A Practical Guide to Make DevSecOps an Automated Reality

DevSecOps accelerates the pace of digital transformation. In practice, DevSecOps is meant to be a collaboration between development, security, and operations; it aims to automate the integration of security into every phase of the software development lifecycle. 

There are many enterprise benefits to implementing DevSecOps; the top two are creating trust and reducing risk through cost-effective, fast software delivery, and improved proactive security. DevSecOps reduces costs and saves time by minimizing the need to repeat a process to address security issues after the fact. According to the 2021 State of DevOps Report, an annual report that includes insight from more than 2,500 expert participants around the globe, "teams who integrate security practices throughout their development process are 1.6 times more likely to meet or exceed their organizational goals."

Why DevSecOps Matters

Top performers worldwide are using security and compliance to speed up their businesses; organizations that aren't utilizing these practices are experiencing slowdowns and re-works.  

The question is, do you want to be slowed down by security and regulatory requirements? Or do you want to use security and compliance to your advantage against the competition? You can have speedy delivery and reduce risk with DevSecOps.  

Enabling DevSecOps collaboration helps unify teams throughout the journey, instead of building code, configuring changes, and starting deployment, only to be stopped because of compliance or security requirements that weren't communicated, and then rewriting code to fix the issues. This not only adds to frustration but prolongs the process. Moving from a siloed organization to enabled collaboration reduces rework and gets the finished, compliant product to market sooner. The goal is to break down the silos, take the key learnings from DevOps and DevSecOps, and start the conversation about compliance and security needs in parallel and in a single pipeline for building the next release, not at the end of the process.

Chef Makes DevSecOps a Reality 

With Chef, you can turn DevSecOps concepts into reality. As an industry leader, we understand the need to bring security to the table early in the development process. We've built the tools that allow you to get started quickly.

Every organization has policies that govern how it does business, defining security standards, regulatory requirements, and other organizational mandates. Typically, these policies are defined in text (PDF documents, Word, Excel and wikis) that can't be acted upon. Those policies need to be interpreted by humans before they can be implemented or enforced.

Chef's approach is to define and document those policies as unambiguous, human-readable code. For compliance and security, we've developed a large library of Chef-curated Premium Content that's CIS or DISA STIG certified to get you started. These pre-made hardening profiles enable organizations to deploy configurations and applications to known standards right out of the box.

But the real power of Chef is its extensibility and flexibility. The Chef language encourages collaboration across security, compliance, and DevOps teams by giving them the power to create, modify, and extend codified policy to fit their specific business needs. For example, waivers allow teams to customize pre-built InSpec profiles and turn off controls that aren't required by the business.
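The waiver mechanism described above, as an added illustration that is not Chef's or InSpec's own code: a constructed waiver file in InSpec's waiver format (`expiration_date`, `run`, `justification`) is applied to constructed control results using a simplified model of InSpec's behaviour, where `run: false` skips a control, an active waiver turns a failure into a waived result, and an expired waiver is ignored. The control IDs and dates are made up for the example.

```ruby
require 'yaml'
require 'date'

# Constructed waiver file in InSpec's waiver format (not a real profile's waivers).
WAIVER_YAML = <<~YAML
  ssh-13:
    justification: "Legacy jump host; decommission scheduled"
    expiration_date: 2099-01-01
    run: false
  os-05:
    justification: "Compensating control in place"
    expiration_date: 2000-01-01
    run: true
  sshd-11:
    justification: "Accepted risk; still run and report the control"
    run: true
YAML

# Constructed results as a profile run might produce them, keyed by control ID.
RESULTS = {
  'ssh-13'  => :failed,
  'os-05'   => :failed,
  'sshd-11' => :failed,
  'os-02'   => :passed,
}.freeze

# Parse the waiver file; unquoted YAML dates come back as Date objects.
def load_waivers(yaml)
  YAML.safe_load(yaml, permitted_classes: [Date])
end

# A waiver without an expiration date never expires; otherwise it is valid through that day.
def waiver_active?(waiver, today)
  exp = waiver['expiration_date']
  exp.nil? || Date.parse(exp.to_s) >= today
end

# Simplified model: run: false skips the control entirely; an active waiver
# downgrades a failure to :waived; expired or missing waivers leave the result alone.
def apply_waivers(results, waivers, today = Date.today)
  results.to_h do |id, status|
    w = waivers[id]
    next [id, status] unless w && waiver_active?(w, today)
    next [id, :skipped] if w['run'] == false
    [id, status == :failed ? :waived : status]
  end
end
```

The expired waiver on `os-05` is the case to watch: the control goes back to reporting its real failure, which is why waiver expiry dates need an owner.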

By defining policy as code, you and your teams can perform tests early and often. Chef has extensive capabilities to support a test-driven development approach to ensure infrastructure and applications are policy-compliant before being promoted into production environments.

Unlike other tools in the market today, Chef has fully integrated infrastructure and compliance policies to streamline the workflow for operators and ensure alignment all the way from the development phase.

This approach drives several business benefits:

  • Codifying policies lets organizations document them in an unambiguous, sharable, actionable way.
  • By taking advantage of extensive Chef Premium Content and a wide range of community-built content, organizations can achieve faster time-to-value.
  • Chef particularly shines when it comes to customization and the ability to apply waivers, which translates to fewer false positives and less rework required.
  • Test-driven development means faster, more secure delivery.
  • And a single tool means a streamlined workflow and fewer new tools to learn.

Chef Policy-Based DevSecOps Automation Architecture

Including security and compliance early in the process is the responsibility of both developers and ops teams. Together, they need to think beyond infrastructure and change the way they think about end-to-end deployments. Let’s start at the beginning. 

The diagram above highlights how code based on your organization's rules and policies is created and tested at the start of the process. Think of this stage as your effort to create Chef recipes, compliance profiles and system attributes. Thinking about security considerations at this early stage matters most because it's easy to iterate and make changes. Waiting until the last steps before deployment makes it harder for security teams to weigh in and results in costly, time-consuming rework.

What is Policy as Code?  

Policy as Code brings configuration management and compliance into a single step, eliminating the security silo and moving everyone into a shared pipeline and a shared framework. It takes advantage of cookbooks, local or shared test-driven development, Chef InSpec profiles, and the Chef Infra Compliance Phase. Making DevSecOps an automated reality brings together all the critical steps, allowing you to overcome technical skills gaps and scale automation across your teams and environments. This on-demand webinar shows how that works.

Policy as Code extends Infrastructure as Code by enabling four essential actions:

  1. Collaboration: Code is a common language for Developers, Operations, and Security teams.
  2. Scalability: Code scales across complexity sprawl.
  3. Shift Left: Test throughout the delivery process, bringing security in as early as possible, and allowing developers to test policies directly on their workstations.
  4. Continuous Visibility: Monitor the steps to reduce or eliminate risk and fire drills.

In a recent webinar, Progress Chef's Tim Smith describes Chef's approach to Policy as Code, which allows for true SecOps collaboration between infrastructure and security teams.

What are your thoughts about DevSecOps? We would love to hear from you and how you make DevSecOps a reality. Join the discussion on the Chef Community Slack or one of our live DevRel Streams.

View webinar on-demand: https://www.chef.io/webinars/making-devsecops-automated-reality

Join Chef Community: https://community.chef.io/slack

Join DevRel Stream: https://community.chef.io/slack

Michelle Sebek

Michelle was a senior product marketing manager for Chef.