DevSecOps
What is it and how is it helping ADM in WFH era?
The office setting and looks of most of the organizations from pre-covid19 era, has been greatly challenged of ever coming back to normal. Working from home is now the new norm and while at the moment it is done to abide with regional laws and at the same time facilitate business processes, greater benefits have been derived from this new setting and well, remote working is here to stay.
Among those working from home are developers and operations engineers responsible for developing applications, maintaining them and providing new features to those application now and then that other organization users use to interact with resources in the cloud, collaborate and manage their work.
As such, application security is of paramount significance. DevSecOps borrows all other characteristics of DevOps but adds the security aspect. DevOps, unlike the traditional monolithic Software Development Life Cycle (SDLC), is a term that defines the process of developing new application features continually and much faster with the highest quality. However, since the inception of the Internet, security has always been a retrofit feature and that was still the case in early 2010s when the DevOps technique came around. In recent years, application development with security at the core from the early stages of requirement gathering has been added. This is what the DevSecOps is.
Before I jump on to why DevSecOps is so important. Let's look at what are the baby steps organizations need to know where they stand. It is important for an organization to first assess and identify the existing DevOps maturity level. The maturity levels as we see it, can be defined as:
Basic
Emerging
Coordinated
Enhanced
Top Level
At Capgemini, usually we perform a DevOps maturity assessment based on 6 dimensions. Based on the DevOps maturity rating, we recommend a strategic DevSecOps adoption path to adopt and implement Capgemini's DevSecOps Acceleration Platform.
This is a DevSecOps tech-stack example, that can be part of DevOps Pipeline:
Overall DevSecOps orchestration – Jenkins
Code – Git, Bitbucket
Code Quality – Sonar
Unit testing – Junit, Mockito
SAST - Yasca
Build - Maven, NPM, Visual Studio
Artifactory – Nexus, JFrog
Environment Configuration - CHEF
Deployment - AWS, OHS, Weblogic
Containerization - Docker
Container Security - Docker Secure Registry
Container Orchestration - Kubernetes
Functional testing - Selenium
DAST, IAST – Checkmarx, Veracode*
Monitoring – Grafana
IaC - Terraform
Today, DevSecOps has completely replaced DevOps. But what is the importance of DevSecOps over DevOps in a remote office setting?
DevSecOps increases threat visibility which makes it possible to account for many threat since the early stages of application development. Since DevSecOps unites the development and operation teams, security is made a joint consideration rather than having one team responsible for security where operations are only able to identify post-development threats and developers can only tell development security threats.
DevSecOps has significantly reduced the time it takes to develop applications. Earlier, while fitting security features after application development, existing code was adversely changed and as such some pertinent features lost. This required project completion timeframes to be pushed. If these fixes were made a lot earlier, emerging problems would be fixed a lot earlier and tested. If new features are needed, you will be able to provide them. Similarly, if some bugs are found, you will be able to fix them without needing to change a lot of code. It also makes sure that clients are able to provide feedback after each iteration ensuring that the project continues as expected. This will help in achieving intended benefits of DevSecOps model adoption at your clients ADM setup.
Many organizations have moved to the cloud and many more are expected to do as well because, well, the advantages the cloud provides are not debatable. The only problem with cloud providers is that they only ensure cloud security but not within each of the client’s clouds. By deploying DevSecOps to build cloud native applications, organizations are able to fix and prevent security bugs within their own clouds enabling them to reach near-perfect security.
Well, with the proliferation of security tools and investments by organizations one would think it would be easier. Reports out there are suggesting that Covid19 has made businesses focus more on cyber security but so far from start of the pandemic, besides all the bad news around us, we are talking about the Solar Winds attack, the Accellion breach, the Microsoft Exchange breach, SITA breach and a ransomware uprising. Where is the digital security topic? Especially, the security of the data, applications development and maintenance (ADM) activities being carried out while working from home (WFH).
WFH is now the new norm at least for will stay for some more time and while at the moment it is done to abide with regional laws and at the same time facilitate business processes, greater benefits have been derived from this new setting and well, remote working is here to stay. Among those WFH are developers responsible for developing applications and providing new features to those application now and then that other organization users use to interact with resources in the cloud, collaborate and manage their work.
As such, application security is of paramount significance. DevSecOps borrows all other characteristics of DevOps but adds a security aspect from the ground up. Today, DevSecOps has completely replaced DevOps. But why DevSecOps?
DevSecOps is a group of automated levers, dev platforms, tools, services and standards to enable developers and operations team to develop, secure, deploy and operate applications in a secure, collaborative, flexible and interoperable way.
DevSecOps increases threat visibility which makes it possible to account for many threat since the early stages of application development. Since DevSecOps unites the development and operation teams, security is made a joint consideration rather than having one team responsible for security where operations are only able to identify post-development threats and developers can only tell development security threats.
DevSecOps has significantly reduced the time it takes to develop applications. Earlier, while fitting security features after application development, existing code was adversely changed and as such some pertinent features lost. This required project completion timeframes to be pushed. If these fixes were made a lot earlier, emerging problems would be fixed a lot earlier and tested.
DevSecOps also benefits your clients. This is because if new features are needed, you will be able to provide them. Similarly, if some bugs are found, you will be able to fix them without needing to change a lot of code. It also makes sure that clients are able to provide feedback after each iteration ensuring that the project continues as expected.
Many organizations have moved to the cloud and many more are expected to do as well because, well, the advantages the cloud provides are not debatable. The only problem with cloud providers is that they only ensure cloud security but not within each of the client’s clouds. By deploying DevSecOps to build cloud native applications, organizations are able to fix and prevent security bugs within their own clouds enabling them to reach near-perfect security.
At the end, following are the few suggestion for people WFH, whether it's on DevSecOps / DevOps environment or any other official work being done through digital devices.
Regularly visit the privacy and security policies of your employer as well as of the the client if you working on a client's project.
Screen security - be vigilant not only to keep your work environment secure during casual get-together with friend, but also make sure not to keep your laptop / monitor very near to clear windows specially when your home is on busy street or window is too close to your neighbor's window.
Turn-off your laptop and computer when not in use.
Avoid the work relate talks in home, with friends and relatives.
Avoid using work equipment for personal communication, personal video conferencing and emailing.
Avoid using common hotspots or multi-shared routers (shared with neighbors).
Be vigilant of phishing email and phone calls.
Inform your family members about steps they need to take for physical security of the official assets in your absence.