Product Security & DevSecOps – Security-by-design


Layers & extent of product security function and integrating security in rapid deployment cycle

For as long as software has been developed, the security of the product has been treated as an afterthought. In most software products, security controls were added only after a vulnerability had been discovered and demonstrated, or was already being exploited in the wild. The prevalent development models (waterfall, prototyping, spiral development and so on) did not treat security as a requirement at any stage, and developers often avoided implementing security controls because they perceived security as a hindrance to their creativity. The growing number of cyber-attacks demonstrated the cost of leaving security until last, and compelled vendors to integrate security considerations into the product development phase itself.

In 2008, Andrew Clay Shafer and Patrick Debois laid the groundwork for what became DevOps while discussing Agile Infrastructure at the Agile 2008 conference. DevOps refers to a set of practices that emphasize collaboration between the development and operations teams. The intent behind this collaboration is to establish a culture and environment in which building, testing and releasing software happens rapidly, frequently and more reliably. DevOps has boosted the adoption of rapid software development models such as Rapid Application Development and Agile. A more recent trend has been to include a third element, information security, in DevOps. This has created a new set of practices known as DevSecOps.

The primary aim of DevSecOps is to make security everyone's responsibility. Not only is the information security team involved at each stage of software development; developers too work in a security-conscious manner. They are trained in practices such as vulnerability identification, code analysis and secure coding, so that security is integrated into the design of the application rather than bolted on afterwards. Automated scanning in the build pipeline, code analysis as code is written, and scanning of the deployed target are key characteristics of DevSecOps.

Following a DevSecOps strategy for software product development enables organizations to balance security, functionality and time to market. It allows them to be more customer-oriented and to ship customer-requested features faster than their competitors. Scalability of security is another advantage: because security checks are automated and run with every change, they keep pace with the rate of development instead of depending on a manual review before each release. In DevSecOps, information security no longer acts as a gatekeeper at the end of the cycle.

Implementing DevSecOps in an organization requires a cultural change, and it cannot happen instantly. The personnel responsible for development and operations have to be trained in security practices, and the security team needs to understand how the development and operations teams work. The traditional approach of working in silos no longer works. In practice this means introducing automated tooling to scan source code, integrating security tools into the platforms the teams already use, and ultimately empowering everyone in the organization to recognize that security is their responsibility.
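The automated source-code scanning and tool integration described above usually take the concrete form of a security gate in the build pipeline: the scanner runs on every change, and a small policy step decides whether the build may proceed. The following is an added example written for this page (it is not code from the original post or from DSCI) of such a gate in Python. It reads scanner output in a minimal subset of SARIF 2.1.0, the OASIS interchange format that most static-analysis tools can emit, so the gate does not depend on any one tool. It fails the build on findings at or above a chosen severity, honours triaged suppressions only until their review date, and reports expired suppressions as blocking again so that accepted risks are re-examined rather than living forever. The SARIF document, rule ids, file paths and suppression list are all constructed for the example.

```python
"""Security gate for a CI pipeline (added example, not from the original post).

Reads static-analysis results in a minimal SARIF 2.1.0 subset, applies a
severity policy plus time-limited triaged suppressions, and decides whether
the build may proceed. All sample data below is constructed.
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# SARIF result levels, ranked from most to least severe.
LEVEL_RANK = {"error": 3, "warning": 2, "note": 1, "none": 0}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int

    def fingerprint(self) -> str:
        """Stable key used to match a finding against a triage decision."""
        return f"{self.rule_id}:{self.uri}:{self.line}"


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)    # findings that fail the build
    suppressed: list = field(default_factory=list)  # accepted risk, still within its review date
    expired: list = field(default_factory=list)     # accepted risk whose review date has passed


def parse_sarif(text: str) -> list:
    """Extract findings from runs[].results[] of a SARIF document."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            phys = locations[0].get("physicalLocation", {})
            uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            findings.append(Finding(result.get("ruleId", "<no-rule>"),
                                    result.get("level", "warning"), uri, line))
    return findings


def evaluate(findings, fail_level="error", suppressions=None, today=None) -> GateResult:
    """Block on any finding at or above fail_level that has no unexpired suppression.

    `suppressions` maps a finding fingerprint to the ISO date until which the
    risk is accepted. `today` is an ISO date string; it defaults to the real date
    and is a parameter only so the decision can be reproduced and tested.
    """
    threshold = LEVEL_RANK[fail_level]
    current = date.fromisoformat(today) if today else date.today()
    suppressions = suppressions or {}
    result = GateResult(passed=True)
    for f in findings:
        if LEVEL_RANK.get(f.level, LEVEL_RANK["warning"]) < threshold:
            continue  # below the policy threshold: reported, but does not gate the build
        expiry = suppressions.get(f.fingerprint())
        if expiry is not None:
            if date.fromisoformat(expiry) >= current:
                result.suppressed.append(f)
                continue
            result.expired.append(f)  # accepted once, but the review date has passed
        result.blocking.append(f)
    result.passed = not result.blocking
    return result


def _result(rule, level, uri, line):
    """Build one SARIF result object (constructed sample data)."""
    return {"ruleId": rule, "level": level, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


# Constructed scanner output; rule ids and paths are hypothetical.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    _result("hardcoded-secret", "error", "src/config.py", 12),
    _result("sql-injection", "error", "src/db.py", 40),
    _result("weak-hash", "warning", "src/crypto.py", 7),
    _result("path-traversal", "error", "src/files.py", 88),
]}]})

# Constructed triage decisions: fingerprint -> date until which the risk is accepted.
SUPPRESSIONS = {
    "sql-injection:src/db.py:40": "2099-12-31",      # query is parameterised; scanner false positive
    "path-traversal:src/files.py:88": "2020-01-01",  # accepted once; review date long passed
}


def main() -> int:
    # Fixed date so the example is reproducible; a real pipeline would use today's date.
    result = evaluate(parse_sarif(SAMPLE_SARIF), "error", SUPPRESSIONS, today="2024-06-01")
    for f in result.blocking:
        tag = " (suppression expired)" if f in result.expired else ""
        print(f"BLOCK  {f.level:8} {f.rule_id} {f.uri}:{f.line}{tag}")
    for f in result.suppressed:
        print(f"ACCEPT {f.rule_id} {f.uri}:{f.line} until {SUPPRESSIONS[f.fingerprint()]}")
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit code is what stops the deployment; the printed report is what the developer sees in the build log. Keeping suppressions in the repository with an expiry date turns each accepted risk into a decision that must be renewed, which is the part of a scanning gate that teams most often leave out.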

The fusion of agile development, operations and security engineering into a holistic methodology for software security engineering helps address today's security challenges and produce robust, secure applications. Companies providing cloud-based services, IoT devices and similar products are adopting a DevSecOps strategy to build quality products that meet customer expectations and are released faster than was possible with traditional approaches.

The 9th DSCI Best Practices Meet features an intensive workshop on DevSecOps that discusses the subject in depth. Join us to build security-by-design into your products. Grab your passes now! https://www.dsci.in/BPM2017/