Friday 27 January 2017

DevSecOps Putting Security at the Heart of DevOps

DevSecOps RSA Conference 2017 in San Francisco and DevSecCon in Singapore will both take place in February, and point to the trend toward merging DevOps and security, a combination called DevSecOps.

DevSecOps - the combination of DevOps and Security (or SecOps) - is a new trend making its presence known across the internet, industry and conferences.  With DevSecOps RSA Conference 2017 in San Francisco and DevSecCon in Singapore coming up in February 2017, we take a closer look at this new trend.

DevSecOps puts security squarely in the middle of DevOps.  Security is no longer treated as an afterthought, or as a one-time review at the end of a traditional or waterfall project.  So what is DevSecOps?

DevSecOps.org says that “The mindset established by DevSecOps lends itself to a cooperative system whereby business operators are supplied with tools and processes that help with security decision making along with security staff that enable use and tuning for these tools.”  

The DevSecOps Manifesto lists the following values:

  • Leaning in over always saying “no”
  • Data & security science over fear, uncertainty and doubt
  • Open contribution & collaboration over security-only requirements
  • Consumable security services with APIs over mandated security controls & paperwork
  • Business driven security scores over rubber stamp security
  • Red & blue team exploit testing over relying on scans & theoretical vulnerabilities
  • 24x7 proactive security monitoring over reacting after being informed of an incident
  • Shared threat intelligence over keeping info to ourselves
  • Compliance operations over clipboards & checklists

Shannon Lietz of DevSecOps.org also offers five foundational principles of DevSecOps:

  1. Customer focused mindset
  2. Scale, scale, scale
  3. Objective criteria
  4. Proactive hunting
  5. Continuous detection and response

Are practitioners and voices across the internet and social media supportive of DevSecOps?  Here are some of the opinions about DevSecOps:

According to TripWire.com contributor Tim Prendergast, security professionals are now viewed more as peers than simply as approvers at the end of a project.  This gives security professionals a seat at the table, so that teams can address security more proactively.

CSOOnline looks at the variations of DevSecOps found in the wild: SecDevOps and DevOpsSec.  Jamie Tischart of CSOOnline prefers the SecDevOps variation because it “puts security first”.  CSOOnline has this to say about DevSecOps:

“The last one is DevSecOps. Literally, you can expand this to completing development, then reviewing and automating for security, and then deploying and operating. This articulation hopes to catch the security concerns before they are deployed to the world but are not as incorporated into the overall process as SecDevOps. Certainly DevSecOps has the benefit of focusing on security before introducing a vulnerability to the wild, but it is not security-focused in every activity.”

TechBeacon also discusses the many names in use, adding others such as rugged DevOps.  Chris Romeo, in his TechBeacon article, describes a perceived need for a standard name:

“This gives us a hint as to the disconnect that exists within security in DevOps. It’s still the wild west. There is no standard that defines security for DevOps, and the chances of a standard ever developing are small because different organizations are doing things their own way, and can’t even agree on a standard name. And while there is a standard for the secure development lifecycle (ISO/IEC 27034-1), few organizations are ever validated against it.”

In his Sonatype blog, Derek Weeks posits that there is strong evidence that DevSecOps picked up significant momentum in 2016.  Derek points to the November 2016 Gartner release of its report on DevSecOps.  Gartner’s inclusion of DevSecOps indicates that the trend is becoming mainstream, as Gartner’s focus is on mainstream technology topics rather than early-adoption topics.

Other voices in the DevSecOps conversation range from the private sector to the open source community and its many conferences.  In the private sector, HP notes that the inclusion of security in DevOps is a hot topic.  HP also notes that the differing terminology suggests security is currently an addition to DevOps rather than an integral part of it.

In the open source community there are multiple meetups on DevSecOps, including one in Singapore and another in the US in San Diego.  The Singapore meetup description states:

“DevOps is a cultural shift for more and more organisations, bringing speed and innovation benefits that surpass other SDLC methods. But some of the principles of DevOps aren’t quite aligned with how companies of all sizes will need to incorporate and embed security into this shift. DevSecOps provides a path forward for the transformation and helps companies to shift security to the left so that everyone can take responsibility for it.”

The DevSecOps Dojo is another place on the Web for updates on what is happening in the world of DevSecOps, including article updates and a DevSecOps Twitter feed.

Several recent and upcoming conferences also show how pervasive DevSecOps has become.  DevSecOps RSA Conference 2017 has support from DevSecOps.com, Sonatype, and RSA Conference.  DevSecCon recently took place in London and will be held for the first time in Asia in February.  DevSecOps was also a featured topic at the recent 2016 IT Expo London.