People. Process. Technology. Governance.
Enhance collaboration across Development, Operations & Security processes
The DevOps movement has pushed for, and largely succeeded in, breaking down the barriers and silos that divided organizations into specialized Development and Operations functions. Organizations that embrace the movement and its culture become more competitive: automation replaces the manual steps involved in shipping software, which makes releases faster and more reliable.
A side effect of this speed is that security tools and processes must move at the same pace to keep up. The idea driving DevSecOps (also called Rugged DevOps) is to bake security testing of the application under development into the process used to ship it. Automating these processes takes people out of the chain and puts them in a different role: instead of people being the process, tools and automation are the process, and people monitor and respond to process failures. This combines the strengths of both computers and people.
What Is the ‘Sec’ in DevSecOps?
SecOps, short for Security Operations, is an approach for bridging the traditional gaps between IT security and operations teams in an effort to break silo thinking and speed safe delivery. The emerging practice requires a sea change in cultures where these departments were separate, if not frequently at odds. SecOps builds bridges of shared ownership and responsibility for the secure delivery process, eliminating communications and bureaucratic barriers.
DevSecOps strives to automate core security tasks by embedding security controls and processes into the DevOps workflow. DevSecOps originally focused primarily on automating code security and testing, but now it also encompasses more operations-centric controls.
There are six important components of a DevSecOps approach:
The safety and security measures inherent in DevSecOps have many advantages, such as:
So, if you are intent on strengthening your DevSecOps posture, where should you begin? Here are several actions to get started:
Extend situational awareness.
Extend the reach of your security operation into the Dev domain and the pipeline. Identify and collect security-related metrics from these domains.
Establish pipeline security.
Automate your platform security in areas such as setup and configuration confirmation, then place the code and policy for this under secure control. Automate the mundane and automatable security-related tasks in the development pipeline. Enhance your design for DevSecOps (release packages, deploy, undo, redo) to enable rapid regression when an exposure is identified.
Explore DevSecOps services for digital applications that limit platform subversion across environments, servers/VMs, containers and storage through separation, encryption and virtualization. Consider autonomic security testing for the platform and the pipeline. Consider how you secure cross-boundary interconnects, including identity and access management (IDAM), API gateways and endpoint detection and response (EDR). Consider how you provide easy access to pervasive trust services and how you control privileged access.
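The "configuration confirmation" step above is the kind of check that belongs in the pipeline as code and policy rather than in a manual review. The following is an added example, not code from the page or from DXC: a small policy gate that a CI stage could run against a deployment manifest before release. The manifest shape (a Kubernetes-style pod spec), the four rules and the sample input are all constructed for illustration; a real pipeline would read the manifest from the repository and keep the rule set under the same change control as the application code.

```python
"""Added example (not from the page or DXC): a CI policy gate that confirms
deployment configuration against a small rule set before release.
The manifest shape, the rules and the sample input are constructed."""
import json
import sys

# Constructed sample manifest, as a CI job might read it from the repo.
SAMPLE_MANIFEST = json.dumps({
    "metadata": {"name": "payments-api"},
    "spec": {
        "containers": [
            {
                "name": "api",
                "image": "registry.example/payments-api:latest",
                "securityContext": {"privileged": True},
                "env": [
                    {"name": "DB_PASSWORD", "value": "hunter2"},
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
            },
            {
                "name": "sidecar",
                "image": "registry.example/log-shipper:1.4.2",
                "securityContext": {"readOnlyRootFilesystem": True},
                "env": [{"name": "API_TOKEN",
                         "valueFrom": {"secretKeyRef": {"name": "tok", "key": "t"}}}],
            },
        ]
    },
})

# Heuristic: env var names that usually carry credentials (constructed list).
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


def image_tag(image):
    """Return the tag of an image reference, or '' when none is given.
    Only the last path segment is inspected so a registry port is not mistaken for a tag."""
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else ""


def check_container(c):
    """Return a list of (rule, message) findings for one container spec."""
    findings = []
    name = c.get("name", "<unnamed>")
    image = c.get("image", "")
    sc = c.get("securityContext", {})
    # Rule 1: images must be pinned so the artifact that was tested is the one deployed.
    if image_tag(image) in ("", "latest"):
        findings.append(("pinned-image", f"{name}: image '{image}' is not pinned to a version"))
    # Rule 2: privileged containers bypass the isolation the platform provides.
    if sc.get("privileged", False):
        findings.append(("no-privileged", f"{name}: privileged securityContext"))
    # Rule 3: a read-only root filesystem limits runtime tampering.
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append(("read-only-root", f"{name}: root filesystem is writable"))
    # Rule 4: credential-looking env vars must come from a secret store, not a literal value.
    for env in c.get("env", []):
        n = env.get("name", "")
        if any(h in n.upper() for h in SECRET_HINTS) and "value" in env:
            findings.append(("no-inline-secrets", f"{name}: env '{n}' carries a literal secret"))
    return findings


def check_manifest(manifest_json):
    """Parse the manifest and collect findings across all containers."""
    manifest = json.loads(manifest_json)
    findings = []
    for c in manifest.get("spec", {}).get("containers", []):
        findings.extend(check_container(c))
    return findings


def gate(manifest_json):
    """CI gate exit status: 0 when the manifest passes, 1 when any rule fails."""
    return 0 if not check_manifest(manifest_json) else 1


if __name__ == "__main__":
    for rule, msg in check_manifest(SAMPLE_MANIFEST):
        print(f"[{rule}] {msg}")
    sys.exit(gate(SAMPLE_MANIFEST))
```

Run as a pipeline step, the non-zero exit status blocks the release and the printed findings go into the job log, which is also where the "security-related metrics" mentioned under situational awareness can be collected from. The secret-name heuristic is deliberately simple and will flag names such as KEYSPACE; tune the hint list to your naming conventions rather than silencing the rule.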
Consider how you clarify responsibility for overall security and individual responsibilities for securing elements that include:
- Big-picture architecture
- Security controls and countermeasures
- Pipeline security for apps
- Pipeline security for platforms
- Pipeline security services
- Common security services
Apply security by design.
Consider how you strengthen and apply security by design. Adopt and develop a cyber-reference architecture (CRA; see next page) and consult it regularly; it should continually change, mature and improve. Consider how you can link risks to controls and countermeasures to aid change-impact analysis and traceability.
Use state-of-the-art controls.
Consider how you monitor the security landscape and the state of the art. How can you constrain subversion to only the application's own control processes and process interactions? Consider workload segmentation and process-level protection using code and policy. Also consider microsegmentation with code and policy. Microservice architectures can improve security posture through defense in depth and isolation. Deception technologies are another viable alternative. And consider using behavioral analytics in both the live operational domain and the pipeline domain.
Adopt a CRA.
It’s clear that integrated, proactive, comprehensive security results from extensive planning and preparation. What’s less clear is how to ensure your company has developed a plan that clearly identifies your needs in all security domains and that the right prescriptive steps have been defined to address them. The best way to do this is to adopt a cyber-reference architecture, such as DXC’s CRA.