DevSecOps Pillar 1: Automation
DevSecOps promotes end-to-end automation, where traditional development lifecycle activities are delegated to an automated workflow for greater efficiency. Continuous integration and continuous delivery, or CI/CD, accelerates the time it takes to successfully integrate and validate code from weeks to minutes. When developers check in code changes, automated scripts trigger a scheduled or user-initiated build-test sequence. The code is then pulled automatically into a managed environment that builds the application and runs a series of tests to confirm the new code successfully integrates into the master code branch and functions as intended. By incorporating CI/CD, development teams release code more frequently, detect defects earlier, and shorten the overall development cycle. Most importantly, a mature CI/CD process produces a codebase that is always deployable and production ready. Automation also applies to post-production activities; teams can leverage tools to automate application recovery and scale infrastructure to meet performance demand.
DevSecOps Pillar 2: Continuous Quality & Continuous Security
DevSecOps helps organizations embed security and quality deep in the heart of their development and deployment processes. Development teams can identify and address code issues earlier, not only by automating test processes via CI/CD, but also by checking for security and quality issues early in the lifecycle, as code is checked into source control. In DevSecOps, everyone is responsible for both elements. For example, developers can implement pull requests to conduct rapid, web-based peer reviews of code prior to integration. Security teams can also automate quality scans and static code analysis to detect code inefficiencies or vulnerabilities and immediately alert developers for remediation. Similarly, operations teams leverage server and application monitoring tools to identify issues in post-production and minimize risk. By using a variety of quality mechanisms, development teams collectively evaluate code quality and security at every step of the development lifecycle without sacrificing delivery frequency.
DevSecOps Pillar 3: Infrastructure Management
DevSecOps champions the use of infrastructure as code, or IaC, to automatically build and manage environments in the same way one would automate software development tasks. In today’s IT landscape, where almost all of our platforms (on-prem and cloud) are hosted on virtual machines, IaC enables developers to write standardized scripts to automatically provision infrastructure according to customer security standards in a consistent, repeatable, and scalable manner. In other words, IaC allows your team to quickly spin up secure development, test, and staging environments with a single push of a button, then spin them back down again when they’re not in use, thereby reducing dependencies, increasing cost savings, and accelerating time to deployment. IaC also supports continuous quality by enabling teams to track server configuration changes for efficient infrastructure-related troubleshooting and increased auditability. In this way, DevSecOps not only enables your development teams to automatically integrate quality and security into software, but also into its underlying infrastructure.
DevSecOps Pillar 4: Collaborative Culture
DevSecOps ultimately extends far beyond process automation, integrated security, and quality. As the name suggests, DevSecOps breaks down silos between development, security, and operations teams, effectively giving each team equal responsibility for ensuring the security and quality of the product delivered. In fact, the very foundation of DevSecOps success in any organization is dependent on the adoption of a collaborative culture to efficiently achieve a common goal. For example, while automated toolchains allow developers to identify quality and security issues much earlier, it also requires them to communicate with each other and across other teams more frequently. The culture of DevSecOps runs counter to the traditional image of the solitary developer working for weeks on software before they are “ready” to deliver it. Instead, DevSecOps fosters a culture of joint problem-solving, collective responsibility, and frequent communication throughout the development lifecycle.
While even one of these capabilities would yield significant benefits, these four pillars together form a strong base for a successful DevSecOps practice. From this foundation, development teams can begin to deliver higher quality software products while drastically reducing overall operational risk and increasing return on investment. However, in order to maximize the value of the methodology, organizations must move up the maturity curve and continually build upon this foundation.
Moving Up the Maturity Curve
With a strong DevSecOps foundation in place, organizations can begin to move up the maturity curve, incrementally building on and improving their practice to maximize value. The journey is an incremental and community-driven undertaking. Organizations must devote a great deal of time and effort to not only establish new automated processes and tools, but also educate their teams on a variety of security practices that they were likely not responsible for in their siloed job role. Moreover, the journey along the maturity curve does not follow a strict, one-size-fits-all roadmap. Your organization may need to experiment with various combinations of tools, processes, and communications before finding the right mix that meets your unique needs. In order to advance along the maturity curve and truly reap all the benefits that DevSecOps has to offer, organizations must continually monitor and measure the effectiveness of their DevSecOps practice to demonstrate success and identify opportunities to improve or innovate.