As security threats continue to mount, it can be a challenge to keep up. As a system administrator, I can attest to the fact that securing data and resources is a journey, not a destination, and a ham-handed, bureaucratic approach to the concept is bound to fail. For instance, vulnerability reports that mandate a mindless approach such as shutting down test systems which 'might' be compromised or rebooting production systems in the middle of the day to roll out emergency patches only complicate business operations and generate resentment among users or customers. Creativity, common sense, and a nimble attitude are key elements to properly managing security.
Fortunately, new approaches to managing risk are also evolving to meet the challenges and bring forward-thinking technological and operational innovation to cybersecurity. DevSecOps is a mindset advocating just such an approach.
What is it?
Like DevOps, DevSecOps seeks to achieve greater efficiency and productivity through team collaboration, but the DevSecOps approach incorporates security principles.
Why does it matter?
DevSecOps practitioners seek to work alongside developers at every step of the way, unlike traditional security approaches, which can be slow and come along too late in the deployment process.
Who does this affect?
DevSecOps is made up primarily of security experts and technology workers, but every user who runs or relies on software is affected by security principles, good or bad.
How do I implement it?
DevSecOps concepts require a gradual shift in company culture and infrastructure. The core concepts are available via the DevSecOps site as well as a LinkedIn group and social media outlets.
What is DevSecOps?
DevSecOps is similar to DevOps in that both seek better results through greater operational focus and communication, but in this case the framework incorporates security principles. DevSecOps represents a mentality promoted by a group of security practitioners. Their philosophy involves building security into applications so it is baked in rather than applied after the fact -- or worse, retrofitted on. TechRepublic covered the DevSecOps approach earlier in 2017 in an analysis of some of their other concepts, which include threat modeling, risk assessment, automation of security tasks and an emphasis on team collaboration. In short, security principles and communication should come into play at every step of building applications.
The DevSecOps philosophy was created by security practitioners who seek "to operate and contribute value with less friction." These practitioners operate a website which details their approach to better security, explaining that "the goal of DevSecOps is to bring individuals of all abilities to a high level of proficiency in security in a short period of time. Security is everyone's responsibility."
The DevSecOps manifesto involves principles such as building a platform of least-privilege access, focusing on science and avoiding fear, uncertainty and doubt (FUD), collaboration, consumable and business-driven security services, team testing to analyze potential exploits, continuous security monitoring and sharing intelligence.
Why does it matter?
The DevSecOps community promotes direct action to ferret out potential issues or exploitable vulnerabilities. In other words, they think like the enemy and use similar tactics, such as penetration testing, to find the exploitable vulnerabilities that need remediation.
DevSecOps differs from traditional security methods, which tend to be more bureaucratic, involve mandates from a central authority, and can be monolithic or 'one size fits all'. These factors can actually hinder security because they often focus on insignificant hypotheticals rather than actual real-world threats. For instance, rather than dwelling on how an exploit theoretically 'could happen' under conditions that are unlikely and whose impact would be low, address the vulnerability which can be demonstrably leveraged to gain root access and is quite likely to lead to a system breach if left untended.
A blog post on the DevSecOps site lays out the core principles and philosophy of the community:
"The mindset established by DevSecOps lends itself to a cooperative system whereby business operators are supplied with tools and processes that help with security decision making along with security staff that enable use and tuning for these tools. In this case, security engineers more closely align with the DevSecOps manifesto, which speaks to the value that a security practitioner must supply as well as the changes they must make to enable security value to be supplied to a larger ecosystem. In this way, the value that DevSecOps engineers supply to the system is an ability to continuously monitor, attack and determine defects before non-cooperative attackers might discover them. And because of these changes DevSecOps engineers are hugely useful as competitors to external attackers. This allows for all, including security staff, within the business ecosystem to contribute to iterative value creation without the additional pain of attempting to acquire severely scarce security practitioners to be added to DevOps teams."
Another post encourages security teams to "eat your own dog food" and use the same security controls and processes they build into software code. For example, if a policy requires multi-factor authentication with hourly logons, the security team lives with that requirement as well. The goal is to become familiar with the challenges and pain points:
"Eating your own dogfood extends beyond policies. The security services built by our team do not special-case our other services. Our account is graded, just as every other account is. Our account can receive a failing grade, too; although it should not be difficult to imagine the difficulty in convincing other teams to increase their security grades when the security team's score isn't leading the company. And so, our time is spent developing means to keep our team's score as high as possible. The expertise and tools can be shared with the rest of the company to help them also keep their security scores high."
DevSecOps offers projects to help improve and respond to security issues. For instance, they provide a list of tools contributed by their community. There is a free DevSecOps bootcamp you can participate in to hone your skills or simply learn more about secure coding concepts. You can review some interesting security presentations on their site as well.
Who does it affect?
DevSecOps principles are intended for developers, technologists and security professionals -- in short, development and operations personnel. However, they can also assist executives, managers and other leaders who need to improve their security focus. Whether you are responsible for designing secure code, managing the systems which run it, or securing your corporate environment, DevSecOps can provide the insights and information needed to weather today's security hazards. Participation is free and all information is open source.
How do I implement it?
DevSecOps requires an increased focus on collaboration (both within and between teams), automation, and building security in as you go. Adopting these principles is a good first step toward this mindset. Like DevOps itself, this is not a culture which can be applied overnight; it requires gradual change as the various concepts are applied within the organization and existing frameworks are replaced with new practices.
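The two practical threads above, automating security tasks and prioritizing demonstrably exploitable vulnerabilities over low-impact hypotheticals, can be combined into a small build-pipeline gate. The following is an added example written for this article, not code from the DevSecOps community or its tool list; the Finding fields, the impact labels and the sample findings are all constructed for illustration and do not describe any real vulnerability.

```python
"""Added example: a CI security gate that triages scanner output the way the
article recommends, blocking only on reachable, demonstrably exploitable,
high-impact findings and merely reporting the rest.

All names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner result (hypothetical schema, not any real tool's format)."""
    ident: str          # constructed identifier, not a real CVE
    severity: str       # scanner's own rating: low / medium / high / critical
    exploit_known: bool  # a working exploit or proof of concept exists
    reachable: bool     # the vulnerable code or service is actually exposed
    impact: str         # worst plausible outcome: info / dos / rce / root


# Impacts that justify breaking the build when the other conditions hold.
BLOCKING_IMPACTS = frozenset({"rce", "root"})


def triage(findings):
    """Split findings into (block, warn, note) lists.

    block: reachable, a known exploit, and root/RCE impact -> fail the build.
    warn:  reachable and either exploitable or rated high/critical -> ticket.
    note:  everything else, including theoretical issues on unreachable code.
    """
    block, warn, note = [], [], []
    for f in findings:
        if f.reachable and f.exploit_known and f.impact in BLOCKING_IMPACTS:
            block.append(f)
        elif f.reachable and (f.exploit_known or f.severity in ("high", "critical")):
            warn.append(f)
        else:
            note.append(f)
    return block, warn, note


def gate(findings):
    """Return True when the pipeline may proceed, False when it must stop."""
    block, _warn, _note = triage(findings)
    return not block


def report(findings):
    """Human-readable summary for the build log."""
    block, warn, note = triage(findings)
    lines = []
    for label, group in (("BLOCK", block), ("WARN", warn), ("NOTE", note)):
        for f in group:
            lines.append(f"{label:5} {f.ident} severity={f.severity} "
                         f"impact={f.impact} exploit={f.exploit_known} "
                         f"reachable={f.reachable}")
    return "\n".join(lines)


# Constructed sample findings: one real threat, one loud hypothetical, one
# medium issue that is actually exposed, and one unreachable low-impact item.
SAMPLE_FINDINGS = [
    Finding("EX-0001", "high", exploit_known=True, reachable=True, impact="root"),
    Finding("EX-0002", "critical", exploit_known=False, reachable=False, impact="info"),
    Finding("EX-0003", "medium", exploit_known=True, reachable=True, impact="dos"),
    Finding("EX-0004", "low", exploit_known=False, reachable=False, impact="info"),
]


if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
    raise SystemExit(0 if gate(SAMPLE_FINDINGS) else 1)
```

Note what the gate does with EX-0002: the scanner calls it critical, but nothing reaches it and no exploit exists, so it is recorded rather than allowed to stop a release. Tuning which impacts block, and who owns the "warn" tickets, is exactly the kind of decision the article says should be made jointly by the security team and the people operating the service.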