DevSecOps: A Security Checklist April 7, 2021 When it comes to IT, security has almost always operated from a position of prevention after the fact. With this approach, once a system is designed, security experts identify any defects or flaws, which are then fixed before it’s released. This traditional method has quickly been displaced by a new way of working, thanks to the explosion of public cloud, DevOps and agile development. This new approach to security is called DevSecOps. What is DevSecOps? To understand DevSecOps, it’s important to first understand DevOps. DevOps is a practice that brings development teams and IT operations teams together –– hence the name –– and focuses on rapid development with an emphasis on collaboration, communication, and the automation of software delivery and IT infrastructure changes. DevOps enables organizations to speed up releases, improve efficiencies, iterate continuously to better your product, respond to the market quickly, and build better products overall. In fact, the 2020 Global DevSecOps Survey conducted by GitLab, found that 82% of developers report they’re releasing code more quickly using DevOps. In recent years, security team members have become a critical third member of the DevOps process, adding the “sec” into DevSecOps. Working closely with developers and IT operations teams, security is taking a bigger role throughout the lifecycle of development. This means that security isn’t tackled in hindsight or as a final step of a product’s development –– it’s built right into the entire process. This includes embedding testing, monitoring, and reporting into the delivery pipeline. Rapid feedback loops are generated to report on the state of security across the system. The ideal, as articulated by one respondent of the GitLab survey is this: “We don’t have separate security, developers and operations; we are DevSecOps (and more).” Why Adopt DevSecOps? DevSecOps is an agile and modern response to traditional security. For organizations looking for more collaboration and transparency during development, DevSecOps is a smart option as it ensures the ‘secure by design’ principle. With security built right into the product, development can move faster and isn’t weighed down at the final stage before release. Many organizations find that alongside the quicker rate of delivery for code, DevSecOps also helps reduce expenses. Plus, adopting DevSecOps means that if a threat is discovered, it’s fixed much more swiftly. DevSecOps encourages a culture of openness from the very beginning of development and embeds security into the roles of everyone working on a project –– not a single individual or a specialized security team. Best Practices for DevSecOps While DevSecOps is still evolving, best practices are in place to get the most out of the approach. Here are five best practices to embrace as you implement DevSecOps in your organization. #1. Consider security a mindset, not a team With DevSecOps, security becomes everyone’s responsibility and priority. Create a culture where security becomes embedded across the process, not an add on. For DevSecOps to truly work, the whole team needs to be on board and no longer consider their areas of expertise in siloes. #2. Choose the right security tools Having the right security tools will be critical to a streamlined and successful DevSecOps process. They need to be fast, accurate, and shouldn’t require rechecks along the way. Additionally, they should help developers by identifying vulnerabilities and potential issues along the way. To ensure you’re choosing the right security tools, work with a managed cloud and security expert, like Carbon60. #3. Use automation with orchestration Automation allows the continuous streaming of processes including security, fixes, testing, audits, and governance. Decisions are easier to make when it comes to security as they’re based on repeatable processes and data points. #4. Engage a red team A red team looks at infrastructure and code from the perspective of an attacker. This viewpoint allows for a better understanding of the strengths and vulnerabilities of an application, service or cloud. Proactively and preemptively searching for threats can reduce major incidents down the road. #5. Invest in training For DevSecOps to succeed in your organization, your entire staff needs to understand how it works. Not only does it iron out any potential issues with processes, but it also helps to ensure that standards are properly implemented in order to release secure applications. DevSecOps is a Game Changer DevSecOps can be a game changer for how your company develops and releases code. If your organization is considering adopting DevSecOps, contact us to discuss your needs. We can help make sure you’ve got the right tools and processes in place. Carbon60 is an MSP dedicated to helping businesses maximize the performance and security of their core application infrastructure with an agnostic cloud approach using public and hosted private clouds. A partner with both Amazon Web Services and Microsoft Azure along with major cloud and data centre technology companies, we have the experience and the expertise to support organizations wherever they might be on their cloud journey. Contact us to learn more.