Overview of Topics covered
Common fully automated DevOps workflow
Challenge: Security audits as bottlenecks in the DevOps pipeline
What are common security issues in application release pipeline
Solution: DevSecOps - Shifting Security Left
Automating security in DevOps
Summary of why DevSecOps is an important element of DevOps
[Part of full DevSecOps certification program - DevSecOps bootcamp]
Understand what DevSecOps is in 8 minutes 🤓
To understand what DevSecOps is, let's look at a common DevOps workflow, where things are streamlined, everything is automated and fast 👏
Developers check in the code and an application CI/CD pipeline starts. The changes are tested with automated tests, a new version is built and deployed to the test environment, where more automated tests will run.
If all the automated tests pass, a green light is given to the new version to be deployed ✅
So this super optimized and automated DevOps pipeline makes application delivery fast without manual effort. Great, and the new version of the application is ready to be released in production. Well, not really? 🤔
CHALLENGE without DevSecOps
Because what about security? If your application is an online banking app or a social media platform that millions of people use or e-shop with credit card information and other sensitive data, you want to make sure there are no security holes in your application. Because getting hacked and leaking sensitive data may be detrimental to your business.
So before deploying it to production via CI/CD pipeline, the security team must test the new version for any vulnerabilities and security issues:
What if the developers used a new library that has some vulnerabilities?
What if that library has special licensing requirements?
What if passwords are exposed in the code or configuration?
What if the container image has security vulnerabilities?
What if the K8s components for the application are misconfigured?
And of course these could all be things that developers themselves aren't even aware of 🤷🏻‍♂️
So the security team will run tests and analyze the code changes and look for any security issues in the application. And this may take hours or days, or if you have a complex application maybe weeks ⏰ ⚠️
The security team may find thousands of vulnerabilities and issues and send them to developers to fix in that new version. However, in the meantime, because of the efficient DevOps cycle, a couple of new versions have already been created, which are all waiting in the queue for the security audit.
So you see the problem here:
You have this super optimized DevOps process, with a fully automated CI/CD pipeline, that you built and are proud of, but right before the release the security checks and audit block the whole process, delaying the release for weeks.
Now why does the security audit take so long? 🤦‍♀️
To understand why it's a bottleneck in the process, think about how applications have evolved over the last years:
We have microservices now, instead of one monolithic application, and they expose APIs to communicate, which means a much bigger attack surface
We have tons of supporting services that microservices depend on, like databases, message brokers, service meshes, etc.
These all run in containers, which is yet another layer where security issues may arise.
And all these may run on a cloud platform, maybe on a K8s cluster
So you see that you have many layers of infrastructure, application and components which need securing.
And the security teams need to also learn and understand all these platforms and technologies to be able to identify issues.
Another problem is that many of the security tools that security professionals use and are experienced in were developed well before K8s or microservices existed. So they now need to find or create tools that work with this modern application setup.
And all that of course complicates the job of security professionals and creates the bottleneck in the application delivery process slowing down the DevOps cycle 🐌
That's why learning DevSecOps is such an important skillset of security engineers and DevOps engineers 💪
You can actually become a Certified DevSecOps engineer in just 4 months part-time study here 🎯
SOLUTION with DevSecOps concept
So how to fix the problem and solve the bottleneck?
By integrating security in the DevOps workflow, or in other words, shifting security to the left.
So instead of thinking about security after a new feature is developed, right before releasing, and solving issues in big chunks, start thinking about security right at the beginning and solve each issue right away as soon as it appears.
How would that work in practice? And how can security be infused in this DevOps process, instead of being a separate step here? So what is meant by DevSecOps exactly? 🤔
1) Well first of all, security becomes a developer responsibility too, instead of just being a responsibility of dedicated professionals.
2) And the security team itself becomes more of a facilitator and advisor to developers and operations teams, helping them understand and manage security rather than being like an external police that blocks the development speed.
So the security team will create security policies.
3) Then they'll select proper automation tools for detecting security issues, like doing security scans, code quality checks, automated security tests of the application, etc.
4) And they will train and teach developers and operations teams how to interpret the output of these tools, so that they can identify and fix the issues themselves.
Resource: [Computer Security Resource Center, DevSecOps project: https://csrc.nist.gov/projects/devsecops]
5) The developers or DevOps engineers will then integrate these DevSecOps tools in their CI/CD pipeline. And on every commit push to a feature branch or main branch, these tools will run, and they will get automated output on their application security status and what issues and vulnerabilities need to be fixed.
If there are no security issues, the pipeline will deploy and release the application.
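As an added example (not code from the article or any particular project), here is a small policy gate a DevOps engineer could run as one stage of that pipeline: it assumes each scanner's output has been normalised to the finding shape shown, applies the security team's policy, and fails the job with a readable summary so developers can fix the issues themselves. The policy values, package names, paths and CVE ids are all constructed placeholders.

```python
import json

# Security-team policy (assumed values for this example, not from any real project).
POLICY = {
    "block_severities": {"CRITICAL", "HIGH"},        # vulnerabilities that block a release
    "block_categories": {"secret", "k8s-misconfig"},  # always block, whatever the severity
    "denied_licenses": {"AGPL-3.0"},                  # licences the product may not ship with
}

# Constructed scanner output for one commit, normalised to one common finding shape.
# CVE ids are placeholders; the package names and file paths are made up for the example.
SAMPLE_REPORT = json.dumps([
    {"category": "dependency", "id": "pkg:npm/example-lib@1.2.3", "severity": "HIGH",
     "detail": "known vulnerability CVE-PLACEHOLDER-0001, patched in 1.2.4"},
    {"category": "license", "id": "pkg:pypi/copyleft-lib@2.0", "license": "AGPL-3.0",
     "detail": "copyleft licence not approved for this product"},
    {"category": "secret", "id": "config/settings.py:12", "severity": "MEDIUM",
     "detail": "hard-coded database password"},
    {"category": "image", "id": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM",
     "detail": "outdated OS package in base image"},
    {"category": "k8s-misconfig", "id": "deploy/api.yaml:securityContext",
     "severity": "MEDIUM", "detail": "container runs as privileged"},
])


def evaluate(report_json, policy=POLICY):
    """Apply the policy to a findings report; return pass/fail plus the sorted findings."""
    blocking, advisory = [], []
    for finding in json.loads(report_json):
        blocks = (
            finding["category"] in policy["block_categories"]
            or finding.get("severity") in policy["block_severities"]
            or finding.get("license") in policy["denied_licenses"]
        )
        (blocking if blocks else advisory).append(finding)
    return {"passed": not blocking, "blocking": blocking, "advisory": advisory}


def summarize(result):
    """Developer-facing pipeline log: what blocked the release and what is only advisory."""
    lines = ["SECURITY GATE PASSED" if result["passed"] else "RELEASE BLOCKED"]
    for label, key in (("must fix", "blocking"), ("advisory", "advisory")):
        for f in result[key]:
            lines.append(f"  {label}: [{f['category']}] {f['id']} - {f['detail']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT)
    print(summarize(result))
    raise SystemExit(0 if result["passed"] else 1)  # non-zero exit code fails the CI job
```

In a real pipeline the same gate would read the scanners' actual report files instead of the embedded sample, and the policy would live in version control next to the code.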
So the manual work of security engineers will be automated and integrated into the application delivery pipeline making the release process much faster 🏎️
Apart from the speed itself, also note that having security late in the process increases the risk of security issues sliding into production, and fixing security issues in production is much more expensive.
On the other hand, fixing them in the feature branch is much more efficient because of the short feedback cycle. Right after commit and push, the developer knows about the security issue they introduced and can fix it faster, without a context switch.
Resource: [Official DevSecOps manifesto: https://www.devsecops.org/]
So overall, this makes the process fast again by reducing the feedback cycle on any security issues, by infusing the security checks throughout the pipeline, instead of having it as a big task right before the release.
I hope I could make it clear for you what DevSecOps is and why companies and projects are adopting it 💡
And if you want to become a confident Senior Engineer that is irreplaceable for companies, this DevSecOps certification program will absolutely skyrocket your career 🚀 The extensive DevSecOps projects mirror actual real-life implementations with best practices, so you can easily implement them at work 😎