DevSecOps is a set of principles aimed at integrating security concerns throughout the development and operations processes in IT development. Rather than introducing a specialist dedicated to security, it posits that security is the responsibility of every member of the development and operations teams, and it calls for closer interaction with security teams (Jeganathan, 2019). Thus, it calls for cultural and organizational changes where each developer understands the importance of security and the measures required to develop secure applications (Jeganathan, 2019). An individual developer plays a significant role in addressing security concerns by being aware of these concerns and integrating secure development practices throughout his or her development process. These practices can include secure coding, researching and mitigating exposed vulnerabilities, and collaborating with security specialists to perform code analysis and application security testing.
Under DevSecOps, security permeates the entire development life cycle: applications are initially designed with security in mind, and secure practices are followed from the creation of the code base. It is a continuous process where the software is tested for exposed vulnerabilities as it is developed and maintained (Jeganathan, 2019). Found vulnerabilities should be addressed before the software is released to a live environment (Jeganathan, 2019). This principle of integrating security concerns into established DevOps pipelines is the foundation of DevSecOps.
Plans for securing DevOps life cycles include strengthening the security of the development process, creating secure code, and continuously testing the security of the application. During the release and deployment phases, user and DevOps security becomes critical, requiring well-implemented authentication and access controls, including multi-factor authentication (Jeganathan, 2019). Finally, automation, including automated security testing, plays a critical part in the deployment and operations phase, detecting critical vulnerabilities in new releases and rolling them back immediately if necessary (Jeganathan, 2019). DevSecOps does not provide specific steps, but rather general principles that should be adapted to individual organizations and projects. To this end, the security team should create specific policies and guidelines, while individual developers should be aware of and invested in the principles of IT security. This includes following secure development practices and noticing and bringing to the team’s attention any potential areas of improvement in the project’s security.
Reference
Jeganathan, S. (2019). DevSecOps: A systemic approach for secure software development. ISSA Journal, 17(11), 20-27.