Turn your DevOps into DevSecOps

DevOps! Great! Push it live, quick and fast! DevOps, which was officially born in 2008 [1], is becoming more and more popular in software development companies. DevOps software tools alone generated an estimated $11.9 billion in worldwide revenue in 2020, a figure expected to keep growing at strong double-digit rates in the years to come [2]. It is clear that DevOps is here to stay, and that it results in more efficient and faster software delivery cycles.

The rise of DevSecOps

Being able to push things live easily also comes at a cost. The easier it is to push new features out, the easier it is to push a vulnerability out with them: code that nobody tested for security reaches production just as fast as everything else. In addition, most companies' DevOps setups lack maturity and do not have the required quality checks and tests in place before going live. These quality and security risks are often neglected until it is too late and a security breach has already happened. As described in spriteCloud's whitepaper 'Dispelling the Illusion of Security', monetary damages caused by cybercrime amounted to $3.5 billion globally in 2019.

In short, security within DevOps is, in most cases, not getting the attention it deserves. This is where DevSecOps comes into play: DevSecOps was introduced to address this lack of focus on security in 'regular' DevOps pipelines.


Start with your DevSecOps implementation

As with DevOps, there are several aspects to take into account when 'upgrading' to DevSecOps. Datadog created an excellent whitepaper about DevSecOps maturity models [3]. It describes four levels of maturity across the different aspects of software development: people and culture play an important role in security, as do the release process and the tools themselves. Getting started with DevSecOps means first identifying at what stage your team is in terms of security awareness. This can range from having no awareness at all, with no tests or checks in place, to having your own ethical hacker within the team working closely with the developers.

Once awareness has been created within the team, it is time to focus on tooling and vulnerability scans and to integrate them into your pipeline. At spriteCloud, we have been designing exactly that with Brazen Sentry, a framework that can be integrated into basically any DevOps pipeline. spriteCloud's DevSecOps group has created a setup that runs tests and scans in parallel, collects the results and creates reports that are visible through an overall dashboard.

Thanks to the flexibility of the setup, we are able to integrate many state-of-the-art and popular security test tools and scanners such as Burp, OWASP ZAP and Nessus. These dynamic scanners test a running application or host, so they need a deployed environment to point at. Depending on the development pipeline and whether access to the source code is available, spriteCloud can also set up and integrate security and quality tests at the code level, such as SonarQube.

Beyond awareness and security tests

Obviously, scans and tests alone will not make your software more secure. Scanners report every finding, including false positives and risks the business has knowingly accepted, so a security expert needs to be part of the process to review and assess the reports on a regular basis and give feedback on the real risks that were detected, so that they can be acted upon. As part of the scanning setup, spriteCloud can also have certified professionals analyse the results and provide recommendations and feedback on a regular basis.
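The collection-and-gating step described in the two preceding sections, as an added example that is not part of the original post and not spriteCloud's Brazen Sentry code: the script normalises findings from an OWASP ZAP report and a SonarQube issues export onto one severity scale, produces per-tool counts for a dashboard, and fails the pipeline on anything at or above a threshold unless a reviewer has explicitly accepted that (tool, rule) pair, which is how the expert review becomes part of the pipeline instead of a separate e-mail. The function names, the `accepted` waiver list and the two sample reports are my own; the sample data is constructed to resemble the tools' JSON shapes and is not real scan output.

```python
"""Merge findings from several scanners onto one severity scale and gate a
pipeline run on them. Added example, not spriteCloud's Brazen Sentry code.
ZAP_REPORT and SONAR_ISSUES below are constructed sample data shaped like an
OWASP ZAP JSON report and a SonarQube /api/issues/search response; they are
not real scan output and their rule identifiers are only illustrative."""
from collections import Counter
from dataclasses import dataclass

# One scale for every tool, so a ZAP "High" and a SonarQube "CRITICAL" can be
# compared by the same gate.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ZAP_RISKCODE = {"0": "info", "1": "low", "2": "medium", "3": "high"}  # ZAP riskcode strings
SONAR_SEVERITY = {"INFO": "info", "MINOR": "low", "MAJOR": "medium",
                  "CRITICAL": "high", "BLOCKER": "critical"}

@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that produced it
    rule: str       # ZAP plugin id or SonarQube rule key
    title: str
    severity: str   # key of SEVERITY_RANK
    location: str   # URL for DAST findings, file:line for SAST findings

def parse_zap(report: dict) -> list:
    """Flatten a ZAP JSON report into one Finding per alert instance."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            sev = ZAP_RISKCODE.get(str(alert.get("riskcode", "0")), "info")
            for inst in alert.get("instances") or [{"uri": site.get("@name", "")}]:
                loc = f'{inst.get("method", "")} {inst.get("uri", "")}'.strip()
                out.append(Finding("zap", str(alert.get("pluginid", "")),
                                   alert.get("alert", ""), sev, loc))
    return out

def parse_sonar(response: dict) -> list:
    """Keep only SonarQube VULNERABILITY issues; bugs and code smells belong
    to the quality gate, not the security gate."""
    out = []
    for issue in response.get("issues", []):
        if issue.get("type") != "VULNERABILITY":
            continue
        sev = SONAR_SEVERITY.get(issue.get("severity", ""), "info")
        out.append(Finding("sonarqube", issue.get("rule", ""), issue.get("message", ""),
                           sev, f'{issue.get("component", "")}:{issue.get("line", "?")}'))
    return out

def gate(findings, threshold="high", accepted=frozenset()):
    """Return (passed, blocking, waived). Findings below `threshold` are ignored;
    those whose (tool, rule) a reviewer signed off on in `accepted` are recorded
    as waived rather than silently dropped, so the waiver shows up in reports."""
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue
        (waived if (f.tool, f.rule) in accepted else blocking).append(f)
    return (not blocking, blocking, waived)

def summarize(findings) -> dict:
    """Per-tool, per-severity counts for a dashboard."""
    out = {}
    for (tool, sev), n in Counter((f.tool, f.severity) for f in findings).items():
        out.setdefault(tool, {})[sev] = n
    return out

# Constructed sample reports (see module docstring); not real scan results.
ZAP_REPORT = {"site": [{"@name": "https://staging.example.test", "alerts": [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "instances": [
        {"uri": "https://staging.example.test/search?q=1", "method": "GET"},
        {"uri": "https://staging.example.test/login", "method": "POST"}]},
    {"pluginid": "10020", "alert": "X-Frame-Options Header Not Set", "riskcode": "2",
     "instances": [{"uri": "https://staging.example.test/", "method": "GET"}]},
    {"pluginid": "10096", "alert": "Timestamp Disclosure", "riskcode": "0",
     "instances": [{"uri": "https://staging.example.test/app.js", "method": "GET"}]}]}]}
SONAR_ISSUES = {"issues": [
    {"rule": "java:S2068", "severity": "BLOCKER", "type": "VULNERABILITY", "line": 42,
     "component": "shop:src/main/java/Db.java", "message": "Remove this hard-coded password."},
    {"rule": "java:S2076", "severity": "CRITICAL", "type": "VULNERABILITY", "line": 88,
     "component": "shop:src/main/java/Export.java", "message": "Make sure this OS command is safe."},
    {"rule": "java:S1135", "severity": "INFO", "type": "CODE_SMELL", "line": 7,
     "component": "shop:src/main/java/Util.java", "message": "Complete this TODO."}]}

def run_gate(threshold="medium", accepted=frozenset()) -> dict:
    """What the pipeline step does: collect, merge, summarize, decide."""
    findings = parse_zap(ZAP_REPORT) + parse_sonar(SONAR_ISSUES)
    passed, blocking, waived = gate(findings, threshold, accepted)
    return {"passed": passed, "total": len(findings), "blocking": len(blocking),
            "waived": len(waived), "summary": summarize(findings)}

if __name__ == "__main__":
    # A reviewer has accepted the missing X-Frame-Options header for this app;
    # the SQL injection and the hard-coded password still block the release.
    result = run_gate("medium", accepted={("zap", "10020")})
    print(result)
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit fails the CI job
```

In a real pipeline the scanner jobs run in parallel and write their reports as build artifacts; the gate job loads those files with `json.load` in place of the inline dicts, and the accepted-risk list lives in version control next to the pipeline definition, so every waiver is reviewed and approved the same way as a code change.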

All in all, moving from DevOps to DevSecOps requires awareness of security risks, the implementation of security scans and tests, and a process to act upon the findings. Once you have a true DevSecOps setup, you are better shielded against security threats and run less risk of hurting your bottom line, or even losing your business, because of a security breach.

spriteCloud is happy to guide you and help you integrate the Sec into your DevOps pipelines and processes. spriteCloud has been in the business of testing and quality for more than 12 years, so we understand the importance of identifying quality and security risks better than anyone.

References

[1] https://www.appknox.com/blog/history-of-devops#

[2] https://www.idc.com/getdoc.jsp?containerId=US48052021#

[3] https://www.datadoghq.com/resources/devsecops-maturity-model/
