Pillars of DevSecOps security

The Principles and Security Pillars of DevSecOps

  • 6 min read
  • October 7th, 2023

This blog post discusses the principles and security pillars of DevSecOps, an extension of DevOps that integrates security into the entire development process. The post covers the three ways of DevOps, the three-layer approach of DevSecOps, and why DevSecOps is becoming increasingly important. It also discusses how to apply DevSecOps and what it is and isn't. DevSecOps aims to identify security risks early in development and address them before they become bigger issues, ultimately making software development more secure and reliable.

Watch the webinar The principles and security Pillars of DevOps

This blog is based on the webinar The principles and security Pillars of DevOps. You can rewatch the whole webinar here:

RELATED COURSE
Understanding DevSecOps

This course teaches you how security fits into the principles of DevOps. Learn the fundamentals of DevSecOps and adopt a DevSecOps mindset.

Start course

Table of Contents

In this blog, we will teach you the following:

  • What is DevOps?
  • What is DevSecOps?
  • Why is DevSecOps important?
  • The Three Ways of DevOps
  • Applying DevSecOps
  • What DevSecOps Isn't
  • Conclusion

What is DevOps?

DevOps is a cultural movement that began with the Agile Manifesto in 2001. The manifesto prioritised satisfying the customer through early and continuous delivery. DevOps emphasizes communication, collaboration, and integration between software developers and IT operations. DevOps aims to enable organizations to deliver software more quickly and reliably. By doing so, DevOps aims to help organizations meet the ever-increasing demand for software delivery, reduce time to market, and improve software quality. DevOps is not just a set of tools or practices but a way of thinking about software development. It involves breaking down silos between teams and creating a culture of collaboration, experimentation, and learning. DevOps is about delivering value to the customer by delivering high-quality software quickly and reliably, and it is a critical component of modern software development.

What is DevSecOps?

DevSecOps is a crucial extension of DevOps that prioritizes security by integrating it into the entire DevOps lifecycle. Instead of adding security as a separate step at the end of the development process, DevSecOps aims to build security into the development process itself. This way of thinking about security involves everyone in the organization, including developers, security teams, and operations teams. By emphasizing security throughout the development process, DevSecOps makes software development more secure and reliable.

DevSecOps is not just about automation or cloud adoption alone but also about software development that involves breaking down silos between teams and creating a culture of collaboration, experimentation, and learning. DevSecOps is a three-layer approach that starts with security education, addresses the quality of what is being delivered and finally, automation. DevSecOps aims to identify security risks early in the development process and address them before they become bigger issues. By doing so, DevSecOps makes software development more secure, reliable, and high quality.

Why is DevSecOps important?

DevSecOps is becoming increasingly important due to the growing number of security breaches. It aims to address this issue by integrating security into the entire DevOps lifecycle. By building security into the development process, organizations can identify security risks early on and address them before they become bigger issues. This approach makes software development more secure and reliable, ultimately improving the quality of the delivered software. DevSecOps is not just about automation or cloud adoption alone but also about software development that involves breaking down silos between teams and creating a culture of collaboration, experimentation, and learning. It is a three-layer approach that starts with security education, improving the quality of what is being delivered, and automation. By emphasizing security throughout the development process, DevSecOps makes software development more secure, reliable, and of higher quality.

The Three Ways of DevOps

In the book "The DevOps Handbook," Jin Kim and his colleagues describe the three ways of working that form the DevOps foundation and apply to DevSecOps. These ways are as follows:

  • Think of the system as a whole: This involves understanding the entire system and how each part of it contributes to the organisation's overall goals. This way of thinking leads to a holistic approach to software development that prioritizes the customer and the value delivered to them.
  • Amplify feedback loops: Feedback loops are critical to DevOps and DevSecOps. Organizations must seek constant feedback to identify areas for improvement and ensure that software development is meeting the customer's needs. Amplifying feedback loops involves making feedback faster and more frequent, which leads to faster identification and resolution of issues.
  • Create a culture of continual experimentation and learning: DevOps and DevSecOps require a culture of experimentation and learning. Organizations must embrace failure as a necessary part of learning and be willing to take risks to improve software development. This culture of experimentation and learning leads to continuous improvement and the delivery of higher-quality software.

In summary, the three ways of working that form the foundation of DevOps and DevSecOps are thinking of the system as a whole, amplifying feedback loops, and creating a culture of continual experimentation and learning. These ways of working prioritize the customer and value delivery, seek constant feedback, and embrace experimentation and learning to improve software development continuously.

Applying DevSecOps

DevSecOps is a three-layer approach that starts with security education. Knowledge is everything; understanding security risks is critical to building secure software. The second layer is about addressing the quality of what is being delivered. Improving the quality of software delivery improves security as well. The third layer of DevSecOps involves security automation, which entails breaking down security barriers and automating the interface between software development and security teams.

What DevSecOps Isn't

DevSecOps is not solely about automation or cloud adoption. Focusing exclusively on these aspects is insufficient for a successful DevSecOps practice. DevSecOps is not a job title but a function that everyone within the organization must fulfil. By building security into the entire DevOps lifecycle, DevSecOps involves all organisation members, including developers, security teams, and operations teams. This approach makes software development more secure and reliable.

Conclusion

In conclusion, DevSecOps is an extension of DevOps that focuses on integrating security into the entire DevOps lifecycle. DevSecOps aims to build security into the development process instead of adding it as a separate step at the end of the process. DevSecOps is a way of thinking about security that involves everyone in the organization, including developers, security teams, and operations teams. DevSecOps makes software development more secure and reliable by building security into the development process.

DevSecOps is a three-layer approach that includes:

  • Security education as the first layer
  • Addressing the quality of what is being delivered as the second layer
  • Security automation as the third layer

Continue reading