What is SecDevOps and Why Is It So Important?

What is SecDevOps?

  • Security as Code (SaC) — This is when you build security into the tools and practices of the DevOps pipeline. Applications are automatically scanned by static application security testing (SAST) and dynamic application security testing (DAST) tools as they are built. The priority is on automation rather than on manual processes (although manual review is still needed for security-critical areas of the application). Security as Code is an essential part of DevOps tool chains and workflows, and these tools and their automation must fit within the Continuous Delivery framework.
  • Infrastructure as Code (IaC) — This refers to the set of DevOps tools used for setting up and updating infrastructure components to ensure a hardened and controlled deployment environment. This often includes the use of tools like Puppet, Ansible, and Chef. Rather than making manual configuration changes or adjustments with one-off scripts, IaC applies the same code development rules to the operations infrastructure. As such, when a server develops a problem, you redeploy a configuration-controlled server rather than trying to patch and update the deployed server in place.

How Does SecDevOps Work?

  1. A developer creates code within the system.
  2. They commit their changes to the system.
  3. Another developer retrieves the code from the system for analysis. This step involves static analysis of the code to identify security defects or bugs.
  4. IaC tools like Puppet, Chef, and Ansible create an environment that allows deployment of the application and apply security configurations to the system.
  5. A test automation suite is executed against the newly deployed application, encompassing backend, integration, API, security, and UI tests.
  6. Automated dynamic testing of the deployed application is performed in a test environment.
  7. The application is deployed to a production environment after passing these tests.
  8. The production environment is continuously monitored for any active security threats.
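The automated gate that the Security as Code section and the static/dynamic testing steps above imply, as an added example that is not from the original article: it reads a scanner's SARIF 2.1.0 report (the interchange format most SAST and DAST tools can emit), counts findings by severity, and fails the pipeline stage when a constructed policy is exceeded. The policy values, the `example-sast` tool name and the sample findings are assumptions made up for this example.

```python
"""Security-as-Code quality gate: fail a pipeline stage when SAST/DAST
findings exceed a policy threshold.  Reads SARIF 2.1.0 output; the policy
and the sample report below are constructed for this example."""
import json
from collections import Counter

# Constructed policy: any 'error' blocks the build, more than two
# 'warning' findings block it too, 'note' findings are informational.
POLICY = {"error": 0, "warning": 2}

# Constructed SARIF report standing in for a real scanner's output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "query built from request parameter"}},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"}},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"}},
        ],
    }],
})


def count_findings(sarif_text: str) -> Counter:
    """Return a Counter of findings keyed by SARIF level across all runs."""
    report = json.loads(sarif_text)
    counts = Counter()
    for run in report.get("runs", []):
        for result in run.get("results", []):
            # 'level' may be omitted; treat it as 'warning', the SARIF
            # default for a failing result, so it is never silently ignored.
            counts[result.get("level", "warning")] += 1
    return counts


def evaluate_gate(sarif_text: str, policy=POLICY):
    """Return (passed, violations) for the report against the policy.
    Levels absent from the policy (e.g. 'note') never block the build."""
    counts = count_findings(sarif_text)
    violations = [f"{lvl}: {counts[lvl]} > allowed {limit}"
                  for lvl, limit in policy.items() if counts[lvl] > limit]
    return (not violations), violations


if __name__ == "__main__":
    passed, problems = evaluate_gate(SAMPLE_SARIF)
    print("GATE PASSED" if passed else "GATE FAILED: " + "; ".join(problems))
    raise SystemExit(0 if passed else 1)  # non-zero exit stops the stage
```

Run it as a step after the scanner in the pipeline; the non-zero exit code is what stops the deployment from proceeding.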

Effective Approaches Towards SecDevOps

Begin With Secure Development and Training

Embrace The Idea of People-Centric Security

Use Effective Version Control Tools and Practices

Empower Your Team By Automating Regular Functionalities

The Benefits of SecDevOps

  1. Greater speed and agility for security teams
  2. An ability to rapidly respond to changes and needs
  3. Better collaboration and communication among teams
  4. More opportunities for automated builds as well as quality and security testing
  5. Early identification of vulnerabilities in code
  6. Automation to free up team member assets to work on high-value tasks

Final Thoughts
