Securing DevOps: Defining DevOps and DevSecOps

 
David Sachdev
Ranch Hand
Posts: 75
I'm curious from Julian and the general audience:

What is your "definition" or "elevator pitch" for what is DevOps and what is DevSecOps?

Here is mine:


DevOps, and these days DevSecOps, are words that are abused almost as much as Agile. I was recently asked about the practice, and here is my elevator pitch:

"DevSecOps ensures that applications and code are well planned out from a security and infrastructure perspective. It helps to ensure that as systems are moved up the environment chain from development all the way to production, not only is the code addressed, but firewalls, network, and security concerns are handled, often prior to, but at least in concert with, deployments to the upper environments. This helps to ensure timely delivery of applications, software, and new functionality to allow the business to fully realize the potential of Agile Software Development." - David Sachdev



“DevOps helps to reduce Time to value by bringing functionality to production at an accelerated pace” (Time to value (TtV) is a business term that describes the period of time between a request for a specific value and the initial delivery of the value requested. A value is a desirable business goal; it can be a quantifiable (tangible) or abstract (intangible)) https://whatis.techtarget.com/definition/time-to-value-TtV

“DevOps is a cultural change to how we do business”
 
Julien Vehent
author
Posts: 20
In the first chapter of the book, I define DevOps as follows:

DevOps is the process of continuously improving software products through rapid release cycles, global automation of integration and delivery pipelines and close collaboration between teams. The goal of DevOps is to shorten the time and reduce the cost of transforming an idea into a product that customers use.




DevSecOps then is all about integrating security into DevOps processes rather than bolting it on top, and providing a safety net that allows the organization to innovate and become successful while protecting its customers. In the book, I call this "continuous security" and break it down into three areas (quoting chapter 1 below):


1. Test Driven Security (TDS). The first step of a security program is to define, implement and test security controls. TDS covers simple controls like the standard configuration of a Linux server, or the security headers web applications must implement. A great deal of security can be obtained by consistently implementing basic controls, and relentlessly testing those controls for accuracy. In good DevOps, manual testing should be the exception, not the rule. Security testing should be handled the same way all applications tests are handled in the CI and CD pipelines, automatically, and all the time.

2. Monitoring and responding to attacks. It is the fate of online services that they will get broken into eventually. When incidents happen, organizations will turn to their security teams for help, and a team must be prepared to react. The second phase of continuous security is to monitor and respond to threats, and protect the services and data the organization relies on, through techniques like fraud and intrusion detection, digital forensics and incident response, with the goal of increasing the organization's preparedness for an incident.

3. Assessing risks and maturing security. A successful security strategy cannot succeed when solely focused on technical issues. The third phase of continuous security is to go beyond the technology and look at the organization's security posture from high altitude, via risk management and security testing, both internal and external, to help organizations refocus their security efforts, and invest their resources more efficiently.



This is as close to a definition of DevSecOps as I can get. One thing that is critically important is that you can't really do DevSecOps in an organization that doesn't first do DevOps. If your organization isn't there yet, this is where your efforts should start.
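The Test Driven Security item above says basic controls such as "the security headers web applications must implement" should be tested automatically in the pipeline, like any other test. The following is an added example of such a control, written for this page and not taken from the book or from either poster: a function that checks a captured response header set against a small policy and returns findings, so a CI job can fail on a non-empty result. The header list, the HSTS threshold, and the two sample responses are this example's own assumptions and constructed data, not a standard the page cites.

```python
"""Test-driven security control: verify HTTP security headers in CI.

Added example, not code from the book or the forum thread. The policy
below (required headers, minimum HSTS max-age) is an assumption chosen
for illustration; adapt it to your own baseline.
"""
import re

# Assumption: accept HSTS only if max-age is at least 6 months (in seconds).
MIN_HSTS_MAX_AGE = 15552000

# Constructed sample responses; not captured from any real service.
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
}

WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Set-Cookie": "session=abc123; Path=/",
    "Server": "Apache/2.4.29 (Ubuntu)",
}


def _lower_keys(headers):
    """Case-insensitive view of the headers (HTTP header names are case-insensitive)."""
    return {k.lower(): v for k, v in headers.items()}


def check_security_headers(headers):
    """Return a list of findings; an empty list means the control passes."""
    h = _lower_keys(headers)
    findings = []

    # HSTS must be present and its max-age must meet the minimum.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below minimum")

    # CSP presence only; policy content is a separate, app-specific test.
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")

    # Session cookie must carry Secure and HttpOnly (single Set-Cookie assumed here).
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Set-Cookie lacks {flag}")

    # A version number in Server is information leakage.
    if "server" in h and re.search(r"\d", h["server"]):
        findings.append("Server header leaks version information")

    return findings


def main():
    """Run the control on both samples; exit non-zero if the weak one fails (as CI would)."""
    for name, resp in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        findings = check_security_headers(resp)
        status = "PASS" if not findings else "FAIL"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

In a pipeline the header dict would come from a request against the freshly deployed build (for example `requests.get(url).headers`) instead of the constructed samples, and the job would fail when `check_security_headers` returns anything. Note that this version reads a single `Set-Cookie` value; a real response can carry several, and a production check should iterate over all of them.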
 
David Sachdev
Ranch Hand
Posts: 75



Julien Vehent wrote:

2. Monitoring and responding to attacks. It is the fate of online services that they will get broken into eventually. When incidents happen, organizations will turn to their security teams for help, and a team must be prepared to react. The second phase of continuous security is to monitor and respond to threats, and protect the services and data the organization relies on, through techniques like fraud and intrusion detection, digital forensics and incident response, with the goal of increasing the organization's preparedness for an incident.



Having an Incident Response plan before the incident happens is very important. You don't always want to just "cut off" the attacker, as you may want to silo them off and see what it is they plan on doing. I think so many places don't think about the "responding to attacks" part of the equation very well.
 
Julien Vehent
author
Posts: 20

David Sachdev wrote:

I think so many places don't think about the "responding to attacks" part of the equation very well.



This is true, and working in a DevOps environment means using very different tools and techniques than one would use in an old-style infrastructure. (Endpoint security on immutable servers? What about serverless forensics? etc.)

At the same time, a lot of proven techniques can and should be ported to modern environments, so the book goes over the important stuff and explains how to implement it.

There's also a little novel about a security incident in chapter 10. I had fun writing it; I hope it's a good read.
 
David Sachdev
Ranch Hand
Posts: 75

Julien Vehent wrote:

David Sachdev wrote:

I think so many places don't think about the "responding to attacks" part of the equation very well.



This is true, and working in a DevOps environment means using very different tools and techniques than one would use in an old-style infrastructure. (Endpoint security on immutable servers? What about serverless forensics? etc.)

At the same time, a lot of proven techniques can and should be ported to modern environments, so the book goes over the important stuff and explains how to implement it.

There's also a little novel about a security incident in chapter 10. I had fun writing it; I hope it's a good read.



And in serverless computing, your attacker may be on the same host, just doing nefarious serverless computing. I think over time this will be the way of the future, but depending on your data, you may want to watch and wait cautiously.
 