In the digital age, securing your development projects against malicious hackers can be quite the challenge. And when you take security and try to scale security to an enterprise, the challenge seems insurmountable. Evident by the frequent hacking incidents we see come through the news.
Enter DevSecOps. DevSecOps is a methodology that interweaves the aspects of DevOps and standard security practices. It attempts to prevent vulnerabilities that can occur at every step of the development process, and so, has become increasingly popular in recent times.
That's why we had a chat with Chris Carlson, Vice President of Product Management at Qualys, a cloud security provider, to learn more about how and why enterprises should consider updating their previous development methodologies to DevSecOps.
ADM: What is DevSecOps and why is it important?Chris:
DevSecOps is the combined methodology in which cyber and application security aspects are integrated into the DevOps process of developing software, testing, building, and deploying into production environments. The more seamless, transparent, automated, agile, and quick that security aspects including tools, people, processes, policies, reporting, and actionable output can be integrated into the DevOps methodology
, higher adoption is realized and benefits gained for the organization. Ultimately, the result is about deploying more secure applications into production, delivering fewer vulnerabilities for potential compromise, and the ability to quickly fix security issues before they can be compromised.
Chris Carlson, Vice President of
Product Management, Qualys
ADM: Is DevSecOps new and how does it apply to software development?Chris:
DevSecOps is not new to leading organizations and industries that realize the value of secure applications and environments to their organization and customers, having started with early adopter companies in industries such as financial services, technology, e-commerce, and cloud computing providers. More and more industries and organizations within those first industries are adopting DevSecOps methodologies
. Some implementations start out grassroots, bottom up, one project at a time. Other implementations have executive management support from the top who drive DevSecOps deep and wide across the organization. There has always been a goal to have secure software development starting with Secure Software Development Life Cycle - but as many modern applications take advantage of open source applications, libraries, components, and operating systems that are not developed by the organization implementing, it’s even more important to bring in commercial tools that are designed to assess, evaluate, and track the vulnerability and compliance posture of third-party software within the organization’s applications.
ADM: Will adding in security slow down the development, testing and release cycles?Chris:
If done right, the answer is no. Any new use of a tool or process that doesn’t seamlessly and transparently integrate into the existing processes will slow them down. Successful DevSecOps
projects are able to bring security into the DevOps processes without slowing them down. Consider a food manufacturing production line where frozen entrees are produced at 100 entrees per minute - if each entrée had to be removed from the assembly line for manual inspection for food safety issues such as metal particles in the food, this would dramatically impact the pace of the production line - instead, the manufacturer installs an automated, high-speed metal detector that can detect, alert, and discard any frozen entrée that has detected metal particles at the speed of the production line. This is the ultimate example of bringing security - in this case food safety - to a manufacturing line. The same approaches work for integrating cyber security transparently, seamlessly, and automated into the DevOps manufacturing process of software development, testing, and release cycles.
ADM: How can I implement DevSecOps and what benefits would I gain?Chris:
The first step is to assess how you currently use Time, Techniques, and Tools in your DevOps processes and how can you shift your approach to each. Shift Time such that you’re able to do new and different (better!) things earlier in the software development lifecycle such as finding and fixing the use of vulnerable third-party software before your application is released into production. Shift Techniques by automatically failing software check-ins or deploy scripts if your application contains vulnerable components. This will ensure that vulnerable applications don’t make it into production in the first place. Shift Tools such that the same tools you use to find vulnerable applications in production can be utilized in the development and test cycles
of the DevOps processes - you get the benefit of the same tools and same knowledge in how to use them without incurring additional cost by procuring point-solutions that only work in one step of the DevOps process. All in all, DevSecOps delivers reduced cost, reduced development churn, and reduced application attack surface, which delivers higher security and higher confidence to the organization.
About Chris Carlson
Chris Carlson is a Vice President of Product Management at Qualys, where he is in charge of the product definition, roadmap and strategy for the Cloud Agent Platform. During his 20+ year career in the infosec industry, Carlson has attained expertise in multiple areas, ranging from firewalls, VPNs and intrusion prevention systems to real-time event-processing, security analytics and next-generation endpoint platforms. Prior to joining Qualys, he held security architecture roles at UBS and at Booz Allen Hamilton, and product management positions at venture-funded startups and at other vendors, including Hexis Cyber Solutions, Agent Logic, Informatica and Trustwave.