What is DevSecOps?

Jun 24, 2021

iCrowdMarketing powered by iCrowdNewswire



We live in a strange technological epoch. Cybersecurity awareness has never been more necessary, yet personal and organizational cyber-preparedness remains at a low point. Cybersecurity, in layman’s terms the digital defense of systems and networks, has never been in greater demand across the industry, and the volume of cybercrime driving that demand is enormous. Cybercriminals are criminals who plan and carry out their crimes in the digital space, or cyberspace; the familiar term ‘hackers’ is commonly, if loosely, used for them. In cybersecurity terminology, the crime a cybercriminal commits is called a cyber attack. IBM gives a lengthy description of cyberattacks, from which the following excerpt is useful: “The May 2009 ISO/IEC 27000 publication described an attack on an information or computer network as an ‘attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of anything that has value to the organization.’” Furthermore, “It’s not just computer networks and computer information systems that are being attacked. Cyber attacks are also infamous for attacking computer infrastructure and peoples’ personal computers. In addition to cybercrime, cyber attacks can also be associated with cyber warfare or cyberterrorism, particularly in instances when the attackers are state actors, groups or affiliated organizations.”


To explain why approaches like DevSecOps exist, it helps to list some of the most common types of cyber attack as IBM catalogs them, including:




  • Denial-of-service (DoS)

  • Distributed-denial-of-service (DDoS) attacks

  • Transmission Control Protocol (TCP) synchronize (SYN) flooding or SYN attack

  • Teardrop attacks

  • Smurf attacks

  • Botnet attacks

  • PoD or ping-of-death attacks

  • Man-in-the-middle (MITM) attacks

  • Session hijacks

  • IP spoofing attacks

  • Brute force attacks

  • SQL injection attacks

  • Eavesdropping and network attacks

  • Malware infections

  • Trojan infections

  • RATs

  • Ransomware

  • Worms


What is DevSecOps?


According to IBM, DevSecOps is: “DevSecOps—short for development, security, and operations—automates the integration of security at every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery. DevSecOps represents a natural and necessary evolution in the way development organizations approach security. In the past, security was ‘tacked on’ to software at the end of the development cycle (almost as an afterthought) by a separate security team and was tested by a separate quality assurance (QA) team.” In essence, DevSecOps is a built-in security approach (a security strategy) that has emerged in response to the increased sophistication and breadth of cybercrime. As one description of the purpose and intent of DevSecOps puts it, “The purpose and intent of DevSecOps is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.” Traditional cybersecurity services are no longer sufficient as the classic perimeter-security model crumbles: “With business demand for DevOps, Agile and Public Cloud Services, traditional security processes have become a major roadblock targeted for elimination.” For these reasons, cybersecurity paradigm shifts such as DevSecOps have emerged: “So with the change of DevOps afoot, traditional security is no longer an option. It is far too late in the cycle and too slow to be cooperative in the design and release of a system built by iteration. However, with the introduction of DevSecOps, it’s not necessary for risk reduction to be abandoned by either the business operators or security staff; instead, it should be embraced and made better by everyone within the organization and supported by those with the skills to contribute security value into the system.”



What is Cybersecurity?


Cybersecurity is the protection of every device in a connected system or network, and the information it holds, from security failures and cybercrime. The National Institute of Standards and Technology (NIST) defines cybersecurity as: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”



The Concept of DevSecOps And How It Fits Into The Future of Cybersecurity


DevOps, of which DevSecOps is an extension, is a highly successful IT management approach. DevSecOps combines Development, Security, and Operations in a single delivery chain and, like DevOps, emphasizes automation, shared responsibility, and collaboration. Giving security the same standing in the pipeline as Development and Operations is what makes DevSecOps a durable model for the future of cybersecurity. According to Tech at GSA (sourced from McKinsey & Company): “DevOps is a composition of enhanced ‘engineering’ practices that reduce lead time and increase the frequency of delivery. The primary goal of DevOps is to ensure Operations team members are engaged and collaborating with Development from the very beginning of a project/product development. As Edureka! states, ‘Gartner believes that rather than being a market per se, DevOps is a philosophy, a cultural shift that merges operations with development and demands a linked toolchain of technologies to facilitate collaborative change.’ It requires pushing past departmental lines for more effective planning, design, and release of projects/products.”


The problem is that automated delivery does not by itself make finding and fixing bugs any simpler or less risky. Again according to the same article: “To this end, there’s a growing movement, called DevSecOps, to incorporate Security into the coding process. Its primary focus is to ensure loopholes and weaknesses are exposed early on through monitoring and analytics so that remediation actions can be implemented efficiently.” With the range of DevOps tooling available today, a separate security review at the end of the cycle no longer fits the delivery cadence. Risk reduction is the priority, together with defense-first, built-in security from the ground up in cyber-preparedness plans. DevSecOps is more than a technical approach: it is a mindset and a security transformation, in that it makes security a default part of development and operations rather than an add-on. For DevSecOps to be applied correctly, the Board of Directors and executive management must also be engaged with every stage of the pipeline, since the change cuts across departments. Finally, to show the value DevSecOps is meant to deliver, we can look at NIST’s summary of its aims:




  • Reduction of vulnerabilities, malicious codes, security issues

  • Mitigation of the potential impacts of vulnerability exploitation in the app lifecycle

  • Addressing root vulnerabilities from the ground-up

  • Reduction of friction in security teams, operation, development


NIST’s stated objectives for its DevSecOps guidance:




  • Define DevSecOps concepts so that developers, security professionals, and operations personnel can all understand them

  • Select and document the key elements that organizations would need to build successful DevSecOps practices, from changing the organization’s culture to automating security practices into existing development pipelines and toolchains to support the concept of continuous authorization to operate (ATO)

  • Provide all organizations with a way to document their current DevSecOps practices and define their future target practices as part of their continuous improvement processes

  • Take an approach that would work for

    • organizations of all sizes and in any sector

    • development for information technology (IT), operational technology (OT), Internet of Things (IoT), etc.

    • development of software, services, firmware, and hardware



  • Ensure that organizations have flexibility and customizability with the recommended DevSecOps practices and that the practices do not cause any duplication of effort for organizations with established DevSecOps practices
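The pipeline-integrated security that the IBM definition above describes, and the early exposure of weaknesses through monitoring that the GSA passage mentions, are usually implemented as an automated gate in the build. The following is an added example, not code from this article or from any of the organizations it quotes: a small policy-as-code gate in Python that takes scanner findings and time-boxed risk acceptances recorded by the owning team and decides whether a build may proceed. The data shape is a simplified, SARIF-like form constructed for the example (it is not a SARIF parser), and all names, rule identifiers, package names, the severity policy and the sample data are assumptions for illustration.

```python
"""Policy-as-code build gate (added example; constructed data, not real scanner output)."""
from dataclasses import dataclass, field
from datetime import date

# Ordering used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One result from a pipeline scanner. Simplified, SARIF-like shape; not a SARIF parser."""
    tool: str       # stage that produced it: "sast", "sca" (dependencies), "secrets"
    rule_id: str    # scanner's rule identifier (placeholder values below)
    severity: str   # "low" | "medium" | "high" | "critical"
    location: str   # file:line, or package@version for dependency findings


@dataclass(frozen=True)
class RiskAcceptance:
    """A documented, time-boxed decision by the owning team to ship despite a finding.

    This is the 'decision made by those with the highest context' from the text:
    the team records it beside the code, with an owner and an expiry date.
    """
    rule_id: str
    location: str
    owner: str
    expires: str    # ISO date "YYYY-MM-DD"; after this the acceptance no longer applies
    reason: str


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)   # failed the build
    waived: list = field(default_factory=list)     # covered by a live acceptance
    reported: list = field(default_factory=list)   # below threshold: surfaced, not blocking


def evaluate_gate(findings, acceptances, today, block_at="high"):
    """Decide whether a build may proceed. `today` is an ISO date string.

    Hypothetical policy used by this example:
      * secrets findings always block; a credential in source cannot be risk-accepted
      * any other finding at or above `block_at` blocks unless a matching,
        unexpired RiskAcceptance exists
      * anything below the threshold is reported but does not block
      * an unrecognised severity fails closed (it means the scanner config is broken)
    """
    now = date.fromisoformat(today)
    threshold = SEVERITY_RANK[block_at]
    # Index only the acceptances that are still in force, keyed by (rule, location).
    live = {
        (a.rule_id, a.location): a
        for a in acceptances
        if date.fromisoformat(a.expires) >= now
    }
    result = GateResult(passed=True)
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None or f.tool == "secrets":
            result.blocking.append(f)
        elif rank < threshold:
            result.reported.append(f)
        elif (f.rule_id, f.location) in live:
            result.waived.append(f)
        else:
            result.blocking.append(f)
    result.passed = not result.blocking
    return result


# Constructed sample input: what three stages of one pipeline run might emit.
SAMPLE_FINDINGS = [
    Finding("sast", "py/sql-injection", "high", "app/db.py:42"),
    Finding("sca", "dep-vuln-0001", "critical", "examplelib@1.2.3"),
    Finding("sca", "dep-vuln-0002", "medium", "otherlib@0.9.0"),
    Finding("secrets", "cloud-access-key", "low", "config/settings.py:7"),
]

# Constructed acceptances: one still valid, one that has expired.
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("dep-vuln-0001", "examplelib@1.2.3", "team-payments",
                   "2030-01-01", "vulnerable path is behind a disabled feature flag; upgrade ticket open"),
    RiskAcceptance("py/sql-injection", "app/db.py:42", "team-payments",
                   "2020-01-01", "accepted for one sprint while the query was rewritten"),
]


def demo(today="2021-06-24"):
    """Run the gate over the sample data for the given date."""
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, today)


if __name__ == "__main__":
    r = demo()
    print("build passed:", r.passed)
    for label, group in (("BLOCK", r.blocking), ("WAIVED", r.waived), ("INFO", r.reported)):
        for f in group:
            print(f"{label:6} {f.tool:8} {f.rule_id:18} {f.location}")
```

Run as a script, the sample build fails: the SQL-injection finding blocks because its acceptance has expired, the leaked key blocks because secrets are never waivable, the critical dependency finding is waived by the live acceptance, and the medium one is only reported. The acceptance record is the point of the design: the team that owns the code makes the call, but the decision has a named owner and an expiry, so it cannot silently become permanent, and the gate fails closed on anything it does not understand.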

