Principles of SecDevOps
DevOps is a methodology first introduced in 2007 and focuses on collaboration between development and operations teams to streamline software delivery. DevSecOps later came into the picture around the 2010 timeframe and extends this approach by integrating security practices into the DevOps workflow.
DevOps addresses security concerns later in the development cycle, whereas DevSecOps integrates security throughout the process.
But what is SecDevOps? This is the topic of this post.
What is SecDevOps?
In essence, both DevSecOps and SecDevOps include the same principles in their methodology, specifically the integration of:
- Development
- Security
- Operations
What is the difference between SecDevOps and DevSecOps?
SecDevOps integrates security into the DevOps process, ensuring that security is a primary consideration throughout the software development lifecycle.
DevSecOps focuses on embedding security practices into the DevOps process, fostering collaboration between development and operations teams to seamlessly integrate security. It builds upon existing DevOps methodologies by incorporating security as part of the process.
SecDevOps, on the other hand, takes a slightly different approach by prioritizing security above other factors. It positions security as the guiding principle, shaping development and operational processes from the very beginning.
What are the benefits of SecDevOps?
The primary key benefits to recognize are:
- Limits security breaches: Security is thought through and built in at the beginning of the development lifecycle, a true shift-left of where security is implemented.
- Improves application quality: Following from the previous point, security is a forethought, not an afterthought.
- All other benefits of DevOps.
What are some examples of implementing SecDevOps?
Here is a list of approaches that can be considered in contributing to a SecDevOps culture:
- Integrate Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) in the CI/CD pipeline, and do so early in the Agile development process.
- Define security policies for developers, such as secure coding practices and vulnerability reporting.
- Incorporate version control tools and practices.
- Conduct regular security training, focusing on secure coding practices, threat modeling, and how to use security testing tools effectively. Ongoing training and awareness are needed.
- Leverage Software Composition Analysis (SCA) to analyze the open-source components and libraries used within an application for known vulnerabilities. SCA tools can also be incorporated into the CI/CD pipeline.
- Automate as much as possible.
How about Security-as-Code (SaC)?
In the basic sense, SaC is described by some as simply a modern name for DAST and SAST security testing (link).
More precisely, it means treating every security measure as a code artifact (link).
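The two ideas above, SCA running as a gate inside the CI/CD pipeline and a security measure expressed as a code artifact, can be shown together in one small script. This is an added example written for this post, not code from the original author or from any SCA product: it parses a pinned dependency manifest, matches each pin against an advisory list, and fails the build when a finding reaches a severity threshold. The package names, versions and advisory identifiers are constructed sample data; a real pipeline would pull advisories from a maintained vulnerability database and use a proper version library rather than the simple dotted-integer comparison used here.

```python
"""Added example (not from the original post): a minimal Software Composition
Analysis (SCA) gate written as code, the kind of check a SecDevOps pipeline
runs before a build may proceed. The manifest and the advisory list are
constructed sample data, not real packages or real advisories."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed advisories: package -> list of
# (first vulnerable version, first fixed version, severity, advisory id)
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "high", "EX-ADV-0001")],
    "toolkit": [("2.0.0", "2.3.0", "medium", "EX-ADV-0002")],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); missing components are padded with zeros."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a requirements-style manifest with one 'name==version' per line.

    Unpinned entries are rejected: an SCA result is only meaningful for a
    version that is actually known.
    """
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass
class Finding:
    package: str
    version: str
    severity: str
    advisory: str
    fixed_in: str


def scan(deps: Dict[str, str], advisories=ADVISORIES) -> List[Finding]:
    """Report every pin that falls inside an advisory's vulnerable range."""
    findings: List[Finding] = []
    for name, version in deps.items():
        v = parse_version(version)
        for first_bad, fixed, severity, adv_id in advisories.get(name, []):
            if parse_version(first_bad) <= v < parse_version(fixed):
                findings.append(Finding(name, version, severity, adv_id, fixed))
    return findings


def gate(findings: List[Finding], fail_at: str = "high") -> bool:
    """The policy as code: the build passes only if no finding reaches fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f.severity] < threshold for f in findings)


# Constructed sample manifest: one pin inside a vulnerable range, one patched,
# one with no advisories at all.
SAMPLE_MANIFEST = """\
# constructed sample manifest
examplelib==1.2.0
toolkit==2.5.1
safepkg==0.9.0
"""


def run_sample() -> Tuple[List[Finding], bool]:
    deps = parse_manifest(SAMPLE_MANIFEST)
    findings = scan(deps)
    return findings, gate(findings)


if __name__ == "__main__":
    results, passed = run_sample()
    for f in results:
        print(f"{f.severity.upper():8} {f.package}=={f.version} "
              f"{f.advisory} (fixed in {f.fixed_in})")
    print("build gate:", "PASS" if passed else "FAIL")
```

Because the threshold lives in `gate()` rather than in a dashboard setting, a change to what the pipeline tolerates is a reviewed commit like any other change, which is the point of treating the measure as a code artifact.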