DevSecOps has matured from a radical new approach to the cornerstone of practical application security. Integrating security checks and practices into DevOps processes has proved to be a necessity to keep up with rapid development. Modern security testing tools have also matured to where they can be embedded into agile workflows without hindering dev work.
DevSecOps is a software development approach that aims to integrate security practices into DevOps processes. Implementing DevSecOps efficiently requires organizations to make security an integral part of software quality by using automated security tools in their CI/CD pipeline. Crucially, the DevSecOps approach to software development offers a way to embed application security into the entire development and operations process. With the right security tools built into the DevOps pipeline, you can make security an integral part of the software delivery processes and address security risks as early as possible.
Changing the place and role of security in application development
Evolution is the key concept when looking at DevSecOps. The growing pace and business importance of software development first forced a rethink of traditional waterfall methodologies, leading to the widespread adoption of DevOps as a far more efficient way to build more software faster. The downside of this leap forward was that security processes were still isolated from the main software development process, resulting in security often being an afterthought—even as the world increasingly came to rely on web applications where security threats are far more numerous than for desktop software.
The logical next step was to also bring security into DevOps. Unlike QA testing, security testing was traditionally seen as completely external to development and not easily automated, so attempts at DevSecOps only became possible once the right security tools were available. At the same time, applications were becoming more complex and distributed, commonly using service-based architectures with microservices communicating via APIs. To build new business functionality at the required speed, developers came to rely extensively on third-party application frameworks and open-source components, so securing your own code could no longer guarantee that your whole app was secure.
To build secure software while keeping up with business requirements, organizations needed the right combination of tools and cultural changes to make security a part of software quality—but also to tie DevOps into the wider cybersecurity process in the organization.
Adding security to DevOps needs more than a new acronym
With DevOps in place, smaller teams are expected to deliver results faster and at a lower cost, making automation a necessity, not a luxury. New features can be added to operational production software at any time, potentially many times a day, so development and IT operations can no longer work in isolation. The DevOps approach takes the principles of agile programming and applies them to the entire development and operations pipeline. Instead of a slow progression from initial requirements to a finished product release, the development process uses continuous integration and continuous delivery (CI/CD) pipelines in a continuous and highly automated loop of modification, verification, and release.
Instead of technology silos for each isolated phase, development and operations tools and processes are now tightly integrated and interrelated. If security testing is to operate in this automated workflow, it, too, must leave its silo and integrate deeply into the SDLC so that security flaws are found and remediated without slowing down releases. In other words, bolting security onto DevOps is not DevSecOps.
What makes DevSecOps different from DevOps
While better suited to rapid release cycles than more traditional methodologies, DevOps still does not integrate security into its processes, and security teams continue to work separately from developers. Security vulnerabilities are handled differently from other issues, and development teams often treat them as someone else’s problem, leaving security to the “security people.” Apart from the security implications, this limits the agility of DevOps processes because security issues are discovered and fixed manually, interfering with the automated flow of development and operations.
DevSecOps practices aim to incorporate security throughout the DevOps workflow. DevOps teams need to make some crucial cultural and technical changes to become DevSecOps teams:
- Devs, operations teams, and security teams must work together and take shared responsibility for any security flaws in the project.
- DevOps relies heavily on process automation, so security checks and related tickets must also be automated to maintain efficiency.
- Security issues must be found and collaboratively remediated (by patching or otherwise) as early as possible to avoid delays and rework further downstream.
- Visibility into the DevOps process also needs to incorporate security, including organizational security measures.
Picking DevSecOps tools that work
Effective DevSecOps requires security tools that can be integrated with the software development life cycle for automated web application security testing in a continuous process. While many automated security testing tools can be used, SAST and DAST are the most common choices:
- Static application security testing (SAST): Software security starts with secure code, so static source code analysis tools continue to be used in the development pipeline. While they can pinpoint issues in the code and are a natural fit for automated dev toolchains, static analysis tools are known to deliver a lot of false positives. They are also limited in scope to the available source code, so they cannot test external dependencies or APIs. Being static, they won’t find runtime issues such as misconfigurations, so they are limited to early development phases.
- Dynamic application security testing (DAST): Dynamic analysis tools probe a running application from the outside to provide a wider view of application security. Unlike simpler web application security scanners, modern enterprise-grade DAST tools can be used at multiple stages of the SDLC. When integrated into a CI/CD pipeline, DAST can check for a wide range of vulnerabilities, including some that wouldn’t show up in static testing, like misconfigurations, inadequate security controls, and other runtime issues. Advanced tools can even show which issues are exploitable, greatly speeding up triaging and remediation while minimizing false alarms.
But as important as it is to have the right tools for the job, DevSecOps is about culture as much as it is about technology. Developers, operations staff, and security experts all need to work together with the common goal of delivering functional and secure software on schedule. This includes developers being more aware of security considerations such as secure design and threat modeling but also security staff being familiar with the development process—and the right tech can streamline their work and eliminate friction.
How Invicti supports DevSecOps
Invicti Enterprise is an industry-leading DAST solution designed with scalable automation in mind. When integrated into the software development lifecycle, it helps organizations implement DevSecOps approaches by providing a single vulnerability testing and management platform that covers both development and operations. Issue tracker integrations and best-in-class accuracy enable process automation in existing development workflows. With efficient and accurate testing, you can ensure a secure development lifecycle and seamless collaboration between teams to maximize the benefits of DevSecOps.
The same Invicti DAST can also do double duty for scheduled external vulnerability scanning in a continuous process. Combined with web asset discovery and proactive prioritization with Predictive Risk Scoring, Invicti’s approach to security scanning is as close as you can get to having a real-time view of your application security risk.