DevSecOps (Development, Security and Operations) has become one of the major concepts integrated into modern application development and its lifecycle. The practice integrates application security testing into every development stage of the software program.
In general, it is considered a layer on top of DevOps (Development and Operations, which focuses only on development and operations).
DevSecOps follows the philosophy that security is part of the entire development-to-deployment path of a software program, and not an afterthought. This contributes to detecting security flaws or vulnerabilities in the early stages of software development, which inherently minimizes risk at those early stages.
UNDERSTANDING THE KEY WORDS IN DEVSECOPS:
- Development (DEV):
During the development stage of the program, various activities are carried out: the planning, coding, building, and testing of the software application. The importance of this stage is to ensure the development of a fully functional software program that meets every item on the requirements checklist for the project.
- Security (SEC):
Security in DevSecOps emphasizes integrating security right from the beginning of the project, and not later as an afterthought. These security practices are automated, which provides regular checks performed continuously on the code as it is written, rather than waiting until the development process is complete.
- Operations (OPS):
In DevSecOps, the operations team is responsible for pushing the software into production, monitoring its performance, and addressing any issues as soon as they are observed or discovered.
In the DevSecOps implementation, the operations team works together with both the software developers and the security experts. This is to address operational concerns during the development stage.
THE TWO DISTINCT STRUCTURES OF DEVSECOPS:
- Security-as-Code (SaC).
- Infrastructure-as-Code (IaC).
Security-as-Code (SaC):
The concept of Security-as-Code (SaC) in DevSecOps involves integrating automated security checks directly into the entire software development process, as part of the SDLC (Software Development Lifecycle). The SaC concept adopts proactive measures (offensive security, Red Team) rather than reactive strategies (defensive security, Blue Team).
Infrastructure-as-Code (IaC):
Infrastructure-as-Code in DevSecOps is the practice of managing and provisioning resources in computer data centers through machine-readable definition files, rather than relying solely on interactive tools or manual configuration.
IaC makes it easy for developers to define their infrastructure specifications in code, which makes those definitions editable and distributable and provisions the same environment consistently every time.
Infrastructure-as-Code in DevSecOps is automation based: it represents resources such as virtual machines, networks, databases, and load balancers as code, making the infrastructure easy and organized to set up and maintain.
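As an added example that is not part of the original article, the Python script below shows how the two structures fit together: a Security-as-Code policy check, of the kind a CI job runs automatically on every change, evaluated against an Infrastructure-as-Code definition. The IaC document, its simplified Terraform-like schema (resource type -> name -> attributes) and the policy names are all constructed for this example and are not any real tool's format or API.

```python
import ipaddress

# Constructed IaC definition (Terraform-like shape: type -> name -> attributes).
# Two resources are deliberately misconfigured so the policies have something to find.
IAC_DEFINITION = {
    "security_group": {
        "web": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        "db": {"ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},  # DB port open to the world
    },
    "database": {
        "orders": {"engine": "postgres", "storage_encrypted": False},  # not encrypted at rest
    },
    "storage_bucket": {
        "logs": {"public_read": False, "versioning": True},
    },
}

# Ports that should never be reachable from an unrestricted (/0) source range.
ADMIN_OR_DB_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}

def check_open_admin_ports(defn):
    """Flag ingress rules that expose admin or database ports to any source address."""
    findings = []
    for name, sg in defn.get("security_group", {}).items():
        for rule in sg.get("ingress", []):
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            if rule["port"] in ADMIN_OR_DB_PORTS and net.prefixlen == 0:
                findings.append(f"security_group.{name}: port {rule['port']} open to {rule['cidr']}")
    return findings

def check_encryption_at_rest(defn):
    """Flag databases whose storage is not encrypted at rest."""
    return [f"database.{name}: storage_encrypted is not enabled"
            for name, db in defn.get("database", {}).items()
            if not db.get("storage_encrypted", False)]

def check_public_buckets(defn):
    """Flag storage buckets that allow anonymous public reads."""
    return [f"storage_bucket.{name}: public_read is enabled"
            for name, bucket in defn.get("storage_bucket", {}).items()
            if bucket.get("public_read", False)]

POLICIES = [check_open_admin_ports, check_encryption_at_rest, check_public_buckets]

def evaluate(defn):
    """Run every policy; return (passed, findings) so a CI job can fail the build on it."""
    findings = [f for policy in POLICIES for f in policy(defn)]
    return len(findings) == 0, findings
```

A pipeline job would call `evaluate` on the committed IaC files and exit non-zero when `passed` is False, so the misconfigured database and firewall rule above are caught before anything is provisioned.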
IMPLEMENTING SECURITY CONTROLS IN DEVSECOPS:
From the early stages of DevSecOps, security controls and testing need to be embedded in every stage of the SDLC. This security implementation should adopt automation with tools that have proven to meet, and go above and beyond, in detecting the security flaws that exist in code.
COMMON DEVSECOPS TOOLS:
The common DevSecOps tools are:
- Checkmarx.
- Splunk.
- Burp Suite.
- Metasploit.
- SonarQube.
- OWASP.
- Veracode.
- Snyk.
- GitLab.
- Skyhawk Security.
- Prisma Cloud.
Some of these tools integrate both DAST (Dynamic Application Security Testing: during the production state) and SAST (Static Application Security Testing: before deployment), e.g. Metasploit.
Using and integrating these tools during the SDLC is cost effective and improves the efficiency of the program code. Furthermore, running these tools in an automated fashion provides security analysis within Continuous Integration (CI) and reduces the vulnerabilities that may exist in the program code at an early stage of the SDLC.
AUTOMATION TOOLS LIMITATIONS IN DEVSECOPS:
While the automation approach in DevSecOps has proven beneficial, there are undoubtedly downsides to this method that result in certain vulnerabilities not being detected. The common limitations a DevSecOps team may face when implementing automation tools are:
- Session Handling.
- Captcha Controls.
Session Handling:
The session handling mechanism implemented during software development restricts automated attacks from penetrating the software program. Because each session is terminated after a specific time frame and a new session token is issued by the software, the automation tool cannot accurately obtain the actual error message.
Captcha Controls:
Content Delivery Networks (CDNs) and modern software applications implement a sophisticated security measure known as a Captcha. A captcha requires solving image problems, mathematical problems, or even puzzles to prove that the user accessing the program is human.
This security measure is known as Captcha Controls and serves as a defense mechanism that hinders automation tools from gaining access to the program.
However, this concept is not too complicated: by understanding how the captcha is implemented and how it delivers the puzzles to the user, security experts can bypass the captcha controls.
What are the benefits of DevSecOps?
THE BENEFITS OF DEVSECOPS:
- Fostering and Improving Collaboration:
DevSecOps fosters the relationship and improves collaboration between the Development, Security, and Operations teams. It also encourages shared responsibility and the importance of security among all team members.
- Early Vulnerability Discovery:
Integrating DevSecOps throughout the SDLC assists the teams in the early detection of vulnerabilities within the program's code and enables these security weaknesses to be addressed.
- Swift Software Release Cycles:
Implementing security into the project workflow assists the entire team in addressing vulnerabilities identified earlier in the software and in swiftly releasing security patches and software updates, while adhering to and not compromising security principles.
- More Positive Compliance:
With DevSecOps implemented during the SDLC, the team can implement and adhere to security practices, ensuring the software program complies with government regulations and security standards (e.g. ISO 27001, GDPR, HIPAA, Sarbanes-Oxley, etc.).
Conclusion:
In conclusion, DevSecOps is a part of cybersecurity which emphasizes the importance of security and the need for security to be part of the SDLC, and not to be considered an afterthought.