
What is DevSecOps, and Why Does it Matter?


DevSecOps? Gesundheit. 

Pardon the humor, but to some people in the software development industry, DevSecOps is just another buzzword thrown around with little meaning. 

Let me assure you, this is hardly the case.

Whether you’re an executive doing your due diligence and trying to understand the custom software development process or an industry professional here for convincing, this blog provides an overview of DevSecOps, and why it matters.

What is DevSecOps?

DevSecOps is more than a fleeting term some people on LinkedIn throw around to make themselves seem more _in the know_ or _super smart_; it’s a workflow that provides software more rapidly and securely to customers. 

If the capitalization within the word itself didn’t inform you this is a compilation of three words, spoiler alert, it is. Let’s dive in. 

DEVsecops

Dev represents “Development.”

This encompasses all the planning, building, and testing in software development. 

Now, you might think this is fairly straightforward, but in the context of DevSecOps, you have to view this as only one part of a whole that needs to consider the other two parts of the term. 

A portion of this should utilize IaC, Infrastructure as Code. Using tools like Bicep and Terraform, you can codify your infrastructure to ensure that any changes you make persist into the cloud environment you deploy to. 

You can achieve any change you want through commit rather than manually entering a web console. This also allows for more repeatable and automated deployments.

devSECops

Sec means “Security.”

To make the development process adhere to this paradigm, address security _now_ rather than later. 

It’s better to do this upfront rather than, for example, after you realize that the NPM package you’re using is spelled ever so slightly wrong and has been harvesting user data for months (this is levity, not something learned from experience.)  

The development community has dubbed this practice “Shifting Left,” generally described as moving security and testing earlier in the software lifecycle.
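One way to shift the misspelled-package problem left is a check that runs on every commit, before anything is installed. This is an added example, not code from the original post: the allowlist and the package.json are constructed, and the two-edit threshold is an assumption.

```python
"""Shift-left dependency check: flag dependency names that are within a couple
of edits of a well-known package, before the build installs anything.
Added example, not code from the original post; the allowlist and package.json
below are constructed."""
import json

# Constructed allowlist of package names the organisation has approved.
KNOWN_PACKAGES = {"lodash", "express", "react", "axios", "moment", "chalk"}

# Constructed package.json: one dependency is misspelled by a transposition.
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"express": "^4.18.2", "lodahs": "^4.17.21", "react": "^18.2.0"},
    "devDependencies": {"chalk": "^5.3.0"},
})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_dependencies(package_json: str, known=KNOWN_PACKAGES, max_edits=2):
    """Return {dependency: closest_known_name} for names that are not on the
    allowlist but sit within max_edits of one; exact matches are fine."""
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    findings = {}
    for name in deps:
        if name in known:
            continue
        nearest = min(known, key=lambda k: edit_distance(name, k))
        if edit_distance(name, nearest) <= max_edits:
            findings[name] = nearest
    return findings


if __name__ == "__main__":
    hits = suspicious_dependencies(PACKAGE_JSON)
    for dep, near in hits.items():
        print(f"FAIL: '{dep}' is suspiciously close to '{near}'")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails the pipeline stage
```

A near-miss is only a signal for a human to confirm the intended package, which is exactly the review that is cheap at commit time and expensive after months in production.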

devsecOPS

Ops stands for “Operations.”

Think of this as choosing tools and making decisions that allow for more scalable applications. 

For example, we use Docker to adhere more closely to the best practice of “Build Once, Deploy Many,” making every environment run on the same code. Everything is set up to be platform agnostic.

This is possible thanks to the inclusion of a CI/CD pipeline (Continuous Integration/Continuous Deployment). The idea is to frequently make small changes, have them automatically tested, and then deploy them to the customer. This allows bugs to be found more quickly, lessening the opportunity for large breaking issues on deployments.

Back to ‘Sec’ for a sec.

I’d be remiss not to acknowledge security in this step as I have in each prior step. Adding checks for each environment before it fully deploys adds that extra layer of security we’ve all come to know and love. 

We should all strive for continuous deployment. By only allowing the pertinent parties permission to press play on the pipeline, you can ensure deployments that align with stakeholder expectations. It also provides peace of mind that only the right/authorized people are releasing your work into the world.
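What the per-environment checks and the “press play” permission look like as a pipeline gate, as an added example that is not code from the original post. The artifact bytes, build manifest, check results and releaser lists are all constructed; the three conditions the gate enforces are the ones the section describes.

```python
"""Pipeline promotion gate: before an environment is deployed, verify that the
artifact is the exact one that was built and tested (build once, deploy many),
that this environment's checks passed, and that the person pressing play is
authorized. Added example, not code from the original post; the manifest,
check results and releaser lists are constructed."""
import hashlib

# Constructed artifact and the manifest the build stage recorded for it.
ARTIFACT = b"demo-app image layers v1.4.0"
BUILD_MANIFEST = {"version": "1.4.0", "sha256": hashlib.sha256(ARTIFACT).hexdigest()}

# Constructed per-environment check results and release permissions.
CHECK_RESULTS = {
    "staging": {"unit": True, "dependency_audit": True, "smoke": True},
    "production": {"unit": True, "dependency_audit": False, "smoke": True},
}
AUTHORIZED_RELEASERS = {
    "staging": {"release-manager", "dev-lead"},
    "production": {"release-manager"},
}


def gate_deploy(env: str, candidate: bytes, actor: str, manifest=BUILD_MANIFEST,
                results=CHECK_RESULTS, authorized=AUTHORIZED_RELEASERS):
    """Return (allowed, reasons). Every failing condition is reported so the
    pipeline log shows all blockers, not just the first one."""
    reasons = []
    # 1. Build once, deploy many: the bytes going out must hash to what was tested.
    if hashlib.sha256(candidate).hexdigest() != manifest["sha256"]:
        reasons.append("artifact digest does not match the tested build")
    # 2. Every check recorded for this environment must have passed.
    env_results = results.get(env, {})
    failed = [name for name, ok in env_results.items() if not ok]
    if not env_results:
        reasons.append(f"no check results recorded for {env}")
    elif failed:
        reasons.append(f"failed checks for {env}: {', '.join(failed)}")
    # 3. Only authorized parties may press play on this environment.
    if actor not in authorized.get(env, set()):
        reasons.append(f"{actor} is not authorized to release to {env}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for env, who in (("staging", "dev-lead"), ("production", "dev-lead")):
        allowed, why = gate_deploy(env, ARTIFACT, who)
        print(env, "ALLOW" if allowed else "BLOCK", why)
```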

Why it Matters

Consider how much time and money you can save by dealing with security issues upfront. Let’s say, for example, you hear your head architect say, “We’ll just take those security items on as technical debt at the beginning of a project...”

Only to realize later, during an audit, that an entire API needs to be rewritten. While technical debt isn’t a bad thing, waiting until the last second to ensure that your processes are secure is. 

By incorporating security measures throughout the development process, you can avoid making large architectural changes and get on your way to a SOC2 attestation. 

Adding security to every step, from planning to writing, testing, and delivering code, guarantees that if your final product appears in the news, it’ll be with a ‘Look at this cool new platform’ headline rather than one like ‘CEO arrested for exploitation of user data.’ 

Levity aside, DevSecOps is important to all aspects of software development. Some might think it adds unnecessary overhead to an already complicated process, but I see it differently. 

By implementing DevSecOps, you can evaluate the choices you make in the software development process daily. This allows you to identify areas where you can improve your operations and make your software the best version it can be… 

And it definitely matters.
