Before going into the details of DevSecOps, we need to understand how it differs from DevOps. Let's start with a brief introduction to both.
What is DevOps?
I know many of you are already familiar with the concept of DevOps. DevOps is a combination of two words: Development as “Dev” and Operations as “Ops”. DevOps stands for a set of practices that automates the processes between software development and IT operations teams so that they can build, test, and release software faster and more reliably. It is a collaboration between development and operations that emphasizes a shift in mindset, better collaboration, and tighter integration.
What is DevSecOps?
Here comes the newer concept of DevSecOps. DevSecOps is a combination of three words: Development as “Dev”, Security as “Sec” and Operations as “Ops”. That alone already gives an idea of what is new in DevSecOps.
DevSecOps is the combination of all three: Development + Security + Operations. The idea behind it is to integrate “Security with Code”, or, as it is often called, “Security as Code”.
Speeding up development by skipping steps meant to identify flaws in untested code, or resisting efforts to add security controls to the code before it ships, exposes an organization in ways that would have been unthinkable under traditional development models. The traditional model checks security concerns after development is finished, which is time-consuming and cumbersome. Such after-the-fact checks are not, however, designed to catch major architectural or security flaws. In DevSecOps, security is checked as part of the development process itself.
How is it important in current scenarios?
Security is something no one wants to compromise on, yet people do not take it seriously until there is a need to. That is why the concept of DevSecOps came into the picture.
DevSecOps combines traditional DevOps approaches with a more integrated and robust approach to security. Integrating security into DevOps brings many advantages, though it also has some effect on the process.
DevSecOps gives the benefit of automation and orchestration at the foundation of the development and deployment processes. It comes with the idea that “Everyone is responsible for security”.
Security is taken care of during the development process so that there are no security issues afterwards, whereas in the traditional system security is checked after everything is done. That turns out to be cumbersome and leaves the system vulnerable in the meantime. With DevSecOps, security is a continuous process that runs alongside development. The older process model included security as the last step, which used to happen once a year. Now, with advances in development and deployment processes, that interval has come down to once a week.
“Security as Code” has the added benefit of being portable, shared, and improved over time, because it is not a document that gets read once, shelved and forgotten. Instead, Security as Code is a living part of the system that supports business outcomes.
The picture above shows a typical workflow of how security is handled in a DevOps process.
Considering the negative side, yes, it does come with some cons. DevSecOps needs to ensure that no sensitive material, such as encryption keys or credentials, is stored in definition files, on systems that are exposed, or in code that could be exposed. As encryption and data protection strategies are increasingly automated along with other DevSecOps activities, it is critical to make sure the proverbial keys are protected at all times. It provides intuitive security measurement, which requires a lot of maintenance in the starting phase of development. The integration of security with code is also a challenging task at the beginning.
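A concrete form of “Security as Code” for the concern raised just above (credentials leaking into definition files) is a check that runs in the pipeline on every commit. The script below is an added example, not code from the article; it scans a constructed docker-compose-style file for hard-coded secrets using two signals: known key formats (the AWS access key ID prefix and a PEM private-key header, which are documented public formats) and generic high-entropy tokens. The pattern names, the `4.0` bits-per-character entropy threshold, the `ci_gate` function and the sample files are all assumptions made for illustration.

```python
import math
import re
from typing import List, Tuple

# Hypothetical pre-merge secret gate (added example, not from the article).
# Pattern names and the entropy threshold are assumptions for illustration.
SECRET_PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM header of a private key pasted straight into a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A literal value assigned to a credential-like key ("password: ...", "token=...").
    "password_assignment": re.compile(
        r"(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})",
        re.IGNORECASE,
    ),
}

# Values that reference a secret store or are placeholders, not secrets themselves.
PLACEHOLDER = re.compile(
    r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]+>|\*+|changeme|example)$", re.IGNORECASE
)

# Candidates for the entropy check: long base64/hex-like runs.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; random keys score well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, English words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text: str, path: str = "<inline>") -> List[Tuple[str, int, str]]:
    """Return (path, line_no, finding_kind) for each line holding a suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # "PASSWORD: ${DB_PASSWORD}" is injected at deploy time, so it is fine.
            if name == "password_assignment" and PLACEHOLDER.match(m.group(2)):
                continue
            findings.append((path, line_no, name))
            hit = True
        if hit:
            continue  # already reported; do not double-count via entropy
        for tok in TOKEN.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high_entropy_token"))
                break
    return findings


def ci_gate(text: str, path: str = "<inline>") -> bool:
    """True if the file may be committed, False if any suspected secret was found."""
    findings = scan_text(text, path)
    for p, n, kind in findings:
        print(f"{p}:{n}: suspected secret ({kind})")
    return not findings


# Constructed sample definition file. The AWS values are the publicly documented
# example credentials, used here only as stand-ins for something that must not be committed.
SAMPLE_COMPOSE = """\
version: "3"
services:
  db:
    image: postgres:15
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}       # injected by the secret store: OK
  api:
    image: example/api:1.0
    environment:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      API_TOKEN: "hunter2hunter2"
"""

# Constructed clean file: every credential is a reference, not a literal.
CLEAN_COMPOSE = """\
services:
  db:
    environment:
      PASSWORD: ${DB_PASSWORD}
"""

if __name__ == "__main__":
    ok = ci_gate(SAMPLE_COMPOSE, "docker-compose.yml")
    raise SystemExit(0 if ok else 1)
```

Run as a pre-commit hook or pipeline step, a non-zero exit blocks the merge; the placeholder rule is what keeps the check from flagging the correct pattern of referencing a secret store variable instead of the secret itself.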