What is SecDevOps?
SecDevOps (also known as DevSecOps and DevOpsSec) is the process of integrating secure development practices and methodologies with development and deployment practices. It integrates Security as a key component with DevOps processes.
What is DevOps?
DevOps is a set of practices that combines software development (Dev) with IT operations (Ops). The goal of DevOps is to shorten the system development lifecycle and deliver high-quality software using tools like Continuous Integration and Continuous Delivery pipelines. DevOps is not the same as Agile Development, but it can use Agile practices to achieve its goals. It has the added benefit of integrating Quality Assurance (QA) into the same processes.
Traditional Development and Operations
Traditionally, Development and Operations were two separate, siloed departments within the organization. When it came time to deploy an application or release a feature, the two departments would come together and figure out what the dependencies were and what resources would be needed for the deployment. Once the deployment was over, they would go their separate ways and come back only when the next deployment happened.
There are many problems with the traditional development and operations model. The major one was that communication broke down the minute a deployment was over, and had to be restarted when the next deployment began. It also meant that the subject matter experts who developed the application were completely removed from its day-to-day operation.
Another major issue was that the talent pool for operations differed drastically from the talent pool for development. An operator might not have the skillset needed to identify a problem in production, which a developer would have because they wrote the code. Likewise, a developer would never see the issues that only appear in production and never in development and testing environments.
For example, suppose the operations team notices that one page in a web application takes 10 seconds to load. This is unacceptable by any standard. The operations team does not have the skillset to speed up the web application, and time and resources are spent getting the issue reported back to the development team. The solution might be to implement a caching system, or to reduce the number of repetitive queries, but an operator cannot communicate that to the developer.
Traditional development and operations processes were slow and consumed a lot of resources, which slowed down the business and its need to stay competitive.
How DevOps Dissolved Silos
DevOps was built as a way to break down these traditional silos between departments in an organization. It used tools and newly available technologies to allow Development to be integrated with Operations. This meant that developers needed to be intimately familiar with operations, and operators needed to be intimately familiar with development.
So suppose that in the traditional methodology we have a development team of 10 members, an operations team of 5 members, and a database team that offers database management and support. The way DevOps broke this apart is that we would instead have smaller teams with 3 developers, 1 operator and 1 database subject matter expert. This way, the organization would go from having 3 teams within their own silos to multiple small teams, each focused on a specific aspect of the application. If the operator in a smaller team runs into an issue, they can consult the developers quickly and, if needed, consult other operators from their operations team.
Now, with DevOps, each smaller team can focus on a specific feature set of the application. The smaller team can use automation tools like Ansible to set up a development virtual machine that combines codified infrastructure from the operator with application code from the developers, with input on how to do things properly from the database management expert.
DevOps in 2021
This was how things looked soon after DevOps came onto the scene, but in 2021 what we see is that developers are so familiar with operations and infrastructure code that they write infrastructure code as they write application code. Developers have also acquired the skills needed to do some database management, but database management still ends up in its own team, because those specialists need to be moved around as issues creep up. The database management teams also apply DevOps methodologies themselves and act as their own DevOps team, since databases often need scripts developed and operations performed on the database infrastructure.
DevOps vs SecDevOps
As shown in the diagram above, DevOps has multiple phases. Each phase typically has one or more tools required for it to function well. Here are some examples of tools that work well with each stage of DevOps:
Planning: Using a ticket management system like JIRA or Redmine to track issues and features.
Build: Using frameworks and languages to build out the code for the infrastructure, like Ansible or ChefDK.
Continuous Integration and Continuous Delivery (CI/CD): Using a build and test running tool like Gitlab Runner or Jenkins.
Operations: Using tools such as Splunk or Kibana for Log monitoring, New Relic and DataDog for monitoring applications and security, and Google Analytics for user analytics, we can monitor how applications are behaving in real-time with users, and plan for up-scaling or down-scaling resources based on demand.
Continuous Feedback: We get continuous feedback from logs, security and user behavior in operations. With this data, we can modify our planning stage and update tickets based on the feedback.
Where SecDevOps comes in is that security is integrated through all of these phases. SecDevOps makes Security a crucial component of the DevOps paradigm. Integrating security in each phase means that in Planning, we design our system's features with input from security. While Building and going through the CI/CD process, each line of code and each dependency are checked with tools such as Codacy and SonarQube to verify that they are safe and secure. Finally, in Operations, we incorporate Intrusion Detection Systems and Intrusion Prevention Systems to make sure that business operations are conducted in a secure and proper fashion.
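To make the CI/CD dependency check concrete, here is an added example (not code from the original article) of a pipeline gate that parses a pinned requirements file and fails the build when a package falls inside a known-vulnerable version range. The advisory table, the package names and the requirements text are constructed for illustration; a real pipeline would pull advisories from a vulnerability database feed.

```python
"""Dependency gate for the CI/CD stage: fail the build when a pinned package
falls inside a known-vulnerable version range. Added example, not code from
the original article; advisories and requirements below are constructed."""
from typing import Dict, List, Tuple
# Constructed advisory table: package -> (first vulnerable, first fixed, note).
# A real pipeline would load this from a vulnerability database feed.
ADVISORIES: Dict[str, Tuple[str, str, str]] = {
    "examplelib": ("1.0.0", "1.4.2", "EXAMPLE-001 unsafe deserialization"),
    "othertool": ("0.0.0", "2.1.0", "EXAMPLE-002 path traversal"),
}

# Constructed requirements file in pip's "name==version" pin format.
REQUIREMENTS = """\
examplelib==1.3.0
othertool==2.1.0
# comments and blank lines are ignored
safething==3.2.1
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_pins(requirements: str) -> Dict[str, str]:
    """Accept exact pins only; an unpinned line is itself a gate failure."""
    pins: Dict[str, str] = {}
    for line in requirements.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency not allowed in CI: {line}")
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins

def check_dependencies(requirements: str) -> List[str]:
    """Return one finding per pinned package inside a vulnerable range."""
    findings = []
    for name, version in parse_pins(requirements).items():
        if name in ADVISORIES:
            first_bad, first_fixed, note = ADVISORIES[name]
            if parse_version(first_bad) <= parse_version(version) < parse_version(first_fixed):
                findings.append(f"{name}=={version}: {note} (fixed in {first_fixed})")
    return findings

def gate_passes(requirements: str) -> bool:
    """CI gate: True only when the scan produced no findings."""
    return not check_dependencies(requirements)
```

A CI job would call gate_passes() on the repository's requirements file and exit non-zero when it returns False, so the finding blocks the merge rather than being discovered in production.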
SecDevOps vs DevOpsSec vs DevSecOps
Now that we know what SecDevOps is, let's look at the other variations of the term. In simple terms, each variant refers to where security is integrated into the DevOps paradigm.
SecDevOps: Integration of security in development processes.
DevOpsSec: Integration of security after development.
DevSecOps: Integration of security into development testing.
The way security is integrated into a project really depends on the project's specific needs and priorities.
Conclusion
As you can see, SecDevOps is a development, operations and business philosophy, and ultimately a paradigm shift in the way we build software and infrastructure on the cloud. It requires multiple steps and multiple tools to be used in synchronization to achieve business goals. It also requires teams to adjust how they think and how they build software. It promotes cross-collaboration between what were once independent departmental silos and allows the business to be more nimble and adapt to change quickly.