What is DevOps?
DevOps is a shorthand term that combines “development” and “operations.” It represents a combination of philosophies, practices, and tools that increase the speed and agility with which organizations can develop and ship applications and services.
Let’s examine RedHat’s model for understanding the core components of DevOps:
Core Components of DevOps
- Agile framework implies shorter development cycles and fewer changes.
- Build-once, run-anywhere development refers to containers that enable devs to code, build, run, and test separately from operational resources.
- Everything-as-code makes your code work as documentation to help future resources unfamiliar with the application or environment.
- Automation of unit testing, code analyses, and image scanning in CI/CD pipelines informs developers of required changes.
- Communication and collaboration bridge the team gap, focusing on lessons learned, encouraging reasonable failure, and setting realistic goals.
Practically speaking, DevOps breaks down the traditional silos between development and operations teams, increasing communication and enhancing the efficiency of these core functions.
DevSecOps vs. DevOps
DevSecOps, short for Development, Security, and Operations, is a security-focused approach that represents an evolution of traditional DevOps. DevSecOps aims to integrate security as a core component of the Software Development Lifecycle (SDLC).
Due to the increased speed at which teams develop and update software under the DevOps model, the security function has become increasingly important. The traditional SDLC follows a slow linear waterfall methodology, with cycles taking months or years. Under that model, security teams would come in towards the end of the process. Today’s rapid, agile development ecosystem requires an integrated approach that partners with security from the beginning and throughout the entire SDLC.
DevSecOps builds on the DevOps framework to include the following requirements:
- Automated security checks as a part of your SDLC
- Homogeneous security controls for repeatable development environments
- Version-controlled CI pipeline
- Processes for implementing organizational or team-wide changes to pipelines and facilitating post-incident security investigations
- Thorough documentation using declarative methods that enable security as code
- A culture that encourages innovation and tolerates the failure that accompanies it
How DevOps Impacts Your Business
Though the ultimate goal of a DevOps model is to accelerate the SDLC, businesses reap additional benefits. The DevOps approach allows for greater agility, helps to maintain stability and reliability, and improves recovery times. Despite these benefits, DevOps practices are not without inherent security risks.
The Continuous Integration (CI) and Continuous Delivery (CD) pipeline is the best way to deliver dynamic updates without downtime or maintenance windows — but it comes with security risks. According to the Verizon 2022 Data Breach Investigations Report (DBIR), 43% of breaches involved web applications.
Furthermore, existing DevOps processes don’t sufficiently monitor changes and ensure appropriate separation of duties (SoD) between developers and operational staff. Separation of duties — designing a workflow so that more than one person is required to complete or sign off on a task — relies on workflow roadblocks to increase security.
In software development, SoD is a fundamental security practice. Ensuring that individual workers or organizations don’t perform multiple tasks in the software development life cycle — like design and development or inspection and approval — is crucial to reducing risk. In addition, proper SoD practices monitor and control software and data changes.
How SoD Reduces Risk
Why is that so valuable? For one thing, promoting lousy code can lead to security vulnerabilities and potential data loss. According to the DHS, roughly 90% of cyber crimes result from vulnerabilities discovered in software code or design. Working to fix these problems in a later stage of development can be difficult and costly, so an approach that bakes in security from the start is a top priority.
Understandably, SoD methodology can be at odds with DevOps, which relies on integration. That’s why most experts agree it’s critical to find a balance between security and availability — particularly in the federal sector, where contractors and subcontractors emphasize security over speed for highly sensitive data.
Moving Beyond DevOps
By design, existing DevOps processes prioritize the opposite: speed over security. This presents problems where compliance standards are crucial. At the same time, organizations must achieve efficiency and seek out new systems while working within a budget. How can they do this without compromising on security?
Balancing Competing Demands
The DevSecOps approach resolves these competing demands through a comprehensive identity solution that extends data access and governance into CI/CD pipelines. Traditionally, CI/CD pipelines automate the software delivery process by iteratively building, testing, and deploying code. In other words, they offer a nonlinear way of developing and managing code.
On their own, CI/CD pipelines can offer convenience and agility, but they can also present security problems. Toxic combinations — such as mismatched permissions combining to allow actions above an intended access level — can spring up and make compliance harder to track.
Integrating CI/CD pipelines with an enterprise-level identity solution offers several benefits. Organizations that take this approach can:
- Identify inappropriate access or toxic access combinations that lead to SoD violations.
- Verify continuous compliance by adding tracking of access requests.
- Create an agile, quick, and secure development environment.
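As an added illustration of the SoD and toxic-combination checks described above (not code from the original article or from any vendor product), the following Python snippet computes each identity's effective roles across direct grants and group membership, flags toxic pairs, and previews whether an access request would create a new violation. The role names, toxic pairs, groups and identities are constructed sample data.

```python
# Added example: minimal separation-of-duties checker for CI/CD role grants.
# All role names, groups and identities below are hypothetical sample data.

# Toxic pairs: one identity holding both roles can complete or sign off on a
# change alone, which is exactly what SoD is meant to prevent.
TOXIC_PAIRS = {
    frozenset({"author-code", "approve-pr"}),     # write and approve own change
    frozenset({"approve-pr", "deploy-prod"}),     # approve and then release
    frozenset({"edit-pipeline", "deploy-prod"}),  # redefine the pipeline and run it
}

# Constructed sample: direct grants, group membership and roles granted to groups.
DIRECT = {
    "alice": {"author-code"},
    "bob": {"author-code"},
    "carol": {"approve-pr"},
    "ci-bot": {"deploy-prod"},
}
MEMBERSHIP = {"alice": ["maintainers"], "ci-bot": ["platform"]}
GROUP_ROLES = {"maintainers": {"approve-pr"}, "platform": {"edit-pipeline"}}


def effective_roles(identity, direct, membership, group_roles):
    """Union of direct grants and grants inherited through group membership."""
    roles = set(direct.get(identity, ()))
    for group in membership.get(identity, ()):
        roles |= set(group_roles.get(group, ()))
    return roles


def find_sod_violations(direct, membership, group_roles, toxic_pairs=TOXIC_PAIRS):
    """Return {identity: [(role_a, role_b), ...]} for every toxic pair held."""
    violations = {}
    for identity in sorted(set(direct) | set(membership)):
        roles = effective_roles(identity, direct, membership, group_roles)
        hits = sorted(tuple(sorted(pair)) for pair in toxic_pairs if pair <= roles)
        if hits:
            violations[identity] = hits
    return violations


def preview_request(identity, requested_role, direct, membership, group_roles,
                    toxic_pairs=TOXIC_PAIRS):
    """Toxic pairs that granting requested_role would create; [] means safe."""
    current = effective_roles(identity, direct, membership, group_roles)
    if requested_role in current:
        return []  # nothing changes, so no new combination can appear
    proposed = current | {requested_role}
    return sorted(tuple(sorted(pair)) for pair in toxic_pairs
                  if requested_role in pair and pair <= proposed)
```

Run against the sample data, `find_sod_violations` flags alice (author and approver via group) and ci-bot (pipeline editor and deployer), and `preview_request` shows that granting carol deploy-prod would create an approve-and-release combination before the request is approved.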