The rapid emergence of modern software development initiatives, public cloud services, and cloud-native tools such as Kubernetes and containers has accelerated the seminal move towards DevOps practices.
DevOps has come to reflect a culture that champions principles such as increased collaboration, shared responsibility between engineering teams that spans development and operations, removal of operational silos, and autonomous decision-making, all in the spirit of achieving greater speed and consistency. DevOps relies on methodologies that leverage automation, continuous integration and delivery, and treating infrastructure and application components as immutable.
These changes can place strains on existing security programs. DevOps-driven adoption of new technologies and processes may leave security as an afterthought or, in some instances, expose new gaps in security coverage and risk management. Security teams must therefore work toward a familiar set of goals for modern computing environments in ways that align with the approaches that engineering teams favor. This includes avoiding security incidents, breaches, and exposures; establishing security best practices and policies to be implemented on an organization-wide basis; managing resources to minimize operational overhead, alert fatigue, tool sprawl, and manual investigative workflows.
This has given rise to the concept of DevSecOps: the mashup of DevOps practices and security strategies as a means for every organization to increase protection and reduce risk to their modern software environments.
What exactly is DevSecOps?
DevSecOps holds the promise of helping to better align engineering and security teams by addressing the challenges outlined above. At the same time, it is not a panacea either. Rather, organizations should focus on integrating DevSecOps principles into the tools and processes they utilize to build, ship, and secure software, to the extent that this approach serves their needs.
DevSecOps is based on the idea that security is everyone’s responsibility and that collective attention on security across engineering and security teams can lower risk for their entire organization. To successfully achieve DevSecOps as a goal requires an organization to realize it impacts security in three important ways.
First, security controls must be integrated continuously across the entire software lifecycle from the time that application components are built to when they are running. Second, security that is implemented earlier in the lifecycle following a “shift left” approach can have an outsized impact on improving security and minimizing the overall operational overhead required. Third, it must be recognized that development engineers and DevOps end users are security users: they must be expected and empowered to implement and make independent decisions regarding security controls.
When adopted effectively, DevSecOps can enable an organization to secure their software environments with greater speed, at larger scale, and more comprehensively when compared to using traditional security strategies that were not designed to safeguard modern infrastructure and applications.
DevSecOps and Cloud Native Technologies
Cloud-native technologies such as Kubernetes, containers, microservices, and service meshes have become tremendously popular because they provide the building blocks, or “primitives,” necessary for organizations to build, deploy, and run applications more dynamically, reliably, and at greater scale than was previously possible. In particular, Kubernetes, the de facto standard in container orchestration, has seen widespread adoption, with 78% of the Cloud Native Computing Foundation (CNCF) community running it in production today. It allows businesses to unlock cloud environments’ full potential with faster time to market, cost savings, and greater operational flexibility.
However, those benefits also come with associated security demands. Kubernetes exposes organizations to additional risks due to the complexity involved in operating the system itself, which may result in administrator errors; new infrastructure components that are not secured by default; and the need to apply new security controls that were never previously required.
Security and DevOps teams must both consider it their responsibility to address these new challenges together. Security teams need to understand Kubernetes and cloud-native technologies sufficiently to establish relevant guardrails and controls. DevOps teams have to incorporate strong security protections in the workflows and toolchains they use to provision infrastructure and build software applications in Kubernetes environments.
Cloud-native technologies generally share several attributes that are key to fulfilling these aims and therefore present a strategic opportunity to accomplish security in new and better ways. These technologies are based on configuring environments and their resources in a declarative manner, they emphasize treating infrastructure and application components as immutable, they expose user-friendly abstractions, and they are extensible and flexible in how they can be used.
These attributes can importantly be leveraged as part of a DevSecOps approach and make it easier to integrate security both earlier and throughout the entire application lifecycle. Organizations can also take advantage of orchestration, automation, and declarative configuration to achieve highly scalable security and ultimately spend less time on remediating security issues by putting stronger controls in place and identifying security risks earlier before incidents arise.