DevOps is a shorthand term that combines “development” and “operations.” It represents a combination of philosophies, practices, and tools that increase the speed and agility with which organizations can develop and ship applications and services.
Let’s examine Red Hat’s model for understanding the core components of DevOps:
Practically speaking, DevOps breaks down the traditional silos between development and operations teams, increasing communication and enhancing the efficiency between these core functions.
DevSecOps, short for Development, Security, and Operations, is a security-focused approach that represents an evolution of traditional DevOps. DevSecOps aims to integrate security as a core component of the Software Development Lifecycle (SDLC).
Due to the increased speed at which teams develop and update software under the DevOps model, the security function has become increasingly important. The traditional SDLC follows a slow linear waterfall methodology, with cycles taking months or years. Under that model, security teams would come in towards the end of the process. Today’s rapid, agile development ecosystem requires an integrated approach that partners with security from the beginning and throughout the entire SDLC.
DevSecOps builds on the DevOps framework to include the following requirements:
Though the ultimate goal of a DevOps model is to accelerate the SDLC, businesses reap additional benefits. The DevOps approach allows for greater agility, helps to maintain stability and reliability, and improves recovery times. Despite these benefits, DevOps is not without inherent security risks.
The Continuous Integration (CI) and Continuous Delivery (CD) pipeline is the best way to deliver dynamic updates without downtime or maintenance windows — but it comes with security risks. According to the Verizon 2022 Data Breach Investigations Report (DBIR), 43% of breaches involved web applications.
Furthermore, existing DevOps processes don’t sufficiently monitor changes and ensure appropriate separation of duties (SoD) between developers and operational staff. Separation of duties — designing a workflow so that more than one person is required to complete or sign off on a task — relies on workflow roadblocks to increase security.
In software development, SoD is a fundamental security practice. Ensuring that individual workers or organizations don’t perform multiple tasks in the software development life cycle — like design and development or inspection and approval — is crucial to reducing risk. In addition, proper SoD practices monitor and control software and data changes.
Why is that so valuable? For one thing, promoting lousy code can lead to security vulnerabilities and potential data loss. According to the DHS, roughly 90% of cyber crimes result from vulnerabilities discovered in software code or design. Working to fix these problems in a later stage of development can be difficult and costly, so an approach that bakes in security from the start is a top priority.
Understandably, SoD methodology can be at odds with DevOps, which relies on integration. That’s why most experts agree it’s critical to find a balance between security and availability — particularly in the federal sector, where contractors and subcontractors emphasize security over speed for highly sensitive data.
By design, existing DevOps processes prioritize the opposite: speed over security. This presents problems where compliance standards are crucial. At the same time, organizations must achieve efficiency and seek out new systems while working within a budget. How can they do this without compromising on security?
The DevSecOps approach resolves these competing demands through a comprehensive identity solution that extends data access and governance into CI/CD pipelines. Traditionally, CI/CD pipelines automate the software delivery process by iteratively building, testing, and deploying code. In other words, they offer a nonlinear way of developing and managing code.
On their own, CI/CD pipelines can offer convenience and agility, but they can also present security problems. Toxic combinations — such as mismatched permissions combining to allow actions above an intended access level — can spring up and make compliance harder to track.
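The separation-of-duties and toxic-combination checks described above can be run as an audit over pipeline role assignments and change records. The following is an added example, not code from the original article or from any vendor product; the permission names, roles, identities, and change records are all constructed for illustration, and the forbidden pairs are an assumed policy.

```python
# Added example: constructed data and hypothetical permission names.

# Permission pairs one identity must never hold together (assumed policy).
TOXIC_PAIRS = {
    frozenset({"code:write", "change:approve"}),
    frozenset({"change:approve", "prod:deploy"}),
    frozenset({"code:write", "prod:deploy"}),
}

# Constructed role definitions and assignments for a CI/CD pipeline.
ROLES = {
    "developer": {"code:write", "build:run"},
    "reviewer": {"code:read", "change:approve"},
    "release-manager": {"prod:deploy"},
    "build-admin": {"build:run", "prod:deploy"},
}
ASSIGNMENTS = {
    "alice": ["developer"],
    "bob": ["reviewer"],
    "carol": ["developer", "build-admin"],  # each role is harmless alone
    "svc-pipeline": ["release-manager"],
}

# Constructed change records: who wrote and who approved each change.
CHANGES = [
    {"id": "chg-1", "author": "alice", "approvers": ["bob"]},
    {"id": "chg-2", "author": "carol", "approvers": ["carol"]},
    {"id": "chg-3", "author": "alice", "approvers": []},
]

def effective_permissions(identity):
    """Union of the permissions granted by every role the identity holds."""
    perms = set()
    for role in ASSIGNMENTS.get(identity, []):
        perms |= ROLES.get(role, set())
    return perms

def toxic_combinations(identity):
    """Return the forbidden permission pairs the identity holds in full."""
    perms = effective_permissions(identity)
    return sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= perms)

def sod_violations(changes):
    """Flag changes that have no approver other than the author."""
    return [c["id"] for c in changes
            if not (set(c["approvers"]) - {c["author"]})]

if __name__ == "__main__":
    for who in ASSIGNMENTS:
        print(who, toxic_combinations(who))
    print("self-approved or unapproved:", sod_violations(CHANGES))
```

The check works on effective permissions rather than role names, which is what surfaces `carol`: neither of her roles is risky alone, but together they let one identity both write code and deploy it to production.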
Integrating CI/CD pipelines with an enterprise-level identity solution offers several benefits. Organizations that take this approach can:
Saviynt’s flexible self-service guarantees a frictionless access request process. All requests are analyzed against out-of-the-box control sets to provide in-depth visibility of access risk and inform approval decisions. Our Cloud PAM applies our intelligent access request capability to privileged access management, automating access for low-risk requests while escalating anomalous ones for evaluation by approvers.
Saviynt creates temporary identities and scoped privilege elevation to command the power of the CI/CD pipeline when needed. Our browser-based console access capability builds a Zero Standing Privilege foundation which reduces risks often associated with keys or credentials that were lost, compromised, or forgotten — and ensures compliance if an identity is compromised.