Aprico consultant logo

From DevSecOps to SecDevOps: for even better, integrated security

Integration, integration, integration. From now on, IT and business teams need to be aligned, meaning they need to work closely together. That is the true cost of agility. If the DevSecOps concept was to design integrated security, why not choose security that is not only integrated in both operations and development, but that is at the very foundation of any initiative?

As we mentioned in a previous blog post, security can no longer be considered as a stand-alone responsibility, entrusted to a specific team, even ultra-specialized, at the end of the design process. In fact, security has become a shared responsibility and is integrated end-to-end throughout the entire development cycle. Hence the concept of DevSecOps: designed to integrate application and infrastructure security early in the process and to automate the workflow between the different stakeholders as much as possible. It is clear that the agility that is necessary for the digital transformation of a company requires a closer collaboration between specialists in networks, security, infrastructure, storage and development, far away from the silos that are still all too present at a lot of organizations.

Security first
In a DevSecOps approach, the security team is responsible for testing the product before it goes into production. Any flaws that are found, are fed back to the development team, allowing it to take a closer look and solve the problems. In this scenario, security specialists are often perceived as ‘troublemakers’ and as a cost center, as they may delay the deployment of a product. Because security is an extremely complex matter, security experts tend to be only in contact with each other. They often are reluctant to communicate outside of their department, as they feel the inevitable mistrust that is surrounding the security team. Because after all, their tools are extremely sophisticated and thus inaccessible to other IT profiles. In other words, it comes as no surprise that ‘Sec’ often follows behind ‘Dev’ and comes before ‘Ops’.

Sure, the rise of technologies and concepts such as cloud, containers and micro-services, as well as agile development and mixed teams with business and IT profiles, should pave the way towards truly integrated DevSecOps. But the reality is often quite different.

In fact, security checks, guidelines, coding standards and policies need to be fully integrated into the software development process. To achieve this goal, security needs to be considered as an integral part of the process: ‘Sec’ comes first, then ‘Dev’, then ‘Ops’. That approach allows the security team – if necessary in collaboration with an architect or senior developer – to define the policies at the very beginning of the project. These policies may include secure coding standards, rules to avoid unsafe encryption and APIs, instructions for the use of static or dynamic analysis, testing guidelines, and so on. The goal is to make sure that developers produce secure code for their everyday tasks and to automate operations as much as possible.

From theory to practice
It seems inevitable that this type of security – designed from the onset – puts additional constraints on developers. But the integrated and incremental SecDevOps approach allows for tracking vulnerabilities more effectively, compared to the traditional security audit at the end of the development process.

Of course, security is often still seen as an add-on or a simple control process before going live with an application. And yes, sometimes it is difficult to correct errors while the product is still under development. But it is important to see security as a step in the developer’s daily workflow. It must be integrated into the software development process.

To successfully complete a SecDevOps approach, three elements have to be combined. First of all, the processes. It is important to formalize the development and deployment processes within a framework of strictly defined responsibilities. Secondly, the tools. They must be shared by all stakeholders and be part of a continuous integration platform. And finally, the people. Development, security and production teams must share common goals. Do not neglect the cultural differences between the IT profiles of the teams and make sure that the general management backs the project and ensures regular monitoring, ideally based on specific metrics.

Aprico helps companies innovate and rethink their business processes by putting security at the center of their strategic thinking. We share best practices, technologies and organizational models that allow organizations to open up to the outside world and share information securely. More information: marketing@aprico-consult.com