DevSecOps (Development, Security and Operations) is a methodology that augments DevOps practices and involves not only close collaboration among DevOps teams, but also the application of best security practices at every stage of the software lifecycle.
DevSecOps introduces no fundamental changes to the DevOps process, but views it through the lens of security. In particular, DevSecOps makes it possible to move away from the practice of checking finished code for compliance with security policies only at the end of the cycle, and instead to introduce control mechanisms at every development stage.
DevOps and security
The DevOps methodology seeks to optimize the process of creating and updating software products. One of the primary goals of DevOps is to speed up the release of new versions of applications with no loss of quality.
Because security checks are often seen as a brake on development, DevOps teams may postpone them or drop them from the production cycle altogether in order to keep pace with the competition. This allows vulnerabilities to creep in at various stages of product development and operation. The result is vulnerable software that requires a lot of resources to fix. The task of DevSecOps is to reintroduce security control into the DevOps cycle without overcomplicating the process.
DevSecOps principles
DevSecOps is based on the following principles:
- Collaboration among DevSecOps teams. There is no friction among those involved in the process: developers, IT/IS departments, etc. On the contrary, all are united by the common goal of making a high-quality, secure product.
- Everyone is responsible for product security. Each team member is responsible for product security at their respective stage of development, and prepares reports on compliance with security standards.
- Standardization and automation. Security requirements for each stage are standardized, and necessary checks are automated where possible.
- Increasing information security awareness of DevOps teams. Employees’ information security knowledge is kept up-to-date, regardless of their tasks.
- Measuring, monitoring, reporting, implementing. Security parameters, development stage timeframes, frequency of releases, the amount of product testing, and other aspects are translated into numbers that employees can use as a reference in building and enhancing processes. At the same time, the metrics for assessing performance at different stages must not contradict each other: for example, release frequency should not be rewarded at the expense of security findings left unresolved.
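As an added example (not code from the original article), here is what a standardized, automated check of the kind described under the "Standardization and automation" principle can look like in practice, together with the numbers the last principle calls for: a small Python release gate that reads SAST output in SARIF 2.1.0 format, fails the pipeline on any finding at a blocking level that has no accepted, unexpired exception, and prints a metrics line for reporting. The severity policy, the exception list, the tool name and the findings themselves are constructed for this illustration and do not come from any real scan.

```python
import json
import sys
from collections import Counter
from datetime import date

# Policy (an assumption for this example): SARIF result levels that block a
# release, and rule IDs with a documented, time-limited exception.
BLOCKING_LEVELS = {"error"}
ACCEPTED_EXCEPTIONS = {
    "py/clear-text-logging": {
        "reason": "value is masked before logging (hypothetical ticket)",
        "expires": "2099-12-31",
    },
}

# Constructed SARIF 2.1.0 document, shaped like what a SAST tool emits.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built with string formatting"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/clear-text-logging", "level": "error",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "py/unused-import", "level": "warning",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/main.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten SARIF runs/results into plain dicts with rule, level, file, line."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                # SARIF defines "warning" as the default when level is absent.
                "level": result.get("level", "warning"),
                "message": result.get("message", {}).get("text", ""),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
            })
    return findings


def evaluate_gate(findings, today=None):
    """Apply the policy. Returns (passed, blocking, suppressed, metrics)."""
    today = today or date.today()
    blocking, suppressed = [], []
    for f in findings:
        if f["level"] not in BLOCKING_LEVELS:
            continue
        exc = ACCEPTED_EXCEPTIONS.get(f["rule"])
        # An exception only counts while it is still within its expiry date;
        # an expired exception makes the finding blocking again.
        if exc and date.fromisoformat(exc["expires"]) >= today:
            suppressed.append(f)
        else:
            blocking.append(f)
    metrics = {
        "total": len(findings),
        "by_level": dict(Counter(f["level"] for f in findings)),
        "blocking": len(blocking),
        "suppressed": len(suppressed),
    }
    return len(blocking) == 0, blocking, suppressed, metrics


def report(findings, today=None):
    """Print the gate decision and metrics; return a CI-style exit code."""
    passed, blocking, suppressed, metrics = evaluate_gate(findings, today)
    for f in blocking:
        print(f"BLOCK    {f['rule']} {f['file']}:{f['line']} {f['message']}")
    for f in suppressed:
        reason = ACCEPTED_EXCEPTIONS[f["rule"]]["reason"]
        print(f"ACCEPTED {f['rule']} {f['file']}:{f['line']} ({reason})")
    print("metrics:", json.dumps(metrics, sort_keys=True))
    return 0 if passed else 1


if __name__ == "__main__":
    # Usage: python gate.py results.sarif   (falls back to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(report(load_findings(text)))
```

The gate deliberately keeps the policy as data rather than as code scattered through the pipeline: the blocking levels and the exception list are the "standardized requirement", the script is the "automated check", and the metrics line is what feeds the measuring and reporting step. Exceptions carry an expiry so that an accepted risk is revisited rather than silently suppressed forever.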