DevSecOps – short for development, security and operations – combines separate traditional development, security and operations functions to increase the security of applications and digital services.
As the name implies, DevSecOps aims to integrate security testing into “agile IT and DevOps development as seamlessly and as transparently as possible. Ideally, this is done without reducing the agility or speed of developers or requiring them to leave their development toolchain environment,” says market researcher Gartner.
How Does DevSecOps Work?
DevSecOps is based on core DevOps principles such as automation, and continuous and iterative improvements, as well as giving developers primary responsibility for security rather than leaving that function to a dedicated security team after applications have gone into production.
In DevSecOps, the “you code it, you own it” philosophy extends beyond code development to security monitoring and incident response, with any business impacts of security breaches reported to the developer, according to Gartner.
DevSecOps allows developers to continuously check their code for security issues as they create it and to fix problems immediately. Security feedback can be provided through traditional ticketing systems or the developer’s integrated development environment (IDE), says Dale Gardner, a senior research director at Gartner. Some tools that allow developers to receive and act on security issues in their IDE can, he says, “point to specific lines of code … and say, ‘The problem is here … like we found SQL injection in your code; here’s why it’s a bad thing and how you should go about fixing it.’”
In its research reports, Gartner recommends extending scans for known vulnerabilities and misconfigurations to not only custom code, but the open-source and third-party components that often make up the bulk of modern applications. It also recommends scanning and monitoring all “infrastructure as code” (such as automation scripts, templates, images and blueprints that determine the configuration of the IT infrastructure) for vulnerabilities. And it recommends controls to assure the correct version of a script is being used and that platform control and configuration scripts don’t contain secrets such as credentials.
Application programming interfaces (APIs) through which many cloud-native applications communicate are a growing area of interest for DevSecOps practitioners, says Gardner, with Gartner’s surveys showing the percentage of organizations testing APIs for security vulnerabilities rising from the single digits to around 30% in the last few years.
Gartner recommends threat modeling as an essential step in DevSecOps to set policies covering what level of risk the organization is comfortable with, allowing developers and security staff to de-emphasize those vulnerabilities that are unlikely to be exploited or applications that are less critical to the business.
In a DevSecOps environment, Gartner recommends all scans be fully automated using APIs triggered by the developer’s continuous integration/continuous deployment (CI/CD) toolchain and events such as committing code to a new environment or posting it for review by others.
Among the DevSecOps practices Gartner recommends are that infrastructure updates such as security patches and configuration changes be made by developers and deployed by automated tools, and that libraries, components and OS images used to create production images be kept in secure repositories.
What Are the Benefits of DevSecOps?
DevSecOps has the potential to reduce cybersecurity risks to the enterprise, its brands, its data and its customers more completely, more quickly and at lower cost than by performing security checks only after code has been released into production.
“If I can have the developers fix something right away, it’s cheaper and easier than waiting hours and days [to fix] something,” says Gardner. Along with tangible benefits such as reduced deployment time and effort, there are intangible business benefits such as delivering more features to the market more quickly as well as avoiding the reputational or regulatory costs of a security breach.
What Are the Drawbacks to DevSecOps?
DevSecOps requires changes in the roles performed by, and the skills required of, both developers and security teams. This can require retraining, changes to workflows and increased collaboration between developers who were traditionally focused on speeding great apps to market and security teams that traditionally prioritize security.
Gartner recommends training developers in at least the basics of secure coding and common application vulnerabilities. This includes foundational security hygiene; secure configuration of applications, operating systems and container environments; and how to correctly use the enterprise’s systems for managing secrets such as passwords. Security professionals should be trained in newer “cloud-native” development and deployment technologies, which can require cost and effort.
The use of internal secure code repositories also “requires an ongoing commitment between development architects and information security to keep it up to date, and a process for developers to request new frameworks and libraries,” says Gartner.
Futile attempts to create zero-vulnerability applications can slow developers down, causing them to waste time chasing false positives or addressing vulnerabilities that pose lower risk because they are not directly or easily exploitable, says Gartner. Instead, it recommends focusing developers and testers on the most critical security issues identified through threat modeling.
For new applications, Gartner recommends having simple, automated security requirements using a threat modeling tool. For existing applications, it suggests an incremental approach to threat modeling, focused on major changes to applications.
Among the new technologies that may be required is strong version control to ensure that only code that has been properly scanned for flaws is put into production, as well as to determine where insecure code has been used so it can be remediated. DevSecOps may also require new capabilities to identify and verify the security of the APIs used to connect web applications.
Another challenge, says Gardner, is getting application security professionals to change their mindset from serving as a security “guardian” at the end of the development process to advising developers throughout the process on how to improve application security.
Examples of DevSecOps Tools
Gardner separates DevSecOps tools into three categories: threat modeling, traditional testing tools used in DevSecOps, and observability and monitoring.
Threat modeling: DevSecOps tools that automate this formerly work-intensive task include SD Elements from Security Compass, ThreatModeler (from the company of the same name), the IriusRisk Threat Modeling Platform, as well as various open-source tools.
Traditional testing tools: Traditional testing tools used in DevSecOps include Checkmarx, a leader in Gartner’s 2021 Magic Quadrant for Application Security Testing, which says Checkmarx’s graphical presentation of control and data paths across microservice environments “helps developers better understand where best to focus remediation efforts.” Another is Synopsys, whose recently added microservices analysis provides a visual interface that can help identify potentially unsafe data flow issues, says Gartner, while its new Intelligent Orchestration solution integrates into continuous integration/continuous delivery pipelines.
Forrester Research praised the integration capabilities of Micro Focus Fortify that “support the developer toolchain,” as well as the ability to accept scanning data from third-party tools.
Observability and monitoring: In the monitoring and observability space, Gardner cited the Dynatrace Software Intelligence Platform, which Dynatrace claims can discover new code deployed into production and scan it for known vulnerabilities. Bionic claims to continuously discover and analyze applications, services, APIs, data flows and dependencies; provide alerts on architecture drift and policy violations; and provide “a feedback loop to engineering teams so architectures comply with standards.”
Contrast Security claims such as observability capabilities as automatically identifying, diagnosing and verifying the remediation of vulnerabilities in applications and APIs, and providing “a comprehensive view of all open-source components and their dependencies.”
Conclusion
DevSecOps can require extensive changes in how organizations think about, organize and staff for software development, security and operations. It requires an integrated, continuous and iterative approach to security that gives broader security responsibilities to developers, and new tools to provide the needed visibility and tracking of custom and open source code.
The benefits, though, are the ability to respond nimbly to new business challenges while protecting customers, business partners or the brand from ongoing cyberthreats.
