Understanding DevSecOps and Its Challenges

It is fascinating to see how far the world of software development and CI/CD automation has progressed in such a short period. It shows no sign of slowing down, either. Thanks to a constant need to address security during infrastructure creation, development, and delivery, there is a definite shift in methodology to handle those and other challenges. Enter the new world of DevSecOps.

The Shift-Left Approach

The DevOps movement has progressed to being less of a siloed team and more of a methodology.  A major portion of what DevOps does revolves around infrastructure and the software delivery process. It only makes sense to find opportunities to automate security and policy enforcement processes. By putting the onus on everybody to be aware of security, DevSecOps promises to help teams “shift-left” to resolve security issues earlier in the application deployment process.

This shift-left approach is achieved by enabling developers to implement proactive scanning during their local workflow in addition to automated scans within build and delivery pipelines. This method is meant to prevent vulnerable code from ever reaching production. In some cases, this approach can even guard against allowing commits to be pushed to the codebase itself. Injecting the security aspect into an already mature DevOps culture is a matter of identifying areas where security should be put at the forefront.

Where a DevSecOps Approach Shows Real Value

Here are some examples of opportunities where a DevSecOps approach shows real value:

●  The decision making process. Since DevSecOps is a methodology and not just automation, everyone involved should keep security in mind. This includes stakeholders having direction that may significantly affect the application. Ensuring everyone has the same mindset towards the security aspect of DevSecOps will help prevent introducing more vulnerabilities or failing to properly implement the recommended best-practices required for various industry certifications.

●  Initial Design and Architecture. Today’s cloud and hybrid cloud environments have allowed much more freedom to developers when standing up new infrastructure. Using a combination of templates in conjunction with proper orchestration allows that freedom while still ensuring security is implemented as outlined by policy. This consistent method of resource creation helps drive a standardized and controlled development workflow that keeps security in mind from the ground up.

●  At the Developer level. By using best practice guidelines and keeping with policy, developers are the first line of defense to prevent possible security policy violations. Besides keeping up with the latest trends and data security standards, developers can implement tools that also assist in scanning for some of the more commonly known security vulnerabilities. For example, pre-commit hooks in Git provide a means to ensure code is scanned prior to being submitted to the codebase.

●  During the CI/CD process. Either through a built-in mechanism, or by using third-party integrations, teams can use their current cloud security and devops automation to implement scanning within the pipeline. Consider the OWASP Top Ten. These 10 items are “globally recognized by developers as the first step towards more secure coding.” Using this baseline, methods are available to address each item by using tooling that can be implemented in an existing CI/CD pipeline.

One challenge to consider is that there is no “one size fits all” approach when it comes to toolsets meant to help implement DevSecOps. Some choose to work in an environment with many tools while others pick a more all-in-one approach. In both cases, moving to the DevSecOps mindset allows the entire team to take responsibility for making sure security is included in their piece of the development process.

How Cloudify Helps Establish a DevSecOps Culture

The ability to consistently spin up resources that duplicate a production environment is a critical feature needed for a solid DevSecOps CI/CD implementation. This can be extremely challenging. Thanks to the approach of Cloudify that uses blueprints with an intuitive interface, development environments can be instantiated that duplicate the entire application landscape. From storage to compute, all items are created and in such a state that they can be migrated from on-prem to cloud, and even from one cloud provider to another.

This is a great example of another movement in the development world, Infrastructure as Code (IaC). Products like Ansible, Terraform, and SaltStack are used in situations that require complex and consistent infrastructure creation and configuration. Oftentimes, these products utilize a scripted approach that takes one or more input files. For that reason, it makes these tools extremely compatible for automation. For those familiar with Chef, this would be the “cookbooks” created to define the environment.

In most cases, using just one of these tools in your enterprise’s environment will have an important impact in establishing a DevSecOps culture. In addition to simplifying aspects of software development like branching and code reviews, these tools are prime candidates for additional orchestration via Cloudify’s open source lifecycle management.

Strategic Cost Control

All this additional scrutiny on security comes with additional responsibility to act on findings. Some teams are stuck in a cycle of having to prioritize new features over handling technical debt. This type of debt, while not directly financial in nature, can eventually cause loss in other ways. Now more than ever, focusing on items surrounding security and policy should be prioritized above new features or cosmetic issues.

Making It All Work Together

It is true that any little bit helps. What Cloudify offers is a comprehensive solution to support DevSecOps methodology.  – Cloudify provides End to End orchestration that takes into account what you have already worked hard to put in place. By using service definitions, even the most complex solutions have the ability to be automated in a way that accepts today’s major tool sets as well as having the ability to be executed on-prem and on multiple cloud providers.

Simplifying is key to providing a path to automation that makes sense to more than just any one team. Cloudify’s offerings promise to do just that by bringing all the pieces together. From design, creation, deployment and beyond, using Cloudify to orchestrate the critical aspects will help any team establish a DevSecOps mindset.