The Five Core Components Of DevOps And How Security Fits In – Digitalmunition




Featured Security-8.png

Published on March 22nd, 2021 📆 | 7487 Views ⚑

0

The Five Core Components Of DevOps And How Security Fits In

DevOps is a set of tools and best practices utilized by organizations to deliver software applications projects faster than traditional software development methodologies. This allows organizations to enhance customer service and increase their competitive advantages in the market.

In a nutshell, DevOps is about removing the borders between different teams involved in a software development project, namely the development and operation team, and about making them work together across the entire development lifecycle beginning with development and ending with deployment. This collaboration avoids wasting time waiting for the development team to finish to start the testing and deployment phases.

This article will shed light on the DevOps model’s main components and see how security fit into each phase. However, before we begin, it is useful to differentiate DevOps from DevSecOps.

DevOps Security vs DevSecOps

DevOps security (widely known as DevSecOps) is the practice of securing the entire DevOps development life cycle through processes, tools, technologies and best practices. DevSecOps ensures security is integrated into each phase of the DevOps life cycle from inception and ending with testing and deployment.

Traditional software development lifecycle methodologies work to discover and fix security holes within a system once it’s been designed and tested. Even with the DevOps model, however, security testing is done too late. This approach is not appropriate for designing modern IT systems in speed. Thus, DevSecOps was introduced.

In DevSecOps, security is implemented in all development phases. Security engineers work closely with the DevOps different teams to recognize security gaps and solve them quickly. Security testing is conducted for each iteration without affecting the agreed delivery dates. In doing so, DevSecOps helps to mitigate security vulnerabilities before they pose a threat and cause a data breach.    

DevOps components

According to StackRox, the premise of DevOps relies on five core components:

An Agile frameworkBuild-once, run-anywhere developmentEverything-as-codeAutomationCommunication and Collaboration

An Agile Framework 

Agile is a well-known approach for project management and software projects; it was initially developed to speed up the development process by dividing IT projects into small chunks or increments. Project requirements are reviewed during the entire project lifecycle to respond to any change quickly.

While DevSecOps does use many of the same development principles as agile, such as the continuous integration and delivery of software systems (CI/CD) in iterations, they differ in how they handle security. For instance, the heart of DevSecOps is to integrate security into all project iterations, while the sole aim of the agile model is to deliver software projects quickly while leaving security to be added later after the product is finished.

Build-once, run-anywhere development

DevOps utilizes container technology which changed the Software Development Life Cycle (SDLC) methodologies radically. There is a semi-mutual agreement in the DevOps community to avoid wasting time in developing testing environments for specific platforms. For example, DevOps developers use container technology to write code, build, run and test without caring about the operational resources (e.g., operating system, shared libraries and frameworks). This leaves adequate time for the operations team to focus more on testing and security.

Everything-as-code

Incorporating security into code is a significant progress in developing software projects. To create secure applications, security should be built into DevOps tools and workflows. This could be achieved by implementing security policies and adding checks and tests to the code without introducing extra costs or delays during the actual code-writing process.

Automation

According to a BSIMM report, automation plays an integral role in the successful integration of security into the DevOps model. For instance, by automating manual processes and building tools (e.g., GitLab, Jenkins for CI and Docker for container integration within toolchains) into (CI/CD) pipelines, the development and operations team can work closely together and function as a single team, thereby increasing their ability to respond to security team enquires.

Automation can enhance the task of implementing security during a project’s development by speeding up the feedback loop.  Automation will speed up the design process, as all discovered security problems – including compliance issues – will get discovered and resolved quickly as the project progress.

Communication and Collaboration

Having a clear and direct communication channel during the development process is necessary for the successful completion of projects.

In DevSecOps, three teams are responsible for delivering the final product: the development, operations, and security teams. Each team may consider its work to outperform the rest. The development and operation teams always focus on delivering project iteration on time while seeing the security team’s work slowing their work.

The top management’s responsibility is to close the communication and collaboration gap. They can do this by encouraging all teams – especially the ones comprising the DevOps teams – to understand the importance of security teamwork in delivering secure products that do not lead to security problems after release.

Summary

DevOps has changed how development and operations are done today. DevOps tools and practices can be used to incorporate security into the DevOps philosophy without sacrificing speed or increasing development costs. DevOps and DevSecOps allow organizations to build scalable systems that incorporate security into their development life cycle, adhere to various compliance regulations and deliver the best secure product possible.
Nihad A. HassanNihad A. Hassan is an independent information security consultant, digital forensics and cybersecurity expert, online blogger, and book author. He has been actively conducting research on different areas of information security for more than a decade and has developed numerous cybersecurity education courses and technical guides. He has completed several technical security consulting engagements involving security architectures, penetration testing, computer crime investigation, and cyber open source intelligence (OSINT). Nihad has authored six books and scores of information security articles for various global publications. He also enjoys being involved in security training, education, and motivation. His current work focuses on digital forensics, antiforensics techniques, digital privacy, and cyber OSINT. He covers different information security topics and related matters on his security blog at www.DarknessGate.com and recently launched a dedicated site for open source intelligence resources at www.OSINT.link. Nihad has a bachelor of science honors degree in computer science from the University of Greenwich in the United Kingdom. Nihad can be followed on Twitter (@DarknessGate), and you can connect to him via LinkedIn at https://www.linkedin.com/in/darknessgate.Nihad A. Hassan Web Site

originally appeared on Source link

Tagged with:



Leave a Reply