Software runs our businesses today. It powers operations, transactions, communications—just about every facet of the digital organization. It follows that ensuring the security of applications and operating systems is a major priority for development and security teams. This is where DevSecOps plays a key role.
Development, security, and operations
DevSecOps is short for development, security, and operations. An extension of the devops model for software development, it involves applying security measures throughout the software development life cycle (SDLC). DevSecOps calls for everyone involved in the development process to be aware of the need for security. As a model, DevSecOps encompasses a set of practices to increase collaboration between the security, development, and operations teams, with the goal of making software more secure.
Examples of DevSecOps practices include security design reviews, scanning code for security vulnerabilities, and remediating bugs that present legitimate threats. By introducing security earlier in the SDLC, DevSecOps ensures that the organization takes security seriously rather than treating it as an afterthought. Part of the effort of instituting DevSecOps includes making the necessary process, cultural, and technology changes.
Why DevSecOps matters
Software vulnerabilities can become entry points for cybercriminals to launch attacks, and these attacks can affect entire supply chains. A recent example is a vulnerability discovered in Apache Log4j in late 2021. Log4j, a Java package located in the Java logging systems, makes it easier for Java applications to log data. It is widely used and highly pervasive.
Late last year, engineers discovered a remote code execution flaw in Log4j that lets hackers take control of systems and their data. The bug also puts millions of devices at risk. In fact, any internet-connected device running certain versions of Log4j is at risk of being impacted by the bug. Given how pervasive Log4j is, the threat is serious.
Log4j is just one example. Given that digital businesses are highly reliant on applications, ensuring software security is extremely important. DevSecOps is a model for doing it.
Jim Mercer, research director, DevOps and DevSecOps, at International Data Corp. (IDC), notes that application security and software supply chain security are getting a lot of attention due to high-profile vulnerabilities such as Log4j, The research firm expects double-digit growth of the DevSecOps tools market to continue through 2026.
Benefits of DevSecOps
Organizations can benefit in a variety of ways from adopting the DevSecOps model. Perhaps the most obvious is stronger software security. By putting security controls in place at the earliest stages of development and then continuing the focus on security right through to production, development teams can deliver more secure products.
Another benefit is the increased collaboration between development and security teams. These teams can sometimes be at odds because of their different objectives. The resulting friction can impact productivity. Working together toward collaborative goals is one way to mitigate friction. For developers, there is also an opportunity to gain new knowledge related to cyber security.
Yet another benefit is faster software delivery. DevSecOps encourages teams to evaluate, revise, and test code at each step of the development process, rather than putting off this part of the development cycle until later. Testing often helps teams avoid complex and time-consuming revisions to fix security vulnerabilities down the line.
Does DevSecOps replace devops?
DevSecOps is not as much a replacement for devops as an evolution of the model. DevSecOps evolves the core concepts of devops with an emphasis on security.
Devops is an approach to software development that highlights collaboration, communication, and close integration between an organization’s software development and IT operations functions. In devops, the goal is to produce software more quickly and efficiently. As the name implies, DevSecOps adds a security layer to development and operations processes encompassed by devops.
There is considerable overlap between the two—for example, they both emphasize automation and team collaboration. But in the case of DevSecOps, the collaboration is between development and security professionals, whereas in devops it is between development and operations.
Organizations can deploy a number of technology tools to support their DevSecOps programs. These tools help minimize risk in software development pipelines without slowing down production. They do this by finding and remediating vulnerabilities through continuous security testing.
DevSecOps tools also enable security teams to efficiently manage the security of development projects without needing to manually review and approve each release.
One example of a DevSecOps tool is the vulnerability scanner. These tools automatically scan software at various stages of development to look for known vulnerabilities. Open source vulnerability scanning, or software composition analysis (SCA), identifies and compares the open source components of your software against vulnerability databases, software vendor advisories, and other security sources to detect flaws.
Another DevSecOps tool is static application security testing (SAST), which enables developers to scan source code to look for weak or insecure coding. This sort of testing can identify possible security issues that need to be addressed. Integrating SAST into the DevSecOps SDLC helps to ensure that vulnerable components are fixed before they move along the various stages of the pipeline.
How to become a DevSecOps engineer
One of the key roles in the DevSecOps arena is DevSecOps engineer. The technology career site Dice.com notes that the need for secure code is fueling increased demand for these professionals.
One of the most important skills for a DevSecOps engineer is the ability to test applications for security flaws, according to Dice. DevSecOps engineers also need to be knowledgeable about DevSecOps tools.
Other possible skills needed include a knowledge of the devops principles and an understanding of popular programming languages such as Java, Ruby, Perl, Python, and PHP. In addition, engineers in these roles should stay up to date on the latest cybersecurity threats.
These professionals also need to have analytics capabilities to determine why code is or isn’t working, and what vulnerabilities could have emerged during the development process.
Getting a DevSecOps certification
Developers working in software security can increase their knowledge and possibly advance their careers by earning a DevSecOps certification.
For example, the DevSecOps Foundation offers certification programs through the DevOps Institute that cover topics including why DevSecOps is needed and DevSecOps culture and management, general security considerations, identity and access management, application security, and operational security.
The program prepares individuals for positions such as project manager, site reliability engineer, devops engineer, software engineer, maintenance and support staff, release manager, scrum master, and more.
Copyright © 2022 IDG Communications, Inc.