You’re probably reading this because you’ve never heard of the cryptic term DevSecOps, or you’ve heard of it but don't know what it means. Don’t worry, it’s not as complex as you may believe, and we’re here to help you grasp the concept. The term refers to “Development-Security-Operations”, a philosophy aimed at automating the software development cycle while integrating security throughout the process.
Watch our YouTube video with Glenn Wilson: DevSecOps: Security & Efficiency with Glenn Wilson | Expert Insights & Real Examples
This blog is based on the YouTube video and our course Understanding DevSecOps. You can watch the whole CyberSec chat here:
This course teaches you how security fits into the principles of DevOps. In the hands-on lab, you will implement the DevSecOps principles into your automated Static Application Security Testing (SAST) process.
Table of Contents
In this blog, you will learn the following:
- What is DevOps, and why was it created?
- Integrating Security into DevOps
- Implementing DevSecOps
- Related course
What is DevOps, and why was it created?
The Waterfall Delivery Process
Previously, software engineering teams were structured similarly to Henry Ford's standardisation technique on the production line. Each employee specialised in one task and passed the project down to the next specialist, repeatedly, every day. This "Waterfall Delivery Process" formed an efficient means of churning out software, but it came with drawbacks: the process was rigid, inflexible to change, delivered value very late in the cycle, and crippled innovation.
Today, teams are no longer built around projects. Instead, teams are built around products and last the duration of the product life cycle, from idea to sunset. This is where the concept of DevOps comes in. DevOps is more than just a change in practice; it's a shift in an organisation's philosophy. It requires change within team structures, software development, and funding. DevOps strives to deliver exceptional customer value with the product rather than focusing on project delivery.
Establishing a Culture of Learning and Experimentation
DevOps emphasises establishing a culture where learning and constant experimentation are encouraged. Knowledge and innovation are born from ongoing experiments and establishing a sense of mastery through repetition and practice. The entire team should understand and be able to define the system's state and introduce variations that disrupt the system's state. We can establish whether the variations lead to desirable states through these disruptions. This continuous process of trial and error provides a thorough understanding of the system and breeds innovation.
The 7 core principles of DevOps
DevOps describes seven principles that form the foundation of delivering value to customers:
- Customer-Centric Action
- End-To-End Responsibility
- Continuous Improvement
- Automated Infrastructure
- Toolchain Efficiency
- Continuous Testing
- Collaborative Culture
The principles collectively form the backbone of a strong DevOps culture within an organisation. They act as a framework for applying security practices.
Integrating Security into DevOps
DevSecOps ensures that security is embedded in the seven principles of DevOps by building products while maintaining the confidentiality, integrity, and availability of data. Following these guidelines leads to many benefits, such as allowing for easy and local security implementation, improving security architecture, facilitating collaboration between security and development teams, and removing blame for security incidents.
Implementing DevSecOps is an iterative process, which allows the DevSecOps culture to develop over time rather than arriving all at once. The approach is made up of these three layers:
- Secure by design
- Security by automation
- Security by education
We apply each layer piece by piece until, together, they form a solid foundation on which a DevSecOps culture thrives.
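The "security by automation" layer and the SAST lab mentioned at the top of this post both come down to the same mechanic: a security check runs automatically in the pipeline, and the build passes or fails on its result without a human in the loop. The following is an added example, not code from this blog or its course, of such a pipeline gate. It assumes the SAST tool writes its findings in SARIF (the OASIS Static Analysis Results Interchange Format, which most SAST tools can emit) and that rules carry a numeric `security-severity` property; the SARIF document embedded below is constructed for the demo, and the tool name, rule ids and file paths in it are placeholders.

```python
"""Added example: a 'security by automation' gate for a CI pipeline.

Not code from the blog or its course. Assumes the SAST step emits SARIF
2.1.0 with a numeric 'security-severity' property on each rule. The
sample document below is constructed; its tool name, rule ids and paths
are placeholders.
"""
import json
from collections import Counter
from typing import Dict

# Constructed SARIF 2.1.0 excerpt standing in for real SAST output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.0"}},
            {"id": "LOG-003", "properties": {"security-severity": "3.1"}},
            {"id": "HC-SECRET", "properties": {"security-severity": "7.5"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-003", "level": "note",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/audit.py"},
                 "region": {"startLine": 7}}}]},
            # A finding the team has reviewed and suppressed in source.
            {"ruleId": "HC-SECRET", "level": "warning",
             "suppressions": [{"kind": "inSource", "status": "accepted"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def _rule_severities(run: dict) -> Dict[str, float]:
    """Map each rule id to the numeric severity the tool declares for it."""
    out: Dict[str, float] = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        score = rule.get("properties", {}).get("security-severity")
        if score is not None:
            out[rule["id"]] = float(score)
    return out


def _is_suppressed(result: dict) -> bool:
    """A result counts as suppressed unless every suppression was rejected.

    SARIF suppression status is 'accepted', 'underReview' or 'rejected';
    an absent status is treated as accepted.
    """
    return any(s.get("status", "accepted") != "rejected"
               for s in result.get("suppressions", []))


def _location(result: dict) -> str:
    """Render 'path:line' for the first location, or a placeholder."""
    try:
        phys = result["locations"][0]["physicalLocation"]
        return f'{phys["artifactLocation"]["uri"]}:{phys["region"]["startLine"]}'
    except (KeyError, IndexError):
        return "<unknown location>"


def bucket(score: float) -> str:
    """Coarse severity bucket used for the summary counts."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def evaluate_gate(sarif_text: str, fail_threshold: float = 7.0) -> dict:
    """Decide whether the pipeline may proceed.

    Every unsuppressed finding at or above fail_threshold blocks the build;
    lower-severity findings are counted and reported but do not block.
    """
    doc = json.loads(sarif_text)
    counts: Counter = Counter()
    blocking = []
    for run in doc.get("runs", []):
        severities = _rule_severities(run)
        for result in run.get("results", []):
            if _is_suppressed(result):
                counts["suppressed"] += 1
                continue
            score = severities.get(result.get("ruleId"), 0.0)
            counts[bucket(score)] += 1
            if score >= fail_threshold:
                blocking.append(f'{result["ruleId"]} ({score}) at {_location(result)}')
    return {"passed": not blocking, "blocking": blocking, "counts": dict(counts)}


if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_SARIF)
    print("summary:", verdict["counts"])
    for line in verdict["blocking"]:
        print("BLOCKING:", line)
    # A non-zero exit is what makes the CI job fail.
    raise SystemExit(0 if verdict["passed"] else 1)
```

Run as a pipeline step, the script's exit code is the gate: with the constructed sample it exits 1 because of the unsuppressed SQL-injection finding, while the hard-coded secret in test fixtures, reviewed and suppressed in source, is counted but does not block. Keeping the threshold and the suppression rules in code, rather than in someone's head, is what turns a security review into the repeatable, automated control the "security by automation" layer asks for.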
Learn more in our related course!
This blog briefly overviews what DevSecOps is and how to implement it. To learn more, check out our course, Understanding DevSecOps. In this course, we dive into the theory behind DevSecOps and put your team's knowledge into action with a hands-on lab.