Authored by: Cameron Curry, Senior Principal at Orasi Software
In the old world of monolithic applications, development was isolated from other critical software development stages. This changed with DevOps, and then further, with the emergence of DevSecOps.
DevOps – A quick look
DevOps is a new culture and methodology that rests on close collaboration between programmers and system administrators in the software development process. Here the two fields intersect and work together, and the benefits arising from this are as follows:
- Helps in raising the predictability, efficiency, and security of software development.
- Aligns with the fundamental credo of the agile development mindset.
- Developers become aware of the operations and the production side of any software proactively.
- Developers can create code that adapts to recent changes fast. It results in applications that are developed and delivered quickly with a robust ‘Shift-Left’ approach.
- Downtime gets reduced, the gaps between coding and actual features get cut down, and the overall roll-out time is accelerated.
DevSecOps – An overview
When you bring together all three facets – development, operations, and security – under a unified plank, this creates a DevSecOps model. It takes the collaboration and agility value a notch higher because now, even security processes are an integral part of the development. They are not left as after-thoughts or post-development exercises. They happen simultaneously as the code takes shape and gets stronger and stronger.
A lot of this is achieved by injecting automation in code quality and reliability assurance. Development works closely with quality assurance, deployment, and integration. Thus, boundaries among various phases of software development are wiped off entirely in a DevSecOps scenario.
Now, if you are wondering if these two approaches are the same or different, let’s dive deeper.
DevOps and DevSecOps – Do they rhyme or not?
While the practice of agile development, collaboration, and digital transformation run as fundamental underpinnings for both these approaches, these two realms have their distinct uses and aspects.
DevOps is a lot about speed. The whole idea of pushing processes as left as possible is to enable rapid build environments. This way, applications get developed in a faster way. They can also be adapted to quick revisions and deployed into production environments with extra levels of speed.
Now when speed jumps in, security gets pushed on the back-burner. The rush to make applications quickly often leads developers to ignore the questions that matter to security teams. With DevSecOps, the focus on accuracy and bug-resolution comes to the top surface again. Using best practices throughout the life cycle of software helps the teams to chop away many vulnerabilities and overall corporate risk.
DevOps’ key elements are microservices, Infrastructure as Code (IAC), Policy as Code (PAC), and modular application pieces. For DevSecOps, the key features are automated security, Shift-Left push on security models, and continuous feedback loops. In the first case, development is moved to the left, while in DevSecOps, security areas are pushed to the left. This can lead to a lengthier development time than DevOps. The code is secure from the very first stage. DevSecOps integrates security methods deep into a DevOps process.
How to do DevSecOps, right?
The two models can be distinct, but they are not binary. With the right approach, both teams and development scenarios can co-exist and add to each other’s strengths. The practice of DevSecOps to achieve maximum impact, hence, needs to focus on some crucial areas.
1. Do not make DevOps the enemy of DevSecOps. Put security as an easy part of the process by automating tests and creating parallel test scenarios.
2. Clearly define both types of teams’ roles and responsibilities to avoid confusion, overlaps, and duplication of efforts.
3. Instill the immense spirit of teamwork among developers, engineers, infosec specialists, and testing professionals. Any conflicts that arise should be quickly resolved and taken as a lesson for future improvement. The team should understand that security is not a compliance task. They should realize that security is essential for the success, quality, and performance of the software. This attitude will inherently bring all areas closer to each other.
4. Investments in the right tools for automation and implementation should be made. Best practices for robust software development should be embraced with an agnostic framework.
In a world where applications are assessed not just the speed of production but also their risk-factor, downtime, outage-propensity, quality-metrics, and risk-quotients – DevSecOps cannot stay alienated from DevOps. Let us stop creating more boundaries and aim for greater collaboration and maximum application impact.