DevSecOps in Government
Government product development is challenging, from the breadth of the diverse user base to the required scaling and reliability of its technology products. Users include all types of people, generations, ethnicities and languages who expect their products to be robust, resilient and recoverable. One of the most challenging aspects, for any product, is protecting information. Any breach, particularly with government products, can immediately erode trust that may have been built up over years of hard work. Taking an agile approach to integrating development, security and operations (DevSecOps) ensures security is built into the entire pipeline.
This article will define DevSecOps and describe how it can be used in product development.
What is DevSecOps?
First, what is DevOps? DevOps is a set of agile practices that automate and integrate the processes between software development and typical IT infrastructure, so that a cross-functional team can seamlessly build, test, and release software products faster and more reliably. The term DevOps was formed by combining the words “development” and “operations” and signifies a cultural shift that bridges the gap between software development and IT operations, which historically functioned in silos.
DevSecOps is the philosophy of integrating security practices within DevOps from the very beginning. It involves creating an agile ‘security as code’ culture with ongoing, flexible collaboration between software development, IT operations and security expertise. Rather than dealing with security issues as a separate team, after all development and other testing is done, you build security into the definition of done every sprint. The goal of DevSecOps is to bridge traditional gaps between IT and security while ensuring fast, safe delivery of software.
DevSecOps is a response to the bottleneck effect of older security models. Traditional security gates were put in place to ensure products were not released unless they successfully passed security requirements and testing, usually by a separate security division, often in the last steps of the software development process. Through a DevSecOps approach in conjunction with continuous integration and continuous deployment (CI/CD), security testing is implemented through daily automation as part of the sprint-level definition of done, as well as addressed during release cycles through “red team” testing as part of the release-level definition of done.
With agile teams actively engaging in emerging design, delivering software value and quality, and adhering to regulatory requirements, security is no longer the concern of just the security team; it’s everyone’s responsibility.
It also means automating some security gates to help keep the DevSecOps workflow from slowing down. Selecting the right tools to continuously integrate security can help meet these goals. However, effective DevSecOps requires more than new tools—it builds on the cultural changes of DevOps to integrate the work of security sooner rather than later. DevSecOps is about built-in security, not security that functions as a perimeter around apps and data.
How do agile organizations use DevSecOps?
Security isn’t something that can be added to software as an afterthought – risk-mitigating security measures have to be embedded into the process from inception to delivery and beyond. Each requirement starts as an idea, then gets coded, tested, integrated, documented, approved, and deployed, resulting in feedback from the marketplace.
Agile product development teams embed risk-mitigating security measures into product development in ways such as the following:
- As ideas, user stories may be used to describe desired secure functionality and outcomes.
- When coding, teams may use test-driven development or pairing to ensure a quality, secure product as it is developed.
- Through continuous testing and integration, they may use scanning or static code analysis, penetration testing, compliance testing, load testing, origin analysis testing, and other approaches to bolster confidence in the security robustness of the product.
- When deploying, teams ensure that the images deployed to users are the same images that were built during coding. A DevSecOps pipeline automates the deployment and automates many of the unit and regression tests.
- When maintaining products after they have been released to users, mutations and vulnerabilities can be exposed through periodic vulnerability scanning.
These risk-mitigating measures become part of the team’s definition of done. Product owners are quick to reject product increments that are not “done” or that are insecure.
When defects are identified, agile teams can adapt easily to address unforeseen security issues. Agile approaches work quite well for teams organizing their work for the long view as well as responding to changes as they occur. It’s everybody’s job to be concerned with creating secure, stable products, but with developers outnumbering security professionals 100 to 1, it’s just not possible to have deep security expertise on each team. Through standards and automation, DevSecOps extends DevOps to integrate solid security practices and tools into the delivery operations process, enabling teams to achieve the appropriate level of security assurance and confidence.
Security training is another practice that organizations using DevSecOps promote. Organizations often support communities of practice or guilds that can leverage their security experts to ensure healthy security practices are learned, understood and employed by all cross-functional product development team members. Security, operations stakeholders and subject matter experts also have an opportunity to attend sprint reviews, where they can provide feedback and guidance and where concerns or findings are discussed. The product owner considers security feedback for addition and prioritization in the product backlog along with all the other feedback.
Where to begin?
Begin where you are. Begin by analyzing your product’s security strengths, weaknesses, opportunities and threats. Are there changes that can be made to your definition of done to improve product security? Perhaps there are standards or automation that can improve security practices for everyone. Is there security testing that can be run as part of your CI/CD pipeline or independently to highlight potential threats? If so, use this information to adapt your development approach. Inspect and adapt.
DevSecOps seeks to enable product development such that security is intrinsic in the process and products. This approach is essential in modern systems, and especially in more highly regulated settings such as products for use by governments. DevSecOps emerged as organizations grappled with weaving security into the entire software development process from end to end, all while avoiding unnecessary burdens that could slow delivery. The keys for successful DevSecOps are:
- Security is considered from the very beginning and embedded using the team’s definition of done throughout the product development process, creating the “security as code” culture.
- Close daily cross-functional collaboration takes place between people skilled in software development, operations and security.
- Automation and agile approaches enable DevSecOps.
- Security becomes everyone’s responsibility through awareness, training, and ownership.