I think most of you already know what DevOps is, what the Software Development Life Cycle (SDLC) is, and what the Agile method is. I will briefly explain what DevSecOps is and which activities it involves. First, though, I will explain how DevSecOps fits into the DevOps CI/CD pipeline and why many organizations now practise the "Shift Left" approach in their pipelines.
Software Development Life Cycle (SDLC)
TL;DR: The traditional SDLC, usually referred to as the Waterfall approach, involves several phases before a piece of software can be deployed into a production environment. Below are the phases of a traditional SDLC:
1. The project starts with the Requirements phase, in which we gather all the requirements from the client or business units. This is also called the Project Kick-Off phase.
2. We move to the Design phase, in which we design the software according to the requirements gathered in the previous phase.
3. Once the design is done and the client has agreed to it, we implement the software.
4. We deploy once the implementation is complete and all functionality and code have been tested.
5. Once the software is deployed to production, we maintain it.
6. Once the whole cycle is complete, the development team moves on to other projects.
Usually these phases take months, or even years, to complete. Below are the disadvantages of the Waterfall approach:
- Business requirements often change, and the development team has to redo everything.
- It creates a lot of uncertainty and confusion for the development team and for the business.
- Even small changes can add a lot of time to delivering a feature or completing a project.
- In the end, it contributes to projects going over budget and behind schedule, or, at worst, failing to be delivered to the client or deployed to production.
Because of the issues the Waterfall approach faces, the Agile method was introduced. Agile is an approach that develops requirements and solutions through the collaborative effort of self-organizing, cross-functional teams and their customers or end users. Below, briefly, are the advantages and disadvantages of an Agile approach:
Even with Agile we still face issues in software delivery and deployment, and Agile introduced the "Wall of Confusion":
- The IT Ops team faces new problems after Agile adoption.
- Ops is confused and no longer aligned with Dev.
- Agility and speed no longer match Ops' cautious, stability-focused nature.
- The lack of collaboration creates more confusion between the teams.
With that, DevOps was introduced and resolved the confusion between the Dev team and the IT Operations (Ops) team. In simple words, DevOps is a new way of working that takes software all the way from development to the production environment. Below are all the processes involved in DevOps:
But with all that speed and agility in delivering software to production, DevOps tends to forget the security and compliance aspects, and so DevOps introduced a new wall of its own, the "Wall of Compliance".
Since the Application/Information Security team is not brought into the DevOps team at the beginning of the cycle, software deployed to production may carry vulnerabilities introduced during the CI/CD process without anyone noticing. Below are several compliance issues with DevOps:
- It is no longer feasible for the security team to ask the developers or the ops team to wait until pen-testing, code review or any other security activity is finished before a release goes to production. That slows them down, and it is not an Agile approach.
- The security team struggles to explain why it is blocking the pipeline, and often uses the word "compliance" as a trump card.
- That is why many DevOps teams have a love-hate relationship with the security team.
- Security is outnumbered in the DevOps team.
Finally, DevSecOps was introduced to resolve the issues above in the DevOps CI/CD pipeline.
How does DevSecOps work, and what are its benefits?
It involves injecting security practices into an organization's DevOps pipeline.
- The goal is to incorporate security into every stage of the software development workflow.
- That is the opposite of its predecessor development models: DevSecOps means you are not saving security for the final stages of the SDLC.
- If your company already does DevOps, it is a good idea to consider shifting toward DevSecOps.
- At its core, DevSecOps is based on the principles of DevOps, which helps your case for making the switch.
The core values of DevSecOps are also similar to those of DevOps:
Culture: DevOps is about breaking down barriers between teams. If the organization does not work on culture, the other DevSecOps practices will fail.
Automation: often mistaken for DevOps itself, but it is only one part of DevOps, not the whole initiative.
Measurement: metrics gathered from the CI/CD pipeline help the teams make informed decisions.
Sharing: sharing tools, best practices and so on across the teams and the organization builds confidence for effective collaboration.
The above is also known as DevOps CAMS (Culture, Automation, Measurement, Sharing).
How can we scope security practices effectively into the DevOps CI/CD pipeline?
A strategic and technological transition to DevSecOps enables organizations to cope with security risks more efficiently and in real time. Security teams must be seen as a valuable asset that prevents slowdowns rather than one that impedes agility. Catching an unscalable service in the cloud early, for example, saves precious time, money and compute costs.
How do you start implementing DevSecOps?
The DevSecOps approach has six key components:
- Code analysis – deliver code in small chunks so that vulnerabilities can be identified quickly.
- Change management – pace and productivity improve when everyone is encouraged to submit improvements, which are then assessed as positive or adverse.
- Compliance monitoring – be ready for an audit at any time.
- Threat investigation – identify potential emerging threats with each code update and be able to respond quickly.
- Vulnerability assessment – identify new vulnerabilities through code analysis, then analyze how quickly they are being responded to and patched.
- Security training – train software and IT engineers with guidelines for set routines.
If you have not already begun, now is the time to merge your security goals with DevOps and implement "Security as Code", the DevSecOps best practice.
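In practice, "injecting security into every stage of the pipeline" (from the section on how DevSecOps works) and most of the six components above come down to one concrete thing: a security gate in the CI/CD pipeline that reads scanner output, applies a written policy, records why it decided what it decided (compliance monitoring), and tracks how quickly findings get fixed (vulnerability assessment, measurement). The Python script below is an added example of such a gate written for this page; it is not code from the original post or from any particular tool. The JSON report shape, the finding ids, rule names and file paths, and the risk-acceptance exception structure are all constructed for the example and do not correspond to any real scanner's format.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Severity ordering used by the gate policy.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner report for the example. The JSON shape, finding ids,
# rule names and file paths are invented here; they do not match any real tool.
SAMPLE_REPORT = """
{"findings": [
  {"id": "F-1", "rule": "sql-injection",    "severity": "high",
   "file": "app/db.py",       "opened": "2024-03-01", "fixed": null},
  {"id": "F-2", "rule": "hardcoded-secret", "severity": "critical",
   "file": "app/settings.py", "opened": "2024-03-04", "fixed": null},
  {"id": "F-3", "rule": "weak-hash",        "severity": "medium",
   "file": "app/auth.py",     "opened": "2024-02-10", "fixed": "2024-02-15"},
  {"id": "F-4", "rule": "path-traversal",   "severity": "high",
   "file": "app/files.py",    "opened": "2024-02-01", "fixed": "2024-02-21"}
]}
"""


@dataclass
class Finding:
    id: str
    rule: str
    severity: str
    file: str
    opened: date
    fixed: Optional[date]  # None while the finding is still open


def parse_report(text: str) -> List[Finding]:
    """Parse the scanner JSON, rejecting severities the policy cannot rank."""
    findings = []
    for f in json.loads(text)["findings"]:
        sev = f["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"{f['id']}: unknown severity {sev!r}")
        findings.append(Finding(
            f["id"], f["rule"], sev, f["file"],
            date.fromisoformat(f["opened"]),
            date.fromisoformat(f["fixed"]) if f["fixed"] else None))
    return findings


def evaluate_gate(findings: List[Finding], today: str, threshold: str = "high",
                  exceptions: Optional[Dict[str, Dict[str, str]]] = None
                  ) -> Tuple[bool, List[str], List[str]]:
    """Decide whether the pipeline stage may proceed.

    A finding blocks the build if it is still open, its severity is at or above
    `threshold`, and it has no unexpired risk-acceptance exception. Every decision
    is appended to an audit log so the gate's reasoning can be reviewed later.
    Dates are ISO strings so the function is easy to drive from a CI job.
    """
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown threshold {threshold!r}")
    today_d = date.fromisoformat(today)
    exceptions = exceptions or {}
    blocking, audit = [], []
    for f in findings:
        if f.fixed is not None:
            continue  # already remediated, nothing to gate on
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            audit.append(f"{f.id}: {f.severity} below threshold {threshold}, allowed")
            continue
        exc = exceptions.get(f.id)
        if exc is not None and date.fromisoformat(exc["expires"]) >= today_d:
            audit.append(f"{f.id}: {f.severity} accepted until {exc['expires']} ({exc['reason']})")
            continue
        if exc is not None:
            audit.append(f"{f.id}: exception expired on {exc['expires']}, blocking")
        else:
            audit.append(f"{f.id}: {f.severity} {f.rule} in {f.file}, blocking")
        blocking.append(f.id)
    return (not blocking, blocking, audit)


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Average days from opened to fixed over closed findings; None if none are closed."""
    days = [(f.fixed - f.opened).days for f in findings if f.fixed is not None]
    return sum(days) / len(days) if days else None


def open_age_days(findings: List[Finding], today: str) -> Dict[str, int]:
    """Age in days of every still-open finding: the 'how fast do we respond' metric."""
    today_d = date.fromisoformat(today)
    return {f.id: (today_d - f.opened).days for f in findings if f.fixed is None}


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    # A documented, time-limited risk acceptance for F-1 (constructed for the example).
    accepted = {"F-1": {"expires": "2024-03-31",
                        "reason": "input validated upstream, fix planned in sprint 12"}}
    passed, blocking, audit = evaluate_gate(found, "2024-03-10", "high", accepted)
    print("\n".join(audit))
    print("gate passed" if passed else f"gate FAILED on {blocking}")
    print("mean time to remediate (days):", mean_time_to_remediate(found))
    print("open finding ages (days):", open_age_days(found, "2024-03-10"))
```

Run it with `python gate.py` (the file name is my choice). In a real pipeline the job would replace `SAMPLE_REPORT` with the report your scanner actually emits and exit non-zero when `passed` is false, so the gate runs on every merge rather than as a one-off review before release. Two design choices carry the DevSecOps point: exceptions have an expiry date and a reason, which turns "compliance" from a permanent trump card into a documented, reviewable risk decision; and the audit log plus the remediation-time metrics give the security team numbers to show in an audit and to the Dev and Ops teams, instead of an unexplained red pipeline.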