DevOps is an evolving philosophy, and now is the time–just as you start embracing DevOps in your organization–to start building security into both your DevOps philosophy and processes. DevOps philosophy started with the core principles of W. Edwards Deming’s points on Quality Management, binding the development of services and their delivery to IT Operations. As we apply Deming’s principles to software development and IT organizations, we’re working to improve the overall quality of software systems. Read on to learn how to get a running start with DevSecOps.
Automation is Essential for DevSecOps

We think that automating the process, particularly using Continuous Integration (CI) and Continuous Delivery (CD) tools, is essential for successful adoption of DevSecOps.
- Continuous integration. Allows a developer to integrate changes into the source code mainline as they finish writing a piece of code.
- Continuous delivery. Allows system components to be updated as needed, rather than waiting to deliver component updates in the next full release.
- Continuous deployment (also known as CD). Allows applications to be continuously deployed, often to just part of the user base at first, then later to the entire user base if the deployment is successful.
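Automation only builds security in if the pipeline can refuse to ship. The following is an added example, not code from the original article or from any vendor mentioned in it: a small security gate a CI step would run against a scanner's report, failing the build on findings at or above an agreed severity while honouring a time-limited allowlist so accepted risk expires instead of being forgotten. The report and allowlist formats here are constructed for the demo and are an assumption, not the schema of any real SAST or dependency-scanning tool.

```python
"""CI security gate (hypothetical example).

Reads a scanner report, drops findings below the agreed severity threshold,
suppresses findings covered by an unexpired risk acceptance, and returns a
non-zero exit status when anything blocking remains so the CI job fails.
"""
import json
import sys
from datetime import date

# Ordering used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, shaped like the JSON a scanner might emit.
# The format is an assumption for this demo, not a real tool's schema.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "SQLI-001", "severity": "high", "file": "app/db.py", "line": 42,
         "title": "SQL query built with string formatting"},
        {"id": "DEP-017", "severity": "critical", "file": "requirements.txt", "line": 3,
         "title": "Vulnerable dependency version pinned"},
        {"id": "LOG-003", "severity": "low", "file": "app/log.py", "line": 10,
         "title": "Possible secret written to log"},
    ]
})

# Constructed risk acceptances: each names a finding id, a reason and an expiry
# date, so a suppression has to be revisited rather than living forever.
SAMPLE_ALLOWLIST = [
    {"id": "SQLI-001", "expires": "2099-01-01", "reason": "parameterised query queued; ticket SEC-123"},
    {"id": "DEP-017", "expires": "2020-01-01", "reason": "acceptance has lapsed"},
]


def is_allowlisted(finding, allowlist, today):
    """True if an allowlist entry matches the finding id and has not expired."""
    for entry in allowlist:
        if entry["id"] == finding["id"] and date.fromisoformat(entry["expires"]) >= today:
            return True
    return False


def evaluate_report(report_json, allowlist, threshold="high", today=None):
    """Return (blocking_findings, suppressed_findings) for the report.

    `today` is an ISO date string; it defaults to the current date and is a
    parameter so the gate's behaviour around expiry dates is testable.
    """
    today = date.fromisoformat(today) if today else date.today()
    report = json.loads(report_json)
    limit = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for finding in report.get("findings", []):
        rank = SEVERITY_RANK.get(finding.get("severity", "").lower(), 0)
        if rank < limit:
            continue  # below the agreed threshold: report elsewhere, do not block
        if is_allowlisted(finding, allowlist, today):
            suppressed.append(finding)
        else:
            blocking.append(finding)
    return blocking, suppressed


def gate(report_json, allowlist, threshold="high", today=None):
    """Exit status for the CI step: 0 lets the merge proceed, 1 blocks it."""
    blocking, suppressed = evaluate_report(report_json, allowlist, threshold, today)
    for f in suppressed:
        print(f"SUPPRESSED {f['id']} ({f['severity']}) {f['file']}:{f['line']}")
    for f in blocking:
        print(f"BLOCK {f['id']} ({f['severity']}) {f['file']}:{f['line']} {f['title']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # In a real pipeline the report would be read from the scanner's output
    # file and the allowlist from a reviewed file in the repository.
    sys.exit(gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, today="2024-06-01"))
```

Run as a pipeline step, a non-zero exit status is what makes CI refuse the change; keeping the allowlist in version control means every suppression is itself code-reviewed, and the expiry date forces the accepted risk back onto the backlog.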
“While enabling organizations to develop software with more efficiency and speed, the DevOps process also dramatically expands risk through software exposure,” said Emmanuel Benzaquen, CEO, Checkmarx.
Beyond the Acronyms Lies a Secure SDLC

For many organizations, DevOps, CI, CD (and CD again) just amount to a lot of acronyms and words that are difficult to turn into their ultimate goal—a secure software development lifecycle (aka an SSDLC). As is so often the case, the Open Web Application Security Project (OWASP) provides a model for integrating security into any existing SDLC, which they call the Software Assurance Maturity Model. Applying this model in an organization comprises six basic steps, as follows:
- Prepare: Ensure a proper start of the project by defining scope, identifying stakeholders, and spreading the word so people understand what you’re doing and why.
- Assess: Identify and understand the maturity of your scope in each of the 12 software security practices.
- Set the target: Develop a target score to use to measure against, to guide you to act on the most important activities for your situation.
- Define the plan: Determine a change schedule and develop or update your roadmap plan. It’s important to have a realistic change strategy in terms of number and duration of phases. Identify quick wins you can make early on.
- Implement: Work the plan by implementing all activities in this period, considering their impact on processes, people, knowledge, and tools.
- Roll out: Make sure that improvements are available and visible for everyone involved. Organize training and communicate the improvements to the team, then measure the adoption and effectiveness of the improvements implemented.