DevSecOps

DevSecOps stands for Development, Security and Operations. DevSecOps can be viewed as an evolution of the DevOps practice, resulting from the philosophy of including security in the design step rather than as an afterthought at the end of development.
DevOps orchestrated rapid development cycles, which have become both a norm and a necessity in today's software development. As a result, security can no longer be pushed towards the end of the cycle, both for the effectiveness of system security and to maintain the agility of a DevOps-based SDLC. Hence, a mindset change was necessary to incorporate security into the mainline development process. Agile development evolved into DevOps as a natural evolution of the methodology, sharing development and operations practices for a more effective, integrated approach; DevSecOps is the next step in the same evolution.

As with the evolution to DevOps, DevSecOps requires a shift in mindset towards further integration of development and operations. Indeed, DevSecOps goes a step further by proposing to integrate security perspectives across the process. The schematics below depict how the DevOps process is modified by DevSecOps.

This integrated security approach adds robustness to the existing agility of the DevOps development life cycle while ensuring the security perspective does not inflate the cycle times. With security taking center stage in IT systems, the DevSecOps practice is gaining prominence as the de facto practice in the software development world.

Building a secure SDLC involves securing each step in the SDLC to incorporate security considerations.

A brief summary follows:

  1. Scope and Plan – Scoping and planning exercises should include preparing each of the subsequent phases of the SDLC to maintain security requirements. Identifying the full set of security needs, such as compliance with a specific standard or coverage of a specific class of vulnerabilities, is critical so that these needs can be met and maintained through the full lifecycle.
  2. Design – This is the phase where the needs from the previous phase are designed into the system build, following established principles [ref].
  3. Develop – The design is implemented in the development phase. Where possible, automated tools should be employed to ensure the integrity of each part of development – code, repository, etc.
  4. Test – Automated testing is ideal for this phase, providing the widest and deepest possible security testing without meaningfully slowing down the process.
  5. Deploy – Since the production environment is separate from the development environment, it is necessary to include separate security checks. A breakdown or compromise at this stage may not be apparent at the functional level of the application.
  6. Monitor – Employ monitoring tools to maintain watch over the system and safeguard against the omnipresent threats in cyberspace. This consistent attention is essential, as without it the security measures of the previous stages will be undermined.

Stacktics DevSecOps professionals provide Strategic DevSecOps Consulting, Security Assessments, Solutions Development and Monitoring/Testing that best meet your organizational needs. Our Security Assessment methodology encompasses established DevSecOps principles across all perspectives, including People, Data, Applications and Infrastructure.

Strategic Consulting

Strategic DevSecOps consulting is valuable for organizations developing a roadmap to establish the policies, processes and procedures that enable best-in-class security practices within their organization.

Security Assessment

Security assessments evaluate the current state of an organization's security posture and provide recommendations to secure its development processes (SDLC).

Implementing these recommendations will mature the organization's practice in accordance with industry-established guidelines such as SLSA.

Solution Development

Solution development creates software solutions by following established industry DevSecOps principles. The solutions developed conform to the industry standards as described in the previous section.

Monitoring/Testing

Testing and continuous monitoring of the system are the final pieces of a robust framework that instills security through every stage of the development process. A DevSecOps team will guide practice and operate tools to test and monitor the system, ensuring security on a continuous basis.

Contact Stacktics today to mature your development operations and secure your business.

Have a question? Get an answer. We would be happy to chat.