfast orchestration and a strong infrastructural environment.
Types of testing in DevSecOps
There are two types of testing process in the DevSecOps approach
Continuous testing: is a process of performing and executing continuous stream of automated tests as a part of software delivery pipeline in order to receive feedback each time a code change is implemented. Improvement through feedbacks and quality enhancement is the main aim of continuous testing process
Functional testing: Is a process or testing method which ensures that a part or a piece of software are operating correctly and as per the pre-determined requirements. Examples include Unit testing, regression testing, smoke testing, production testing and API testing.
Where to test in DevSecOps?
IDE: Integrated development environment is an application which contains a source code editor, build automation tools and a debugger used in creating a software. Testing on IDE helps in achieving inbuilt security features that aligns with business requirements and create a robust software.
Scanning tools: Automatically scan for and detects vulnerabilities and bugs at each stage. Is highly recommended static code analysis of application source code. Highly customised scanners is efficient in searching or detecting predefined vulnerabilities and errors.
Pentesting: fully integrates into the DevSecOps environment bringing value to different teams. Although its slow and inflexible nature is a challenge in integrating it into the DevSecOps approach. It works best where chained exploits and business logic issues are found. Is a powerful layer of defence to detect vulnerabilities that are not caught by automated checks.
Regression: Is a testing process which tests previously developed or tested features to ensure it is working as per the requirements after a change is implemented before a new software version is released.
Manual Code review: Is done with collaboration with the development, security and the operations team by reviewing the codes line by line to check for errors and vulnerabilities. Though this type f testing is secured and enhances security, it requires a lot of skills, patience and time.