Needless to say, the DevOps movement evolved to enhance collaboration between development and operations teams and to overcome the continuous destructive tension between them: development strives to push changes to production fast, while operations focuses on production stability. By focusing on creating value for the customer, removing any activity that adds no value to the customer (waste)[1], and ensuring a continuous flow of work from ideation to operation (the pipeline), DevOps was globally perceived as an undoubted success story.
In parallel, cybersecurity has been evolving rapidly to face the increasing volume and complexity of cybersecurity attacks. It has grown dramatically to cover different areas, including Security Threat Modeling, Security Requirements and Design, Security Scanning and Testing, Security Infrastructure, and Security Monitoring and Protection. However, this introduced a considerable amount of activities and due diligence, which affects organizations' ability to keep a fast flow to production.
Fortunately, DevSecOps, interchangeably called Continuous Security, evolved as a practice to integrate both worlds and to keep the flow continuous. DevSecOps ensures that security is an integral part of the application development life cycle. It looks for weaknesses and provides remediation actions as part of the deployment pipeline, rather than waiting for the organization to fall victim to an attacker, or at least waiting for security audit reports. In other words, DevSecOps strives to detect anomalies that nobody has detected yet.
With time, DevSecOps experts came up with their own set of values, the DevSecOps values:
- Leaning in over Always Saying “No”
- Data & Security Science over Fear, Uncertainty and Doubt
- Open Contribution & Collaboration over Security-Only Requirements
- Consumable Security Services with APIs over Mandated Security Controls & Paperwork
- Business Driven Security Scores over Rubber Stamp Security
- Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
- 24×7 Proactive Security Monitoring over Reacting after being Informed of an Incident
- Shared Threat Intelligence over Keeping Info to Ourselves
- Compliance Operations over Clipboards & Checklists
On the implementation side, DevSecOps is mainly achieved by embedding Security as Code and “shifting left” with continuous security testing throughout the deployment pipeline: starting with code-level scanning by the developer, followed by systematic security testing in all stages of the pipeline, and supported by around-the-clock monitoring in production.
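As an added illustration (not from the original article) of what this layering looks like as code, the following GitHub Actions workflow places a security check at each pipeline stage: code-level SAST and secret scanning on every commit, dependency and image scanning of the built artefact, and dynamic testing against staging. The scanner actions and images named are the real upstream ones, but the pinned versions, the `./scripts/deploy.sh` script and the staging URL are assumptions for this example.

```yaml
# Added example: one workflow that "shifts left" by gating each stage on a
# security test. Versions, deploy script and staging URL are illustrative.
name: continuous-security
on: [push, pull_request]

jobs:
  # Stage 1: code-level scanning on every commit, before anything is built.
  code-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so secret scanning sees every commit
      - name: Static analysis (SAST); --error fails the job on any finding
        run: pip install semgrep && semgrep scan --config auto --error
      - name: Secrets committed to the repository
        uses: gitleaks/gitleaks-action@v2
        env: { GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" }

  # Stage 2: build the artefact and test its dependencies and base image (SCA).
  build-and-scan:
    needs: code-scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - name: Vulnerability scan of the image; only fixable HIGH/CRITICAL block
        uses: aquasecurity/trivy-action@0.28.0   # assumed version
        with:
          scan-type: image
          image-ref: app:${{ github.sha }}
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

  # Stage 3: dynamic testing (DAST) against the running staging deployment.
  dast-staging:
    needs: build-and-scan
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging (project-specific script, assumed)
        run: ./scripts/deploy.sh staging
      - name: OWASP ZAP baseline scan of the staging URL (assumed host)
        run: >
          docker run --rm -t ghcr.io/zaproxy/zaproxy:stable
          zap-baseline.py -t https://staging.example.test
  # Stage 4, around-the-clock production monitoring, lives outside the
  # pipeline (SIEM/alerting) and is not expressed in this workflow.
```

Each job fails fast on findings above its threshold, so a finding blocks the next stage rather than surfacing in a later audit.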
Fortunately, DevSecOps practices have proved effective and practical and, without doubt, have contributed to replacing continuous frustration with continuous security and deployment.
[1] Though lean thinking is at the core of the DevOps movement, it is also supported by other theories and principles, including the Theory of Constraints, Systems Thinking and ITSM.