{"id":33654,"date":"2021-11-29T14:21:42","date_gmt":"2021-11-29T11:21:42","guid":{"rendered":"https:\/\/www.instinctools.com\/?p=33654"},"modified":"2025-04-01T17:28:45","modified_gmt":"2025-04-01T14:28:45","slug":"devsecops-integrating-security-into-devops","status":"publish","type":"post","link":"https:\/\/www.instinctools.com\/blog\/devsecops-integrating-security-into-devops\/","title":{"rendered":"DevSecOps: How to Integrate Security into DevOps"},"content":{"rendered":"\n

With data shaping the business landscape today more than ever before, security issues are at the forefront of everything a business does. Being ignorant about the risks of system vulnerability is detrimental no matter which industry you’re working in, but especially when you’re dealing with large amounts of consumer data. Financial, healthcare, and many other organizations are required to undergo obligatory security certification processes to prove they are compliant with all the necessary industry standards and regulations. <\/p>\n\n\n\n

However, security checks are often considered a bottleneck to deployment because they typically happen at the end of the delivery lifecycle or even after release. These checks are often manual; detecting issues means unplanned work for dev, test, and ops teams, causing delays and frustration.<\/p>\n\n\n\n

Fortunately, there\u2019s a way to make security cheaper and, at the same time, avoid time-consuming processes and hindering system development. The solution is DevSecOps. It aims to achieve a secure SDLC and a CI\/CD pipeline all the way through from start to finish by shifting security \u201cleft\u201d to the earliest stages of the project so that the reliability of your system is no longer an area of concern.<\/p>\n\n\n\n

DevSecOps vs DevOps: a fresh look at the security problem or the same thing with another name?<\/h2>\n\n\n\n

There are two opinions on the term DevSecOps and its place in DevOps<\/a>.The first one is that to include security in the software development lifecycle from the very beginning, we need an explicit call to action. Many people take the \u201cDevOps\u201d label too literally and think that it encompasses only development and operations. Hence, creating \u201cDevSecOps\u201d looks like a good opportunity to highlight the importance of the security role.  <\/p>\n\n\n\n

\n

Good symbols, labels, and stories change the world. The pithiness of \u201cDevOps\u201d drove mass adoption and actual improvement far more than the \u201cAgile System Administration\u201d movement that preceded it. DevSecOps is fine.<\/em><\/p>\n\u2014 Nigel Kersten, Field CTO, Puppet   <\/cite><\/blockquote>\n\n\n\n

The second view is that DevSecOps shouldn\u2019t exist as a separate label because security is an integral part of DevOps already. <\/p>\n\n\n\n

If we keep putting every responsibility people should do in the name, we\u2019ll run out of room for the hashtag. \u201cDevSecOps\u201d is dumb.<\/em> #DevSecITSMTestAutomation\u00ad\u00adMonitoringObservability\u00ad\u00ad\u00adPeopleFinanceMarketingQAOps<\/em>.<\/p> \u2014 Michael Stahnke, Director of Engineering, Puppet <\/cite><\/blockquote>\n\n\n\n

Sometimes the idea of shifting security to the left may go as far as contradicting SecDevOps vs. DevSecOps. Perhaps you\u2019re thinking: \u201cWhat?! Are you kidding me?\u201d No, we aren\u2019t actually. Anyway, let\u2019s not juggle the words and just agree with Bill, not Gates, but Shakespeare, \u201c…that which we call a rose by any other name would smell as sweet.\u201d The real issue to solve here is how to deal with the silos between security and DevOps teams? Because perhaps, only in a parallel universe could engineers and developers be okay with waiting for 48 hours while the security team runs their tests. So, then what are the middle ground solutions that DevSecOps practices can offer? <\/p>\n\n\n\n

Fighting against the deadly waterfall: why DevSecOps is a savior<\/h2>\n\n\n\n

With a traditional development method, such as the waterfall model, you usually can\u2019t go back to the previous steps to modify a project. Security testing is tucked at the end of the SDLC. <\/p>\n\n\n\n

But, what are the consequences of such an approach? Significant security problems are detected only at the last stage of software development. Fixing them is painful for the team, and costly for the business owners as it results in delayed delivery. To deal with this problem, the agile methodology was invented. It allows businesses to minimize risk when adding new functionalities. And with an iterative method, it\u2019s easier to be aware of security during the whole development process because you can go back to the previous stage and quickly fix a bug, monitor cost overruns, or change requirements earlier. With such an approach, you minimize the risk of a small mistake turning into a snowball that cripples the whole project, as it happened with SolarWinds<\/a>. The company reported that up to 18,000 of its clients installed insecure updates and became vulnerable to hackers. Considering SolarWinds has many high-profile customers, such as agencies in the US government and Fortune 500 companies, the situation was quite critical for the organization and incredibly beneficial for its competitors. <\/p>\n\n\n\n

Outcomes of integrating security into DevOps in the long term:<\/p>\n\n\n\n