Why Application Security is Moving to the Cloud to Facilitate DevSecOps

Microservices, IaC, and automation in the cloud offer the flexibility, reliability, and efficiency to support rapid development and deployment for DevSecOps.

Application Security in the Cloud

DevSecOps is an approach to application development that emphasizes collaboration between the development, security, and operations teams. Security is introduced early and is continuously monitored throughout the development lifecycle so a secure application can be rapidly released with fewer security-related bottlenecks when it reaches production.

Companies that adopt a DevSecOps approach need tools that can facilitate this shift, which relies heavily on automation and agility. The cloud offers businesses the flexibility and the services they need to support rapid development and deployment.

Microservices

Applications used to be developed as one monolithic entity, built as one complete unit with a presentation layer, a business logic layer, and a database layer, all located on one server. This posed a problem, however, when updates needed to be made, as one change had the potential to impact the entire application, making it difficult to quickly add features or fix vulnerabilities. Microservices pose an alternative to this monolithic method, offering the ability to develop an application in a series of smaller services running independently, connected by APIs to form an application.

Microservices offer the flexibility to scale specific features, add new services, and make changes to one component without needing to change the entire system. Cloud containers have developed as the ideal deployment vector for microservices as they are more efficient to run than virtual machines and can be run on any platform. This is ideal for DevSecOps as it means it is easier for teams to spin up new environments for development and testing without taking up as many server resources as a virtual machine or being limited by a specific OS. It is nearly impossible to adopt a true DevSecOps approach without the ability to deploy microservices in containers and the flexibility and scalability that this provides applications.

Automation

A key tenet of a DevSecOps approach is agility and the ability for continuous integration/continuous deployment and rapid release. Rapid release is not possible if you’re relying too heavily on the human element. Manual processes are an impediment to DevSecOps, which is why the automation that cloud technology provides is crucial.

To start, container management platforms, such as Kubernetes, offer automations that can assist with efficient deployment. Kubernetes will automatically maintain a “desired state,” creating new containers and eliminating containers as needed. If configured properly, it is also “self-healing,” meaning that it will automatically restart failed containers and kill containers that don’t respond to health checks. This automation allows developers to focus on the development of the application and less on the scaling of resources to support the application.
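Whether a Deployment is "configured properly" for self-healing can be checked before it ships. The following is an added example, not code from the original post: a small pre-deploy check over a constructed Deployment manifest (the names `cart-api`, `log-shipper` and the `registry.example` images are hypothetical) that reports missing replicas and health probes.

```python
import json

# Constructed Deployment manifest (JSON form); names and images are hypothetical.
MANIFEST = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "cart-api"},
  "spec": {
    "replicas": 3,
    "template": {"spec": {"containers": [
      {"name": "api", "image": "registry.example/cart-api:1.4.2",
       "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080},
                         "periodSeconds": 10, "failureThreshold": 3},
       "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}},
      {"name": "log-shipper", "image": "registry.example/log-shipper:0.9.0"}
    ]}}
  }
}
""")


def self_healing_gaps(manifest):
    """Return the reasons a Deployment would not self-heal as configured."""
    gaps = []
    spec = manifest.get("spec", {})
    # Desired state: replicas defaults to 1, which leaves no spare during a restart.
    if spec.get("replicas", 1) < 2:
        gaps.append("spec.replicas < 2: no spare replica while a container restarts")
    containers = spec.get("template", {}).get("spec", {}).get("containers", [])
    if not containers:
        gaps.append("no containers defined")
    for c in containers:
        name = c.get("name", "<unnamed>")
        # Without a liveness probe only a crashed process is restarted;
        # a hung one keeps running and is never killed.
        if "livenessProbe" not in c:
            gaps.append(f"{name}: no livenessProbe, a hung container is never restarted")
        # Without a readiness probe traffic is sent before the app can serve it.
        if "readinessProbe" not in c:
            gaps.append(f"{name}: no readinessProbe, traffic arrives before the app is ready")
    return gaps


if __name__ == "__main__":
    for gap in self_healing_gaps(MANIFEST):
        print("GAP:", gap)
```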

Another key feature that the cloud provides is automated tooling that can address security concerns. DevSecOps is all about speed, but that speed cannot be allowed to result in vulnerabilities and misconfigurations that introduce risk to the application. As security shifts left, automated cloud security tools help detect problems earlier in the development lifecycle and act as another line of defense, catching security issues that may be overlooked in the rush to production.

Cloud workload protection platforms are one such class of tool; they detect and perform vulnerability scans on cloud workloads such as containers. These tools can be integrated into the CI/CD pipeline to provide security checks without additional roadblocks. Other tools, such as static application security testing (SAST), analyze the application at the source code level to identify errors as early as possible in the development lifecycle. These, too, can be utilized in the integrated development environment (IDE) and automated so that a build will fail if it does not meet security requirements. Developers are able to see and fix issues as they code, maximizing efficiency.
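A build that fails on unmet security requirements comes down to a gate step that reads the scanner's report and sets the exit code. The following is an added example, not code from the original post; it assumes the SAST tool emits SARIF 2.1.0, and the report, tool name, rule ids and file paths are constructed.

```python
import json

# Constructed SARIF 2.1.0 report; tool name, rule ids and paths are hypothetical.
REPORT = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "example-sast"}},
  "results": [
    {"ruleId": "sql-injection", "level": "error",
     "message": {"text": "Query built from request parameter"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/orders/db.py"},
       "region": {"startLine": 42}}}]},
    {"ruleId": "weak-hash", "level": "warning",
     "message": {"text": "MD5 used for token"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth/token.py"},
       "region": {"startLine": 17}}}]},
    {"ruleId": "debug-logging", "level": "note",
     "message": {"text": "Verbose logging enabled"}}
  ]}]}
""")

SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}

def location(result):
    """Return (file, line) of the first location, tolerating missing fields."""
    phys = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    return (phys.get("artifactLocation", {}).get("uri", "<unknown>"),
            phys.get("region", {}).get("startLine", 0))

def gate(report, fail_at="error", accepted=frozenset()):
    """Return (exit_code, blocking findings) for a CI step."""
    blocking = []
    for run in report.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")  # omitted level is treated as warning
            uri, line = location(res)
            if (res.get("ruleId"), uri) in accepted:  # reviewed, documented exceptions
                continue
            # Unknown levels fail closed: they rank as "error".
            if SEVERITY.get(level, 3) >= SEVERITY[fail_at]:
                blocking.append(f"{level}: {res.get('ruleId')} at {uri}:{line}")
    return (1 if blocking else 0), blocking

if __name__ == "__main__":
    code, findings = gate(REPORT)
    print("\n".join(findings) or "no blocking findings")
    raise SystemExit(code)
```

Keeping the `accepted` set in source control alongside the code means every exception to the gate is reviewed like any other change.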

Infrastructure-as-Code (IaC)

Just as DevSecOps requires flexibility in the creation of new environments, it also requires reliability. Traditional methods of infrastructure provisioning relied on scripts and manual processes, which offered a high potential for inconsistency. This is not ideal for DevSecOps as it can cause bottlenecks in deployment if infrastructure is not provisioned as expected. Infrastructure-as-code is a methodology in which the same standards that apply to application code are applied to infrastructure, meaning that configurations are clearly defined in a repeatable way and are stored in a source control system, just as application code would be.

There are a number of tools that support infrastructure management and provisioning, many of which are platform agnostic and work across hybrid environments, though the major cloud service providers have their own proprietary tools as well. Newer tools take into account the benefits of IaC for DevSecOps and are designed to be developer-first, offering capabilities such as support for any programming language. IaC tools offer the benefit of increased efficiency, which is essential for continuous deployment.

Next Steps

Interested in learning more about cloud security? Download RH-ISAC’s Cloud Security Resource Guide, which provides retail and hospitality cybersecurity professionals with a roadmap for their transition to the cloud. It provides information on selecting the right infrastructure, avoiding misconfigurations, and implementing policies such as zero trust and least privilege.

Members also have access to application security resources through RH-ISAC’s Software Security Working Group, which tackles challenges in the product security, application security, and software security fields. Topics include DevSecOps, cloud security, security champions, security by design, shifting left, and security automation tooling (e.g., DAST, SAST, IAST). Not a member? Learn more about how being a part of the RH-ISAC’s member community can benefit you.
