What is DevSecOps?
DevSecOps is a variation of DevOps that injects security evaluations into all stages of software development and operations. This approach to building and supporting software promotes collaboration among the different teams that create, secure, and maintain applications. With DevSecOps, security concerns are consistently assessed and addressed as applications are created, deployed, and updated. This idea is illustrated in the image below.
What Problems Does DevSecOps Solve?
The idea of DevSecOps arose in response to the problems that some organizations were seeing in their initial implementation of DevOps practices. Organizations originally adopted DevOps, which emphasizes ongoing collaboration between development and operations teams, as a strategy to speed up their software-development cycles and improve product quality.
But a key limitation of early DevOps efforts was that they often did not prioritize security as a concern, a mindset that was a continuation of a pre-DevOps approach. In these first days of DevOps, application security was usually still evaluated—as it had always been—only at the end of the initial development process. Just before deployment, a separate security specialist or team of specialists was brought in to “secure the software,” almost as an afterthought.
- Problems with leaving security to the end
DevOps teams who evaluated application security only after development soon discovered that this process design was inherently flawed. First, when teams did discover security weaknesses they wanted to fix, doing so typically required reworking more code than would have been necessary had the vulnerabilities been discovered earlier. But worse yet, within this framework, budgetary and deadline pressures naturally induced teams to consider security in a superficial or cursory manner. And with only a single security check before deployment, application vulnerabilities were more likely to go undiscovered, leaving customers or the organization itself open to threats.
- Problems in a new security landscape
These built-in challenges of addressing security vulnerabilities late in the process were also compounded by changes in the surrounding security landscape. To begin with, security threats grew more prevalent and sophisticated. But software environments also became more complex and, as a result, created a larger attack surface for these growing threats. For example, since the 2000s, organizations began moving applications from on-site data centers to public, hybrid, and multi-cloud environments. On top of this cloud migration, development teams started embracing a growing number of coding languages and open-source libraries drawn from various sources. All these changes served to increase the number of attack vectors for malware, making the traditional “security as afterthought” approach riskier than ever.
Additionally, regulations such as the General Data Protection Regulation (GDPR) in Europe or the Health Insurance Portability and Accountability Act (HIPAA) in the United States brought renewed and increased emphasis on safeguarding data—along with specific requirements for compliance.
Overall, this new security context led organizations to realize that they needed to prioritize application security in every stage of the development process, in coordination with DevOps practices.
How Does DevSecOps Solve These Problems?
DevSecOps offers organizations a stronger approach to addressing modern security challenges in software development. DevSecOps helps teams create more secure software essentially by “shifting security left,” that is, by incorporating the first security checks early and continuing them throughout the development lifecycle. With DevSecOps, security is ideally evaluated during the planning stage and then again in every subsequent phase, including coding, deployment, and post-release operations (continuous monitoring and updating). This merging of security checks into existing Dev and Ops workflows is achieved through a combination of automation and more fundamental cultural changes.
Automation in DevSecOps
Automation is an important tool that helps teams meet the goals of DevSecOps, with continuous integration/continuous delivery (CI/CD) playing a particularly key role. Through CI/CD, teams can configure various jobs to run automatically in predefined pipelines (sequences) when code is submitted to an application repository such as GitHub, GitLab, or Bitbucket. The DevSecOps approach normally includes automated security tests in these CI/CD pipelines, which ensures that each code update undergoes some degree of security screening. These automated security tests each perform different types of scans, and they can be created manually by the DevSecOps team or obtained from third-party sources.
The following are some examples of the types of automated security tests that teams can add to their CI/CD pipelines:
- Static application security testing (SAST) tools scan source code or binaries before the application runs. These types of tests attempt to identify code-level vulnerabilities to various security threats, such as buffer overflows, SQL injection, and cross-site scripting (XSS).
- Software composition analysis (SCA) tools scan for instances of open-source code and components that were used in development. SCA tools then review the open-source code for potential licensing issues or known vulnerabilities.
- Interactive application security testing (IAST) tools are useful for analyzing the behavior of web applications. IAST relies on code instrumentation to monitor an application in its running state and to detect vulnerabilities in real time.
- Dynamic application security testing (DAST) tools also test applications as they are running, but from the outside perspective of an attacker. DAST essentially simulates known attack methods such as cross-site scripting (XSS) and SQL injection to determine whether a running application is susceptible to them.
Note that these types of security tests aren’t necessarily automated, and teams can perform them outside of CI/CD pipelines as well as inside them. However, teams that embrace a DevSecOps methodology to develop and maintain their software can use CI/CD pipelines to automate these tests and approach their larger security goals. Through automation, teams can improve application security by implementing mandatory checks throughout the software lifecycle—including early in that lifecycle, when problems are often easier and cheaper to fix.
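As an added illustration (not code from the original page, from Datadog, or from any SCA vendor), the Python script below sketches the kind of software composition check a team might wire into a CI/CD pipeline as a mandatory gate: it parses a pinned dependency manifest, matches each pin against an advisory list, and fails the job on high or critical findings unless an explicitly accepted exception exists. The manifest, the advisory entries, and their EXAMPLE-* identifiers are all constructed for this example.

```python
import re

# Constructed advisory feed (not real advisories); a pin is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.31.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0.0.0", "fixed": "5.4", "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "jinja2", "introduced": "0.0.0", "fixed": "3.1.3", "severity": "medium"},
]

# Constructed pinned manifest in requirements.txt style (comments and blank lines are ignored).
MANIFEST = """\
requests==2.28.1
PyYAML==6.0
Jinja2==3.1.2
# dev tooling
flake8==6.0.0
"""

BLOCKING_SEVERITIES = {"critical", "high"}  # policy: findings at these levels fail the pipeline

def parse_version(text):
    """Turn a dotted numeric version into a tuple so that it compares numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def parse_manifest(manifest):
    """Yield (normalized package name, pinned version) for each 'name==version' line."""
    for line in manifest.splitlines():
        match = re.match(r"^\s*([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)\s*$", line)
        if match:  # comments and blank lines simply do not match
            yield match.group(1).lower(), match.group(2)

def scan_manifest(manifest, advisories):
    """Return every advisory whose affected range contains a pinned version from the manifest."""
    findings = []
    for name, version in parse_manifest(manifest):
        pinned = parse_version(version)
        for adv in advisories:
            if adv["package"] == name and parse_version(adv["introduced"]) <= pinned < parse_version(adv["fixed"]):
                findings.append({**adv, "version": version})
    return findings

def gate(findings, accepted=frozenset()):
    """Pipeline gate: pass only when no blocking finding remains unaccepted; returns (passed, blocking ids)."""
    blocking = sorted(f["id"] for f in findings
                      if f["severity"] in BLOCKING_SEVERITIES and f["id"] not in accepted)
    return not blocking, blocking

if __name__ == "__main__":
    passed, blocked = gate(scan_manifest(MANIFEST, ADVISORIES))
    print("PASS" if passed else "FAIL: " + ", ".join(blocked))
```

With the constructed inputs, the requests pin is flagged as high and the Jinja2 pin as medium, so the gate fails until the high finding is fixed or recorded as an accepted exception.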
DevSecOps, to achieve its goals, ultimately requires a fundamental cultural shift. It requires Dev and Ops teams to open the door to security experts and include them in communications and meetings as applications are designed, created, and updated. By embracing security expertise in an ongoing way, organizations can operate collaboratively with a unified culture and mindset that places security on equal footing with development and operations.
What Are The Benefits of DevSecOps?
By integrating security all throughout the software development process, DevSecOps can provide the following benefits:
- More secure software development. Teams that incorporate frequent security evaluations into their development workflows reduce the risk of seeing vulnerabilities make it to production.
- Continuous security testing and monitoring. In the DevSecOps methodology, application security is constantly tested and monitored as the software is created, operated, and updated. This ongoing evaluation allows security issues to be identified and resolved more quickly not only when software is being developed, but also after it is deployed.
- Improved collaboration and communication. DevSecOps brings together development, security, and operations teams, improving collaboration and communication among these teams and promoting better problem-solving and overall effectiveness.
- Better visibility and control. Through its built-in security evaluations, DevSecOps gives teams better visibility into an application’s security strengths and weaknesses, which in turn helps them better calculate security risks.
- Compliance. By integrating security into the development process, DevSecOps can help organizations meet regulatory compliance requirements and reduce the risk of non-compliance penalties.
What are the challenges of adopting DevSecOps?
DevSecOps is as much a cultural solution as a technological one. It can’t be imposed purely from a management perspective, especially in environments with a strong history of siloed teams. Companies that are new to DevSecOps need to change their view of security testing from that of a discrete stage to something integral to the entire development process. Each individual contributor needs to develop a security mindset and be amenable to open communication, including constructive criticism and suggestions. This transition can be difficult and time-consuming for teams that are resistant to change.
Additionally, existing teams might not have the skills needed to implement the required changes for DevSecOps. For example, suppose an organization wants security experts to regularly review code at various milestones during application development. If an organization does not yet have these security experts on staff, it will need to commit significant resources to train existing developers or recruit the needed specialists.
Monitoring Tools and DevSecOps
Organizations that embrace DevSecOps practices require tools that ensure visibility into security throughout all stages of software development and delivery. In particular, a unified platform that consolidates and integrates security data alongside other performance data can establish a single source of truth for teams to work together to detect and address system vulnerabilities.
Datadog offers a unified platform for DevSecOps, breaking down silos between DevOps and Security teams to enable collaboration and strengthen security via a centralized view of all relevant data. For more information about Datadog Security products and features, see Datadog Security.