Analysis of the advantages and challenges in the implementation of DevSecOps

DevSecOps integrates security into every stage of the DevOps pipeline, it unifies development activities, operational support, and security checks, and coordinates the teams involved in the software development life cycle (SDLC). Its automation facilitates collaboration between teams effect.

But DevSecOps is not a quick fix or a temporary solution, but a long-term implementation process that helps organizations achieve and maintain a secure SDLC. It requires development teams to follow a standard SDLC process to identify and resolve issues early in the process.

In the DevSecOps paradigm, developers maintain versions of their code and follow a peer review process before they can be moved to other environments. Having a separate team responsible for the development, testing, deployment, etc. won’t work because no one person or team has complete control over how updates are made in the code/environment.

The operations team supports the entire development process, including maintaining and updating the operating environment, defining and implementing deployment processes, and documenting every detail of the DevSecOps process. Security teams can identify and eliminate any vulnerabilities, and once the vulnerabilities reach production, the DevSecOps process makes it clear when and how to find them. In traditional coding, the process of deploying an application into production begins with changes to the code, but in DevSecOps, builds, tests, and security scans start early. They are complemented by other activities, such as design reviews and post-production Production monitoring.

Can DevSecOps be performed with one tool?

Many tools provide various combinations of types and services, but none of them can provide a DevSecOps process. Some vendors that offer static application security testing (SAST) tools are now adding software composition analysis tools (SCA), but DevSecOps is more than just performing scans.

It’s also important to note that no one tool fits all environments, and often no one tool fits all companies. In addition to application testing tools, DevSecOps processes require reporting tools, defect tracking/management tools, environment building tools, and more. Not only that but the security, build, and metric collection activities are not limited to the tools available in the market. Even scripts (Shell, PowerShell, Python, etc.) provide various functions.

How does DevSecOps help security teams?

In DevSecOps, any changes to code trigger activities such as SAST or Dynamic Application Security Testing (DAST) reviews, architecture reviews, etc., which in turn trigger scans, which generate corresponding metrics or reports. These activities can be completed in just minutes or even seconds, and security teams can further consider scaling up in this fast-response condition.

Security teams often lack resources, but they still have a responsibility to prevent bad actors from exploiting vulnerabilities. As development teams move toward a more diverse, multi-pronged agile approach, the DevSecOps process helps security teams share responsibility for building security into CI/CD workflows with everyone involved in the SDLC process. Introducing security testing earlier in the SDLC allows developers to address security issues in their code in real-time, avoiding costly delays.

What are the benefits of DevSecOps?

DevSecOps enables organizations to get many jobs done quickly, speeding up, reducing latency, and achieving its greatest advantages in scalability. Because organizational teams are spread across many different regions, organizations need processes and frameworks that facilitate collaboration while reducing dependencies to help teams achieve their goals.

Often, different teams work in separate silos, and these fragmented environments make it difficult to ensure consistency while still giving each team the independence their processes require. If teams can’t change their entire development process, how can they align on goals?

DevSecOps can solve these problems, no matter how mature or fragmented the security level of an organization, DevSecOps can initiate and implement security activities and adapt to different functional teams.

“Security is not the responsibility of one person, it’s everyone’s responsibility.” DevSecOps engages everyone in the process and practices of ensuring security. Developers, application managers, operations teams, security teams, reviewers, and testers can all play an important role.

What are the pillars of DevSecOps?

Acceleration:

A fast-paced world requires fast-paced solutions, and DevSecOps eliminates manual steps and dependencies so the entire process can be completed faster.

The power of acceleration in DevSecOps, for example, is seen in the case of a company that received a request to scan 30 microservices two days before production. By leveraging automation, the team can complete this request within two hours. Consider this: Secure 30 new microservices on two tools, run scans, evaluate them, and triage the scan results, all in under two hours.

It usually takes less than a week to pass through the entire SDLC, so there is very little time to deal with the security process. As a result, many security tools today have improved the speed at which they run, and many provide the ability to customize scans, so organizations can choose which checks to run, further optimizing the required scanning practices.

Scalability:

One of the reasons DevSecOps is so popular is: It allows security teams to scale within limited bandwidth. Even with a limited security team, the automation inherent in DevSecOps is critical to a company’s ability to support many applications. For example, a team of four was tasked with conducting a SAST review, but since it was done manually, it could only support 200 applications. However, through automation and security integrations, the team was able to scale up to 700+ applications and provide support for each of them in a matter of months.

Flexibility:

Organizations may want to transition from one tool to another, sometimes involving 1000s or more applications, does that sound possible? In DevSecOps, jobs are run through a common library of scripts, and because these scripts are shared across all jobs, organizations can easily transition from one tool to another. Updating a common set of instructions with new tasks or replacing existing tasks makes it easy to propagate changes across all applications without having to make changes in every job.

Traceability

In DevSecOps, processes are interconnected and automated, so it’s easy to see if changes are causing problems. This level of traceability makes it easier for people to take responsibility for issues. It also encourages developers to be more careful when writing secure code to prevent pipeline breaks, and projects can also be set up to send emails to the entire development team at specific milestones, such as when work is done, the right team meets or doesn’t meet security Require. When a scan is triggered, the email can specify who checked in or created the changes that triggered the scan.

How can organizations take advantage of automation?

Automation can be used to trigger builds, scans, deployments, assessments, and approvals. When these tasks are automated, security teams can focus on other important activities. For example, if an organization has 700 applications, it will be difficult for a four-person security team to manually monitor regular releases, but leveraging automation can greatly reduce the workload.

As mentioned earlier, organizations often have teams spread across several different time zones. Security teams don’t have the budget and bandwidth to support all these time zones, but DevSecOps can help by providing portals through which developers can run on-demand scans of local tools. DevSecOps can also help by implementing standardization that makes the process clear and understandable for everyone. Standardization also makes it easier to scale the process and make updates and additions as needed.

What are the challenges to implementing DevSecOps?

Every organization must prioritize its activities, and DevSecOps may not be a top priority for every organization. In some cases, organizations may not be able to integrate security into their DevOps processes because they rely on changes to certain environments and scripts. Or, due to other priorities, the team may not have the capacity to make these changes.

Teams often support legacy applications because they have no plans to transition them at all. Some security tools cannot be easily or automatically integrated with other tools. For example: until recently there was no CI plugin for Burp, so integrating Burp scanning into the automation process was not easy.

Another problem with legacy applications is that they are critical to functionality, but since they were written so long ago, no one can or wants to make changes. It doesn’t make sense to allocate resources to automate such applications. However, security teams still have to scan these apps regularly (especially when updating how they test). Therefore, they need to adapt to a standardized testing process.

How can an organization start DevSecOps?

Implementing DevSecOps requires patience and tenacity, and any DevSecOps implementation will take at least a year. There will be a lot of planning and design involved before you start setting up the solution. Organizations must first identify gaps in current processes and then identify the tools needed to support the implemented processes. Organizations will need to coordinate with various teams to gain buy-in and instruct them to implement the required changes, which can take a significant amount of time.

Making changes to a process affects all people involved in the process and all applications following the process. If all applications are scanned using a common set of libraries, any change in these libraries will affect all applications unless specific conditions are set.

Adding new applications to this process can take a long time. Enabling .Net applications usually takes more time because they have to be built correctly. Visual Studio tends to hide many build errors and provide dependencies at runtime. This is not the case for MSBuild. If the application team uses Visual Studio to build the application and check in the application, the automated process using the MSBuild command line may fail for several reasons; wrong directory structure, missing dependencies, incorrect dependencies, etc.) interrupt.

Sometimes the CI tool itself is not up to the job, and organizations often use Jenkins to start their CI process. However, the number of bugs in Jenkins and its plugins can be staggering and could lead to messy workarounds. And many plugins on Jenkins are not maintained and supported. Of course, that’s not to say it’s bad, it’s still very useful, and it’s worth noting that while there are other CI tools on the market, they also have limitations.

Also, tools don’t always have the maturity to do all the required functionality. Every tool has its limitations, especially when it comes to automation. For example, Jenkins may not allow conditional parameterization, and there may be plugins that provide a workaround, but no actual requirement.

Of course, the biggest challenge any security team has to deal with is false positives. Without properly customizing security tools, organizations can receive a high number of false positives. Organizations need to be vigilant in customizing tools for the application, language, technology, or framework used to narrow the results.

Despite the many challenges of implementing DevSecOps, there are many advantages. Most importantly, it can help address the ever-increasing shortage of resources in security teams, and DevSecOps allows teams to work more efficiently and adapt to new and expanding environments.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store