DevSecOps is an easy term to toss around. But what does it mean, exactly? What actually goes into an effective DevSecOps strategy? And how do cloud and DevOps impact DevSecOps processes? To find out, I participated in a conversation with Merritt Baer, principal in the AWS Office of the CISO, to discuss the best ways to automate DevSecOps and how it can be optimized over time. In our conversation, we came up with some important takeaways regarding how DevSecOps works, how it helps manage vulnerabilities, and practical ways to put DevSecOps into practice.
What Does DevSecOps Mean?
At a high level, DevSecOps is easy enough to define. It’s an emerging approach which pairs Developers with Security Engineers so that they are more involved with one another in order to build automated security into existing processes. Ideally, DevSecOps would span from the earliest stages of development to actual runtime and would, after that, be a persistent practice.
So, it’s not a solution you can simply go out and buy, despite what some vendors might like you to believe. Instead, as we discuss, DevSecOps hinges on multiple components and disciplines including:
- Organizational: The way you adapt your organizational structure to fit DevSecOps. How do you ensure that engineers with security expertise work alongside the rest of your cloud DevOps team?
- Processes: The specific processes you use to ensure security across dev and ops.
- Architectural strategies: The way you build security into your software architectures.
To make DevSecOps work in practice, businesses need to bring these three elements together, ensuring they have the people, tools, and architecture necessary to integrate security into DevOps. By doing this, you’re integrating security deeply into the fabric of how an application is created and run from the start.
In our discussion, Merritt brought up the ability to shift security processes both “left” and “right” – in other words, to extend security into both the early and late stages of the CI/CD pipeline – is also critical in making DevSecOps work in practice. We also look into how automation is the only way to achieve this to scale.
DevSecOps Processes for the Cloud DevOps Era
A key factor that sets successful DevSecOps teams apart is recognizing that vulnerabilities are ultimately unavoidable. However, you can’t just shut your app down whenever a vulnerability is uncovered. In our conversation we chat about mitigation, remediation, and version updates, and the best approach to formulating the right list of the most important fixes.
Tactics like establishing security controls that limit the number of resources affected by an attack and quickly rolling back to previous releases of an insecure application helps limit the number of users impacted by a vulnerability.
Another technique is to avoid absolute gates, strict and inflexible policies or controls which can frustrate developers and stifle innovation – exactly the opposite of what organizations should be striving to achieve in a fast-moving cloud DevOps world.
Lessons on DevSecOps Process from AWS
As you might expect for an organization as large and dynamic as AWS, automation is key. Manual tasks are the bane of DevSecOps not just because they’re inefficient, but because they burn employees out. Furthermore, manual is pretty impossible to scale. Engineers don’t want to be doing stuff that computers can do. Instead, AWS seeks to automate as many security processes and controls as possible.
Part of their automation strategy involves turning every security issue into a ticket, which can be automatically acknowledged – and, in some cases, remediated – by software tools. This approach significantly reduces the physical work and mindlessness behind DevSecOps at AWS. To learn More About DevSecOps Mastery we invite you to visit our page about DevOps Security: Challenges on the Road to DevSecOps