How is DevSecOps different from SecOps?
Steven S. Warren
Field CTO | Driving SaaS Excellence in Development & Product Management
Before we can talk about the importance of DevSecOps, you must first understand what SecOps is and why it matters. SecOps is a collaboration between security and operations to integrate the technology and processes that keep all systems and data secure. Combining security and operations is important because of how wide a footprint a company can cast today. You no longer have a neat and tidy network perimeter to control. In hindsight, it was very easy to secure a network; you had your boundaries and you made sure they were locked down tight. Fast forward to today and that neat and tidy network expands past the firewall of your simple network. You now have public cloud, private cloud, hybrid cloud and community cloud, and they all have a multitude of devices that connect to them. Some examples include phones, tablets and web services. In addition, endpoints exist in every corner of the world. This opens your network up to more risk that you have to mitigate in order to stay secure. This new perimeter needs to be buttoned up, and this is why operations and security must collaborate to create a secure network.
Now that I have set the stage, let's talk about what it looks like to combine Operations and Security to give you that buzzword called SecOps. With the ability of your company to scale to infinite endpoints and resources, you can't look at security as just something you have to get done. It cannot be an afterthought. If it is, this is how you can wind up getting hacked and paying 600k like Riviera Beach, Florida. SecOps is basically bringing security in at the beginning of a cycle and during every stage of planning and development. It is a management methodology that you implement across your entire business. This is where we introduce DevOps. DevOps is the ability to provide infrastructure as code. Instead of operations having to build infrastructure manually, they work with developers to build infrastructure via code. For example, imagine you are a developer and you have to develop a new product, but before you can develop the product, you need specific hardware and software. This could take you weeks to get up and running, and it requires a ticket and someone in operations to help you. Weeks could go by before you are actually in a position to test your code. With DevOps, you can automate this process and simply request operating systems and software via code, and be testing your code in minutes.
So, at this point, we have learned about SecOps and DevOps. Let's now look at DevSecOps and why it is so powerful. By 2024, cybercrime will cost about 8 trillion a year. With an ever-increasing number of ways to connect to your network, you must be able to secure and mitigate this risk quickly. Marriott and Equifax were breached in the last year. Data breaches are costing millions, and manual intervention is not the answer. Because of these breaches, companies are investing millions of dollars into cybersecurity. Part of that investment is learning how to leverage DevSecOps. DevSecOps allows a company to identify security issues early in the development process rather than after the product is released. This is very beneficial for preventing a breach, since security flaws can be patched prior to a release. Basically, you have developers who are checking in code daily, and automated tests are being run to make sure this code works on the product being delivered. The problem here is that nobody is looking at security, and that is where DevSecOps shines. You now have an avenue to automate running security checks prior to any deployment of software. Developers check in code, smoke and integration tests pass, and then a slew of additional security tests are run; if they pass, this code can deploy to production. If they fail, the code is sent back to the developer to fix. In this scenario, you do not have to worry about software being deployed with back-door security flaws that can be used by cyber criminals.
Implementing DevSecOps will reduce your cost by finding these flaws early in the development cycle. In addition, it will keep your brand clean by avoiding bad press or data breaches. It ensures an automated way of reviewing your code and empowers developers to use secure design patterns and principles. This is very important. You are teaching your developers not only to write great code, but also to consider security in their code, which in turn reduces costs and increases value. Additionally, you are regularly tearing down infrastructure and rebuilding it in an automated fashion. For example, you check in code to build your product, security tests are run and everything passes. You deploy and then uncover a security flaw. You quickly check in code that patches the flaw, run all the tests and redeploy. Because you are leveraging DevSecOps, you can redeploy quickly with zero manual intervention.
Implementing an agile change can take time. Your first step is to break down the silos between Operations, Security and Development. Once this is complete, you can begin to institute change by combining Operations and Security. This can be manual to begin with, until you have a cohesive roadmap. Once that is complete, you pull Development into the fold and begin to work through how to produce infrastructure as code that includes security. Over time, you should be able to easily build and tear down your entire product in code. This will allow you to react to and mitigate any risk. It will not matter where the risk lives, because you can quickly add a test case and a fix to your code and run the tests. If they pass, you redeploy your code and lock down that risk immediately. As more security issues arise, simply rinse and repeat.
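The deployment gate described above (smoke tests, then integration tests, then security checks, with failures sent back to the developer) and the "add a test, fix, rerun, redeploy" loop from this paragraph, as an added example that is not part of the original article. The file contents, dependency pins and advisory feed are all constructed for the example; the check functions are deliberately small stand-ins for real tools.

```python
import re

# Constructed sample change as a developer would check it in: file contents
# plus pinned dependencies. Package names and versions are made up.
CHANGE_FILES = {
    "app/main.py": "def handler(req):\n    return 'ok'\n",
    "app/config.py": 'DB_URL = "postgres://app:s3cr3t@db/prod"\n',
}
CHANGE_DEPS = {"examplelib": "1.4.0", "otherlib": "2.3.2"}

# Constructed advisory feed: package -> versions with a known flaw. A real
# pipeline would pull this from a vulnerability database.
KNOWN_VULNERABLE = {"examplelib": {"1.4.0"}}

SECRET_PATTERNS = [
    re.compile(r"[a-z]+://[^:/\s]+:[^@\s]+@"),  # user:password@ inside a URL
    re.compile(r"(?i)(api[_-]?key|secret|token)\s*=\s*['\"][^'\"]{8,}"),
]


def run_smoke_tests(files):
    # Stand-in for the real suite: the entry point must at least be present.
    return "app/main.py" in files


def run_integration_tests(files):
    return True  # stand-in; the real suite exercises the built product


def scan_for_secrets(files):
    """Flag lines that look like hard-coded credentials, with file:line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append(f"{path}:{lineno}: possible hard-coded credential")
    return findings


def check_dependencies(deps):
    """Flag pinned versions that appear in the advisory feed."""
    return [f"{name}=={ver}: known vulnerability"
            for name, ver in deps.items() if ver in KNOWN_VULNERABLE.get(name, ())]


def gate(files, deps):
    """Stages in the article's order. Returns ('deploy', []) or
    ('back-to-developer', [reasons]) so the developer sees why it failed."""
    if not run_smoke_tests(files):
        return "back-to-developer", ["smoke tests failed"]
    if not run_integration_tests(files):
        return "back-to-developer", ["integration tests failed"]
    reasons = scan_for_secrets(files) + check_dependencies(deps)
    return ("back-to-developer", reasons) if reasons else ("deploy", [])


# Rinse and repeat: the developer moves the credential to the environment and
# bumps the dependency, then the same gate runs again on the fixed change.
FIXED_FILES = dict(CHANGE_FILES, **{"app/config.py": 'DB_URL = os.environ["DB_URL"]\n'})
FIXED_DEPS = dict(CHANGE_DEPS, examplelib="1.4.1")
```

Running `gate(CHANGE_FILES, CHANGE_DEPS)` returns the change to the developer with both findings, while `gate(FIXED_FILES, FIXED_DEPS)` clears it for deployment with no manual step in between.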