DevSecOps, short for Development, Security, and Operations, is a security-focused approach to rapid software development that represents an evolution of the philosophies, practices, and tools of traditional DevOps. DevSecOps aims to integrate security as a core component of the Software Development Lifecycle (SDLC).
The need for DevSecOps arose from the increased speed at which teams develop and update software. Traditional software development follows a linear waterfall methodology that is slow by today’s standards, with cycles taking months or years. Under that model, security teams came in towards the end of the process, after design and implementation decisions were already fixed. Today’s rapid, agile development ecosystem requires an integrated approach that partners with security from the beginning and throughout the entire lifecycle.
DevOps and DevSecOps are often overused and misunderstood buzzwords, so the terms need some demystification. Red Hat’s model of the core components of DevOps shows where DevSecOps fits in:
DevSecOps builds on the framework mentioned above to include the following requirements:
The ultimate goal of a DevOps model is to accelerate the systems development lifecycle. A continuous integration (CI) and continuous delivery (CD) pipeline is the standard way to ship frequent updates without downtime or maintenance windows, but the same automation carries security risk. According to the Verizon 2022 Data Breach Investigations Report (DBIR), 43% of breaches involved web applications.
Furthermore, existing DevOps processes often fail to monitor changes adequately or to enforce segregation of duties (SoD) between developers and operations staff. Segregation of duties, designing a workflow so that more than one person is required to complete or sign off on a task, relies on deliberate checkpoints so that no single actor can both introduce and release a harmful change.
In software development, SoD takes a particular shape. Ensuring that no single person or team performs tasks in the software development life cycle that are meant to check each other, such as design and development, or inspection and approval, is crucial to reducing risk. Proper SoD practices also monitor and control changes to software and data.
Why does that matter? Promoting flawed code to production can introduce security vulnerabilities and lead to data loss. According to the DHS, roughly 90% of security incidents result from exploits against defects in software design or code. Fixing those defects late in development is difficult and costly, which is why an approach that builds security in from the start is so valuable.
Understandably, SoD can be at odds with DevOps, which relies on integration and automation. That is why most experts agree it is critical to find a balance between security and delivery speed, even in the federal sector, where the emphasis leans more towards security than speed. This emphasis is understandable: federal contractors and subcontractors often handle highly sensitive data, so security is critical.
By design, existing DevOps processes prioritize speed over security, which creates problems, particularly where compliance standards apply. At the same time, organizations must achieve efficiency and adopt new systems within a fixed budget. How can they do so without compromising the security measures mandated by regulation?
The DevSecOps approach resolves these competing demands. It does so through a comprehensive identity solution that extends data access governance into continuous integration and continuous delivery (CI/CD) pipelines. CI/CD pipelines automate the software delivery process by iteratively building, testing, and deploying code; every change runs through the same automated stages rather than a single linear pass.
On their own, CI/CD pipelines offer convenience and agility, but they can also introduce security problems. Toxic combinations, in which individually reasonable permissions combine to allow actions beyond the intended access level (for example, one identity that can both commit code and approve its own deployment), can spring up, and compliance becomes harder to track.
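The segregation-of-duties rules above and the toxic-combination problem are both checkable as policy-as-code. The following is an added example, not Saviynt’s code or any product’s API; the permission names (repo:write, pr:approve, pipeline:edit, deploy:approve, deploy:run), the identities and the change records are constructed for illustration. It flags identities whose entitlements form a toxic pair and changes where one person held two lifecycle stages that should check each other.

```python
from dataclasses import dataclass

# Permission pairs that, held by one identity, let that identity move a change
# to production with no second person involved. Names are assumptions for this
# example, not any product's vocabulary.
TOXIC_PAIRS = {
    frozenset({"repo:write", "pr:approve"}),         # writes code and approves it
    frozenset({"pipeline:edit", "deploy:approve"}),  # edits the pipeline and signs off deploys
    frozenset({"deploy:approve", "deploy:run"}),     # approves and executes the same deploy
}


@dataclass
class Identity:
    name: str
    permissions: frozenset


@dataclass
class ChangeRecord:
    """Who performed each stage for one change (constructed audit data)."""
    change_id: str
    author: str
    approvers: frozenset
    deploy_approved_by: str
    deployed_by: str


def toxic_combinations(identity):
    """Every toxic pair fully contained in the identity's permissions."""
    return sorted((pair for pair in TOXIC_PAIRS if pair <= identity.permissions),
                  key=sorted)


def sod_violations(change):
    """Segregation-of-duties rules for one change: code review, deployment
    approval and deployment execution must each involve a different person
    than the stage they are meant to check."""
    findings = []
    if change.author in change.approvers:
        findings.append(f"{change.change_id}: {change.author} approved their own code")
    if not (change.approvers - {change.author}):
        findings.append(f"{change.change_id}: no reviewer other than the author")
    if change.deploy_approved_by == change.author:
        findings.append(f"{change.change_id}: author {change.author} approved the production deploy")
    if change.deploy_approved_by == change.deployed_by:
        findings.append(f"{change.change_id}: {change.deployed_by} approved and ran the deploy")
    return findings


def audit(identities, changes):
    """One report: entitlement findings per identity, then per-change SoD findings."""
    report = []
    for ident in identities:
        for pair in toxic_combinations(ident):
            report.append(f"{ident.name}: toxic combination {' + '.join(sorted(pair))}")
    for change in changes:
        report.extend(sod_violations(change))
    return report


# Constructed sample data: alice holds a toxic pair; CHG-2 is a one-person change.
IDENTITIES = [
    Identity("alice", frozenset({"repo:write", "pr:approve"})),
    Identity("bob", frozenset({"repo:write"})),
    Identity("carol", frozenset({"pr:approve", "deploy:approve"})),
    Identity("dave", frozenset({"deploy:run"})),
]
CHANGES = [
    ChangeRecord("CHG-1", "bob", frozenset({"carol"}), "carol", "dave"),
    ChangeRecord("CHG-2", "alice", frozenset({"alice"}), "alice", "alice"),
]

if __name__ == "__main__":
    for line in audit(IDENTITIES, CHANGES):
        print(line)
```

In a real pipeline the entitlement check runs against the identity provider’s role assignments on a schedule, and the per-change check runs as a gate before the production deploy step, with the change record assembled from the source-control and deployment systems’ audit logs.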
Integrating CI/CD pipelines with an enterprise-level identity solution offers several benefits. Organizations that take this approach can:
Saviynt’s flexible self-service provides a frictionless access request process. Each request is analyzed against out-of-the-box control sets to give in-depth visibility of access risk, informing approval decisions. Our Cloud PAM applies the same intelligent access request capability to privileged access management, automating access for low-risk requests while escalating anomalous ones to approvers for evaluation.
Saviynt creates temporary identities and scoped privilege elevation so that the power of the CI/CD pipeline is available only when needed. Our browser-based console access builds a Zero Standing Privilege foundation, which reduces the risks associated with keys or credentials that are lost, compromised, or forgotten, and limits the impact if an identity is compromised.