What is secure DevOps?

Charley Chen
4 min read · Aug 1, 2019

Secure DevOps, also called DevSecOps or Rugged DevOps by practitioners, is a term often used to describe DevOps practices that include security checks and reviews throughout the software production pipeline. It’s no accident that “Sec” sits in the middle.

Secure DevOps defined: Beyond the buzzwords

Gone are the days of tossing a build over the wall and hoping that it works in production. The ideal practices in the software industry now involve deeper collaboration and cross-cutting work between development and operations. This is DevOps.

DevOps accelerates the velocity with which products are deployed to customers. The catch is that DevOps moves fast, and security must move faster to keep up.

Most of the “experts” out there just repeat the statement that mixing DevOps with security is a good thing, without telling you how to actually do it. Fortunately, there are concrete themes and practices that make secure DevOps possible, and the place to start is with a proper definition. But first, to wrap your head around the modern ideas of secure DevOps, also known as DevSecOps and rugged DevOps, consider where it all started.

Get your head in the game, app sec

In the good old days, products were built using the waterfall process, where the release cycle was measured in years, and the security process could take almost as long as the team wanted. With the onset of agile development, however, things got speedier. Agile time is measured in weeks instead of years, and people stand up at meetings. People can still run a manual security process under agile, because the pace is just slow enough, but the speed expected with DevOps is much faster. Application security must speed up to keep pace with the speed of business, and that means automation is king.

DevOps is agile on steroids, but without all the people. People are still involved under DevOps, but in a different capacity. People are not the process: The pipeline, the set of phases and tools that the code follows to reach deployment, defines the process. Secure DevOps phases include build, test, and deployment. Build automation includes the tools needed to grab the code and compile it. Test executes the automated test cases, and deployment drops the build into its final destination. People monitor the process and respond to process failures.

Putting the “continuous” in security

A perspective on DevOps begins with all things continuous. Continuous integration (CI) is the principle that code changes are checked into the source code repository in small batches. With each check-in, the build system automatically checks out the latest version of code and goes through the build process. If the code that is checked in breaks the build, your changes get backed out and you get to figure out what caused the breakage.

Continuous delivery and continuous deployment (both abbreviated CD) are principles for how test results are reviewed and how the system decides what to do with a build. You run a set of tests and, if the code passes, the build moves to a staging environment.

With continuous delivery, this is the point at which a human steps into the process and manually makes the decision to push the new code into production. Continuous deployment is similar, except that the decision to push to production is automated as well. Then there are no human beings in the build pipeline at all, so now you see why security checks must be automated, just like everything else in DevOps.

The secret to secure DevOps: It’s in the code

You must embrace two foundational principles to successfully mesh DevOps and security: security as code (SaC) and infrastructure as code (IaC).

Security as code refers to building security into the tools that already exist in the DevOps pipeline. This means automation over manual processes. It means, for example, static analysis that checks only the portions of code that have changed in a commit, rather than rescanning the entire codebase on every check-in, so the check finishes fast enough to gate the build.
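As an added example of this idea (not code from the original post, and not the rule set of any real SAST tool), the script below reads a unified diff such as `git diff` produces, pulls out only the lines a change adds, runs a few illustrative security rules against those lines, and returns a gate decision the pipeline can act on. The diff, file paths and rule patterns are constructed for the example; a real pipeline would feed it the pull request diff and a proper scanner's rules.

```python
"""Incremental security check for a CI pipeline (illustrative example).

Only the added lines of a diff are scanned, which is what lets a security
check keep pace with every check-in instead of rescanning the whole tree.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    path: str
    line: int        # line number in the new version of the file
    text: str


# Illustrative rules (assumed for this example, not a real tool's rule set):
# (rule id, pattern, severity). Severities in BLOCKING fail the build.
RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*=\s*["'][^"']{8,}["']"""),
     "high"),
    ("shell-injection", re.compile(r"subprocess\.\w+\(.*shell\s*=\s*True"), "high"),
    ("eval-usage", re.compile(r"\beval\("), "medium"),
    ("unsafe-deserialize", re.compile(r"\bpickle\.loads?\("), "medium"),
]
BLOCKING = {"high"}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def added_lines(diff_text):
    """Yield (path, new_line_number, content) for each line the diff adds.

    Tracks the hunk header so every added line gets the line number it will
    have in the new file, which is what a reviewer needs to locate it.
    """
    path = None          # path of the file currently being parsed
    new_line = 0         # next line number in the new file
    expect_new_header = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            path = None
            continue
        if path is None and raw.startswith("--- "):
            expect_new_header = True
            continue
        if expect_new_header and raw.startswith("+++ "):
            expect_new_header = False
            target = raw[4:].split("\t")[0].strip()
            if target == "/dev/null":           # file was deleted
                path = None
            else:
                path = target[2:] if target.startswith("b/") else target
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if path is None:
            continue
        if raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                             # removed line or "\ No newline" marker
        else:
            new_line += 1                        # unchanged context line


def scan_diff(diff_text):
    """Run every rule against every added line; return the findings in order."""
    findings = []
    for path, line_no, content in added_lines(diff_text):
        for rule_id, pattern, severity in RULES:
            if pattern.search(content):
                findings.append(Finding(rule_id, severity, path, line_no, content.strip()))
    return findings


def gate(findings):
    """Pipeline decision: True lets the build proceed, False blocks it."""
    return not any(f.severity in BLOCKING for f in findings)


# Constructed sample diff: one commit that hardcodes a credential and adds
# shell=True and eval(); the API_KEY line reads from the environment and must
# not be flagged.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-prod-2019"
+API_KEY = os.environ.get("API_KEY")
 DEBUG = False
+TIMEOUT = 30
diff --git a/app/tasks.py b/app/tasks.py
--- a/app/tasks.py
+++ b/app/tasks.py
@@ -10,3 +10,4 @@ def run(job):
     log.info("running %s", job.name)
-    subprocess.run(["convert", job.path])
+    subprocess.run("convert " + job.path, shell=True)
+    result = eval(job.expression)
     return result
"""

if __name__ == "__main__":
    results = scan_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f.path}:{f.line}: [{f.severity}] {f.rule}: {f.text}")
    sys.exit(0 if gate(results) else 1)
```

Run as a pipeline step, a non-zero exit blocks the build the same way a failing unit test would; findings carry the new-file line numbers so they can be posted as review comments on the exact lines the commit introduced.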

IaC means describing infrastructure in code and letting DevOps tools build and update the components from that description. Examples of such tools include Ansible, Chef, and Puppet. Gone are the days of system administrators spending time fixing problems on an individual system. With IaC, if a system has a problem, it is torn down and a new one is created from the same definition to fill the spot.

Security is primarily a people problem

In any process or methodology, people create the vulnerabilities. Luckily, DevOps is also a cultural philosophy, not just a technical one. DevOps teams live and breathe the culture behind it. The hinge to success for DevOps security lies in changing the underlying DevOps culture to embrace security — with no exceptions. As with any other methodology, security must be built in.

Secure DevOps buzzwords

There’s massive confusion across the security community as to what to call secure DevOps. Terms include “DevSecOps,” “SecDevOps,” “DevOpsSec,” and even “rugged DevOps.” This hints at the disconnect that exists within secure DevOps thinking.

For secure DevOps, it’s still the Wild West out there. There is no standard that defines security for DevOps, and the chances of a standard developing are small because different organizations are doing things their own way; they can’t even agree on a standard name. There is an ISO standard for application security (ISO/IEC 27034-1), but few organizations ever validate against it.

DevOps + security is goodness

Each of these terms refers to the same exact thing: the principles of how you apply security to DevOps. The term DevSecOps appears to be seizing the day and mindshare across Twitter and at conferences. DevSecOps is the current “movement,” with its own website and a manifesto.

DevOps had the attention of the security community from almost the start — or at least from its infancy. DevOps + security is not easier than security for waterfall or agile, but it isn’t any more difficult. It’s just different, and a heck of a lot faster.

Charley Chen

Technology fan: quantum computing, Hyperledger, cloud, microservices