What is DevSecOps? Definition & Best Practices
DevSecOps blends development, security and operations groups into one larger team designed to create secure applications in an agile manner. With DevSecOps, security is a shared responsibility across the three groups, and security is built into every stage of the software development and deployment lifecycle.
Why Should You Care About DevSecOps? The NIST Answer
With DevSecOps, security practices are built into software development from the very start. According to NIST, DevSecOps benefits include:
- “Reduces vulnerabilities, malicious code, and other security issues in released software without slowing down code production and releases
- Mitigates the potential impact of vulnerability exploitation throughout the application lifecycle, including when the code is being developed and when the software is executing on dynamic hosting platforms
- Addresses the root causes of vulnerabilities to prevent recurrences, such as strengthening test tools and methodologies in the toolchain, and improving practices for developing code and operating hosting platforms
- Reduces friction between the development, operation, and security teams in order to maintain the speed and agility needed to support the organization’s mission while taking advantage of modern and innovative technology”
What’s the Difference Between DevOps and DevSecOps?
DevOps combines development and operations to develop and deliver software faster and safer and represents a cultural and technological change. “DevOps is about building high-velocity organizations. Everyone who practices DevOps is doing it to create these types of companies. DevOps is born from the experiences of its practitioners. Although many people assume that the original DevOps practitioners were web innovators, that’s not necessarily true. What does matter is that DevOps practitioners are always honing their skills and looking for ways to improve,” argued the Embrace DevOps eBook.
DevSecOps takes this notion a step further by bringing security professionals fully into the software development process.
DevSecOps Real World Benefits
NIST explained earlier the basic benefits of DevSecOps. An IDG Security Compliance Survey actually quantified the benefits for enterprises, finding that adopting DevSecOps practices and methods (backed by automated software testing tools) reduces or eliminates the security threats that come from unpatched systems and faulty code.
The need for security throughout the entire dev lifecycle has smart shops putting DevSecOps on the front burner. “With cyberattacks escalating dramatically, the risks and consequences associated with flawed code and faulty infrastructure configurations have grown severe. This new reality has sparked intense interest in adding security and compliance testing throughout the software development lifecycle (SDLC). This enhanced and extended approach to the SDLC—known as DevSecOps—has already been embraced by many organizations, at least conceptually. In practice, some companies are merely adding a bit more security testing into the process, rather than fully integrating security teams and practices from the initial application planning through to the deployment and operational stages. More fundamentally, some companies continue to harbor strong doubts about the DevSecOps model, believing that inserting security and compliance testing into the SDLC process will slow software delivery, increase costs, and introduce other burdens,” the IDG report argued.
Taking DevSecOps baby steps only provides small rewards. “To be effective, security defenses must be designed, applied, tested, and validated at multiple levels. The process starts with the code that makes up each application, and ultimately extends to infrastructure configurations, application interdependencies, and the security policies that companies institute.”
Meanwhile, Insight Avenue, a United Kingdom-based research firm, conducted 606 interviews with IT/Security/App Dev and DevOps pros and found:
- "17% of organizations still considered themselves at an exploratory and proof-of-concept stage in respect to DevSecOps
- 71% agreed that culture was the biggest barrier to DevSecOps progress
- 30% felt confident in the level of collaboration between security and development
- 76% recognized they could be more strategic in how they manage DevSecOps
- 86% experienced challenges in current approaches to security"
Security is not the only DevSecOps impetus. “Unsurprisingly, the top business factor driving the adoption of DevSecOps was a focus on business agility via fast and frequent delivery of application capabilities (59%). The top technology factor driving adoption was to better manage cybersecurity threats and issues (57%),” Insight found in its DevSecOps: Simplifying Complexity in a Changing World report.
The DevSecOps Language Barrier
While it sounds great in theory to integrate dev, security and operations into one all-star software team, it is not so simple. Each group has its own culture and even language.
But language is what can actually bring these teams together. “The software code itself, along with codified infrastructure configurations, can serve as a common source of truth shared and understood by all the participants who play a role in the SDLC. Furthermore, automated tools can greatly aid the DevSecOps process. For example, some tools can test code for known vulnerabilities, exploits, and misconfigurations—and automatically remediate any identified flaws. Automated tools can also leverage metadata to “understand” compliance requirements and ensure those requirements are being met throughout the SDLC. By leveraging metadata, the tools can validate system security while also providing data that both informs and speeds time-consuming security audits,” IDG argued.
Here are more specifics from the IDG report:
- 59% of those surveyed said building security into the software development lifecycle is vital for their enterprise’s success.
- Almost 9 out of 10 DevSecOps adopters said that adding security actually sped up, or at the least had no negative impact on, software delivery.
- 60% of organizations polled said DevSecOps reduces breach risks.
The US Department of Defense (DoD) is not just an excellent advisor on all things security, it also takes its own advice and is a staunch DevSecOps proponent. “DevSecOps describes an organization’s cultural and technical practices, aligning them in such a way to enable the organization to reduce the gaps between a software developer team, a security team, and an operations team. Adoption improves processes through daily collaboration, agile workflows, and a continuous series of feedback loops,” explained the DoD Enterprise DevSecOps Strategy Guide.
According to the DoD, DevSecOps benefits include:
- "Reduced mean time to production: Reduces the average time it takes from when new software features are required until they are running in production.
- Increased deployment frequency: Increases how often a new release can be deployed into the production environment.
- Decreased mean time to recovery: Decreases the average time it takes to identify and resolve an issue after a production deployment.
- Decreased change-fail rate: Decreases the probability that a new feature delivered in production will result in a failure in operations.
- Fully automated risk management: Well defined control gates perform risk characterization, monitoring, and mitigation as artifacts are released and promoted through every step, from ideation to production.
- Baked-in Cybersecurity: Software updates and patches delivered at the speed of relevance."
DevSecOps Approach and Best Practices: Everything as Code
It is one thing to want development, security and operations teams to work together. It is another to give them the tools to make it happen. “DevSecOps automation entails a close collaboration between Development, Security, and Operations to integrate best practices into the software delivery process, including embedding automated security and compliance testing in the software development lifecycle (SDLC),” the Chef DevSecOps page explained. “One barrier to collaboration among operations, development and security across the SDLC is that these professionals all have their own language and corporate culture. Fortunately, Code serves as a common source of truth, shared as a common language among the teams and can be used to codify infrastructure configuration, security and compliance.”
With a code approach to infrastructure and development, everything can be defined as code: infrastructure, application dependencies, and security and compliance configuration. This common DevSecOps language can be used by all constituencies, scaled, shared and of course automated.
The cloud is increasingly where the apps are, and DevSecOps lost no time following them there. According to the Insight Avenue report:
- 89% of new DevSecOps projects are cloud-based.
- 88% of those polled said that DevSecOps is closely related to the cloud.
- 73% believe DevSecOps roles are growing into CloudOps to better support cloud-native initiatives.
DevSecOps tools such as Chef Cloud Security now allow IT, security and operations pros to monitor, scan and remediate configuration issues in cloud native, multi-cloud and on-premises environments.
“Chef Cloud Security audits your cloud accounts for security risks and misconfigurations across hundreds of configuration settings and enables consistent, unified multi-cloud security,” the Chef Cloud Security page explained. “Chef Cloud Security can help you scan systems across all environments (Dev, Pre-Prod, Prod), all systems (Cloud, Kubernetes, VMs, Containers, Windows, Linux), and all clouds (Amazon Web Services, Azure, Google, Alibaba, and many others).”
DevSecOps Best Practices
Here are nine best practices to follow:
- Go Agile
- Adopt CI/CD
- Get executive buy-in
- Develop a road map
- Go cloud-first
- Automate everything
- Use code as a common language amongst teams
- Monitor infrastructure
- Adopt security and compliance practices throughout the entire SDLC
DevSecOps is a way of working and is not itself a framework. However, Carnegie Mellon developed a DevSecOps framework, which it describes in its Framework for DevSecOps: Evolution and Achieving Continuous Integration/Continuous Delivery (CI/CD) Capabilities whitepaper. This framework focuses largely on perfecting CI/CD through DevSecOps approaches and agile methodologies.
“This framework builds on well-established applications of DevSecOps principles and provides additional guidance for applying DevSecOps principles to infrastructure operations in an on-premises computing environment by providing an ordered approach toward implementing critical practices in the stages of adoption, implementation, improvement, and maintenance of that environment. The framework also focuses on the leverage of automation throughout the process,” the whitepaper argued.
In addition to CI/CD and Agile, Carnegie Mellon believes a structured roadmap is also critical. “When defining and establishing a vision for the environment, designers should consider the ideal state of the development environment from the perspective of all stakeholders, including software architects, developers, system administrators, test and quality-assurance engineers, security officials, management, and end users,” the university contends.
Below is an example of a CI/CD pipeline:
[Figure: Carnegie Mellon CI/CD pipeline]
DevSecOps should be part of all eight stages of the software development lifecycle, including:
- Test, and
For optimum DevSecOps results, the best advice is to automate everything you possibly can. This includes actions, approvals, business processes, decisions and documentation. Automated testing is critical for validating software design, the behavior of public interfaces and to conduct security and functional tests.
Agile is an absolute DevSecOps requirement. “Agile project management and software development is an iterative strategy that helps teams provide value to clients faster and with fewer difficulties. An agile team provides work in tiny, digestible increments rather than relying on a “big bang” launch. Teams have a natural mechanism for adapting to change rapidly since requirements, strategies, and outcomes are assessed on a regular basis. Both place a strong emphasis on cross-functional collaboration to break down information silos. They both emphasize fast feedback and continuous improvement,” argued IT training and consultancy i4 Group in its What is the Relationship Between Agile and DevSecOps blog. “You can implement agile without using DevSecOps, but you cannot implement DevSecOps without an agile mindset.”
Amazon Web Services (AWS) is a remarkable platform that developers are flocking to. It can be made even better for DevSecOps pros with the help of Chef Automate. “Chef’s Continuous Automation solution is tightly integrated with Amazon Web Services (AWS). If you’re using AWS now, Chef gives you a single, unified way to automate AWS services and resources. If you’re thinking of using AWS, Chef will help you migrate your workloads at your own pace, and with complete control. Together with AWS, Chef helps customers tackle risk and compliance barriers blocking cloud migration,” the Chef AWS page explained.
Like AWS, Microsoft Azure is a go-to enterprise development and deployment platform. And like AWS, Azure is made better with Chef, helping DevSecOps teams continuously automate building, deploying and managing the applications and application infrastructure that run on Microsoft Azure.
“Companies require speed, velocity, and safety to compete in the digital marketplace. Together Chef and Microsoft help individuals, teams, and enterprises accomplish all of these things. With one platform, Chef Automate, you can now automate and continuously deliver your infrastructure, applications, and even compliance across your Microsoft estate,” the Chef Azure page explained.
Microsoft is a big Chef supporter. “The nice thing about Chef technology for customers is they can apply a standardized automation both in Azure, on anything that they’re migrating or net new deployments. But they can also apply the same toolset, processes, and methodology to their existing investments… to have consistency in terms of how they manage disparate environments,” said Ken Thompson, Azure Product Marketing Manager, Microsoft.
Security and compliance go hand in hand. Where they differ is that compliance consists of specific rules that generally relate to security and privacy.
While DevSecOps excels at security, it is just as good for compliance. With DevSecOps, your team can find and correct compliance issues across your on-premises and cloud infrastructure. This includes testing the entire enterprise infrastructure for compliance with both corporate and regulatory policies.
At the same time, you can quickly achieve and maintain visibility into your infrastructure compliance status. DevSecOps shops have a consolidated view of compliance status which supports on-demand auditing. Finally, you can automate your security compliance measures and ensure the delivery of compliant and secure software.
Here are two other benefits:
- Ensure continuous security: Automated compliance and security provide up-to-date status reports and dashboards and, by finding and correcting issues, deliver software that is compliant by design.
- Increase development velocity and reduce compliance risks: By building compliance into the full SDLC process, you can make rapid changes, such as those called for by Agile, without creating new security holes.
How Chef DevSecOps Solutions Stand Out
As a founder of the DevOps movement, Chef Software boasts a broad portfolio of solutions that automate infrastructure configuration, compliance, security and application delivery. Taken together, this brings full, continuous automation to the entire software development lifecycle (SDLC).
Chef Enterprise Automation Stack, our flagship solution, includes Chef InSpec and Chef Infra, which detect and correct security and compliance issues at all SDLC stages. Moreover, this stack automates configurations, guaranteeing your infrastructure stays consistent, secure and compliant throughout its lifetime, no matter how large-scale, heterogeneous and complex the environment.
Chef solutions include pre-built content to enable compliance to industry standard security benchmarks such as CIS (Center for Internet Security) and DISA STIGs, and are customizable to any enterprise-level compliance standards. Chef’s “everything as code” approach speeds software delivery, improves adherence to security and compliance standards and significantly reduces time spent on audit and remediation activities. For further information about how Chef Software’s solutions and services can help your organization produce secure and compliant code and infrastructure, delivering on the full promise of DevSecOps, go to www.chef.io/solutions/devsecops/.
DevSecOps Success Story: Discount Tire
Discount Tire was focused on evolving its IT infrastructure in a way that would allow it to easily consume new technologies to better serve its customers. This started with migrating its website to AWS, which meant a move from Satellite to a platform that would allow the team to easily consolidate management of its on-prem instances and its AWS configuration policies, while automating its patching process and accelerating application delivery.
- Migrated from Satellite onto Chef to manage on-prem instances and AWS configuration policies, while automating patching and accelerating application delivery.
- Took a Policy as Code approach, building out cookbooks and configurations in Chef to ensure best practice consistency in the infrastructure management and application delivery process.
- Set up the Chef client to run every 30 minutes, providing continuously updated compliance data.
- Standardized on CIS benchmarks via a tagging procedure that allows new servers to be added without the need for custom profiles.
- Reduced operational complexity by being able to build and deploy applications on a technology agnostic platform.
- Accelerated the rate at which new technologies can be delivered and consumed, resulting in a better end-user experience for Discount Tire customers.
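The detect-and-correct loop behind “compliance as code” (the Chef InSpec and Chef Infra role described above, and the Policy as Code approach in the Discount Tire story) as an added illustration in plain Ruby; this is not Chef’s or InSpec’s own code or DSL. The sshd_config text and the three CIS-style controls are constructed for the example and are assumptions, not entries copied from a benchmark.

```ruby
# Added example (not Chef's or InSpec's code): compliance checks as data plus
# a detect step (evaluate) and a correct step (remediate) over an sshd_config.
# The config below is a constructed sample of a host that drifted from baseline.
WEAK_SSHD_CONFIG = <<~CFG
  # constructed sample sshd_config
  Port 22
  PermitRootLogin yes
  PasswordAuthentication yes
  MaxAuthTries 10
CFG

# Controls are data, so they can be versioned, reviewed and reused like code.
# :want is the compliant value written on remediation; :ok decides pass/fail.
# These three mirror the shape of CIS SSH recommendations (assumed, not quoted).
CONTROLS = [
  { id: "ssh-01", impact: 1.0, key: "PermitRootLogin",
    want: "no", ok: ->(v) { v == "no" } },
  { id: "ssh-02", impact: 0.7, key: "PasswordAuthentication",
    want: "no", ok: ->(v) { v == "no" } },
  { id: "ssh-03", impact: 0.5, key: "MaxAuthTries",
    want: "4", ok: ->(v) { !v.nil? && v.to_i <= 4 } },
].freeze

# Parse "Key value" lines into a hash; comments and blank lines are skipped.
# A repeated key keeps its first value, matching how sshd reads its config.
def parse_sshd(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    cfg[key] ||= value
  end
end

# Detect: run every control and return { control id => :pass or :fail }.
# A missing directive fails closed, since the value is then nil.
def evaluate(text)
  cfg = parse_sshd(text)
  CONTROLS.to_h { |c| [c[:id], c[:ok].call(cfg[c[:key]]) ? :pass : :fail] }
end

# Correct: rewrite failing directives in place and append any that are absent,
# leaving compliant and unrelated lines untouched.
def remediate(text)
  cfg = parse_sshd(text)
  fixes = CONTROLS.reject { |c| c[:ok].call(cfg[c[:key]]) }
  out = text.each_line.map do |line|
    key = line.strip.split(/\s+/, 2).first
    fix = fixes.find { |c| c[:key] == key }
    fix ? "#{fix[:key]} #{fix[:want]}\n" : line
  end
  fixes.each { |c| out << "#{c[:key]} #{c[:want]}\n" unless cfg.key?(c[:key]) }
  out.join
end

if __FILE__ == $PROGRAM_NAME
  evaluate(WEAK_SSHD_CONFIG).each { |id, result| puts "#{id}: #{result}" }
  puts remediate(WEAK_SSHD_CONFIG)
end
```

Running evaluate before and after remediate on the same file is the scheduled-client pattern in the story above: each run re-checks the baseline and reports drift rather than assuming the last run still holds.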