The CISO guide to DevSecOps tactics and tools

How to embed sustainable security tools and tactics in your organization


What is the difference between DevOps and DevSecOps?

Because DevOps cultivates more efficient collaboration among development and operations teams, adopting the practices moves an organization toward rapid software development. Without DevOps, teams operate in silos, neglect mutual communication, and avoid participating in full ownership of the entire software development life cycle. Thoughtful professionals understand that such inefficiencies only hinder team morale and place limitations on business opportunities and potential value creation. These are the primary drivers for the rise of DevOps as a mature practice.

DevOps has become both a mindset and a methodology that eliminates barriers between development and operations. It enables a modern development team to build, test, and deploy software faster—at higher levels of quality—with a minimum of manual intervention. DevOps helps unify developers, QA testers, system admins, support staff, and end users in sharing significant responsibility for the final product.

Conventionally, development (Dev) and deployment operations (Ops) have been at the core of the software development life cycle. However, security is becoming critically important as the multitude of threats increases and severe breaches come at a high price to many companies. Enter DevSecOps.

Realizing the need for security integration

In the past, security testing was done at the end of the development cycle, with QA executing penetration tests and configuration checks just prior to a release. A security team tested a new version of the application or some infrastructure changes to ensure the app was secure and compliant. Development and operations delivered changes in bulk—with minimal documentation.

If a team has established DevOps practices, it is likely that the security team won’t be able to maintain the rapid pace of a highly efficient DevOps team that deploys several releases a day. In such cases, security testing becomes a major bottleneck. Management will either accept this wasteful bottleneck or take the riskier path of dedicating less effort to security testing. Consequently, many teams have turned to DevSecOps.

DevSecOps integrates infrastructure and application security into DevOps processes and tools. The team manages security issues as they emerge—when it’s easier, faster, and less costly to fix. Additionally, DevSecOps cultivates a mindset where the development, security, and IT operations teams share the responsibility for security. The collective aim is to build “software, safer, sooner,” which is the DevSecOps motto. Delivery teams, customers, and stakeholders all stand to benefit substantially from rapid, highly automated delivery of high-security software.

This paper presents an overview of implementing DevSecOps with tactical guidelines and tooling suggestions to embed the practices effectively in your organization.
