DevOps and DevSecOps – The Talk of the Cloud
By now, anyone involved in application development has heard the terms DevOps and DevSecOps. Yet, despite the frequency with which these buzzwords are thrown around, many developers don’t seem to understand them.
But DevOps and DevSecOps are increasingly essential components for any application development team. They are especially important for teams deploying applications across large-scale, distributed, multi-cloud environments.
Companies focused on cloud-based applications and services should understand what DevOps and DevSecOps are, how they work in practice, and how they help streamline and optimize the development process.
So what exactly is DevOps?
Unfortunately, there is no universally accepted definition for DevOps, which is one reason that there are misconceptions about what DevOps can and should do. But there are some commonly accepted concepts, so let's start there. At the highest level, DevOps attempts to integrate quality assurance, deployment, and production consideration into earlier development lifecycle stages to streamline development and shorten delivery times. This is a long way of saying that DevOps’ goal is to get products out quickly, with fewer bugs and limited user experience disruption, with developers more involved in that process. All of this stands in contrast to previous methodologies, in which developers metaphorically threw their code over the wall and left it for operators to deploy.
And DevSecOps?
DevSecOps takes team integration to the next level. Effectively, DevSecOps creates a development culture focused on security-by-design, addressing cloud security issues before they occur. In DevSecOps, everyone involved in development is constantly aware of and focused on the need to address security concerns across the development lifecycle. Or, to use the shorthand buzzword version, DevSecOps tries to “shift left” when it comes to security considerations, the way that DevOps shifted left production and deployment considerations.
Shared values of DevOps and DevSecOps
It is helpful to understand several foundational philosophies that DevOps and DevSecOps share. Both DevOps and DevSecOps focus on quickly getting reliable, secure products to market and keeping those products updated as needed. Getting to that point requires several things from development, operations, and security teams:
Collaboration
Collaboration is the cornerstone of both DevOps and DevSecOps. Over the years, the software development process has become increasingly collaborative. But for a long time, there were still distinct silos of responsibility. Development did its work, and it was only on completion that operations entered the picture to deploy the product. Security professionals joined even later in the process, sometimes well after deployment.
DevOps and DevSecOps attempt to streamline the development lifecycle by eliminating the silos and building teams with common goals and shared trust. Collaboration between previously separate (and often mutually hostile) groups early in the development process, rather than delaying releases and causing unnecessary additional work, actually helps to reduce time to market. It also provides end-users with more reliable and secure products.
Agility
Both DevOps and DevSecOps are extensions and adaptations of agile development methodology, although they should not be confused with it. The key to agile development is speed to market. While DevOps and DevSecOps also seek to shorten time to market, they attempt to strike an optimal balance between speed and other concerns such as reliability and security.
Automation
One way that DevOps and DevSecOps achieve agility while also addressing their primary concerns is through automation. Automation of DevOps functions enables development teams to better identify and rectify issues with code before deployment. As a result, there is greater product reliability, increased speed to market, and higher consistency. And development teams can get more deliveries out the door.
Similarly, automation is essential to the DevSecOps function. Identifying potential threats and application vulnerabilities in a large, distributed multi-cloud environment would be impossible without tools allowing security teams to parse massive amounts of traffic data quickly. But automation also enables DevSecOps to inject security earlier into the development process.
How do DevOps and DevSecOps work in practice?
DevOps uses automation to create a reliable, repeatable, standardized end-to-end development workflow. The primary focus of DevOps is on two other buzzphrases: continuous integration (CI) and continuous delivery or deployment (CD). Indeed, DevOps and CI/CD are frequently used interchangeably.
Continuous integration ensures that developer changes are correctly and frequently merged into the main development branch so that everyone has timely access to the latest release. CI permits several developers to work on the code simultaneously without creating discrepancies or conflicts in the main branch.
Continuous delivery focuses on reducing the length of production cycles, enabling development teams to have products available for release at any time. CD includes automation of builds and unit tests, improving CI by allowing numerous merges each day. Continuous deployment takes the next step by including automated deployment of release candidates to production.
DevOps uses tools and practices such as containers and container management, microservices, and infrastructure-as-code (IaC) to facilitate rapid product delivery and deployment.
DevSecOps adds automated security testing during development. It encompasses vulnerability assessments, configuration issues, logging, event monitoring, privilege management, and so on. It also encourages developers and operators to share vulnerability concerns early in order to avoid issues farther down the line. While DevSecOps won’t prevent user-induced vulnerabilities, such as access via phishing scams, it leads to more robust code and products.
DevSecOps relies on several security testing methods across the entire development lifecycle, including:
White box testing such as SAST (static application security testing), which takes an internal view of code vulnerabilities
Black box testing such as DAST (dynamic application security testing), which looks at vulnerabilities from the perspective of a potential attacker
Combination methods such as IAST (integrated application security testing), which uses agents and sensors for continuous vulnerability analysis
Runtime testing methods such as RASP (runtime application self-protection), which allow production-level vulnerability analysis
Each type of testing has unique benefits and applies at specific points in the development lifecycle.
Together, DevOps and DevSecOps create a development environment that values short development cycles, automation of repeatable processes, effective version control, and rapid deployment.
Conclusion
Today’s complex multi-cloud environments can be challenging for application developers. But by encouraging cooperation between development, operations, and security in DevOps and DevSecOps teams, developers can shorten delivery times, improve product reliability and provide a better user experience. With happier customers and better-functioning internal teams, what’s not to like?