‘‘DevOps is a term used to define a set of practices and tools that aim to shorten the software development life cycle by providing this agile relationship, giving organizations the ability to deliver applications and services quickly. DevSecOps is almost the same as DevOps but it includes security, aiming to enforce a mindset that integrates security in every step of the software development life cycle.’’

Technology has changed the speed of the world we live in to a much faster pace. Tech didn’t only change our lives but also its cycle of development. A process that could last months or even years, in the past, was reduced to weeks. Now, it is time to adapt the development life cycle to the agility and responsiveness it needs. To understand how DevSecOps fills this gap, we interview Burak Mavzer, our Cybersecurity Engineer.  

First, let us understand what is DevOps?  

Burak: DevOps stands for DEVelopment and IT OPerationS. Summarizing, it defines the type of agile relationship between the software development team and the IT operations team responsible for software deployment and maintenance. Even though I am not a software developer, I would like to explain what agile is. Agile is a software development term. It is used to define a collection of development methodologies based on iterative development, meaning that software requirements and the solutions used to achieve those requirements evolve through collaboration among different teams. DevOps is a term used to define a set of practices and tools that aim to shorten the software development life cycle by providing this agile relationship, giving organizations the ability to deliver applications and services quickly.  

What is DevSecOps?  

Burak: DevSecOps stands for DEVelopment SECurity OPerationS. It is almost the same as DevOps but better because it includes security, aiming to enforce a mindset that integrates security in every step of the software development life cycle, meaning that everyone, from Junior Developer to System Administrator, handles security. It is an excellent way of building a security culture inside the organization. In the past, in almost all cases, security was outsourced to an isolated team. However, when teams started to adopt the agile methodology and DevOps to quickly deliver applications and services, the updates and patches to fix some vulnerability or bug accumulated so fast that the isolated security teams could not cope. The integration of security to DevOps practices became inevitable to deliver better and more secure software products.   

What are the differences between DevOps and DevSecOps?  

Burak: There is not much of a difference between the implementation of DevOps and DevSecOps. The tools you use during DevOps implementation also have security features that you can enable. The main difference is in the mindset of teams. DevSecOps provides a way of ensuring that everybody is responsible for security. It creates a perspective within the organization, a culture around security that doesn’t seem scary or burdensome.

What are the benefits of implementing DevSecOps? What are the consequences of not using DevSecOps?  

Burak: Let’s start with few key benefits of implementing DevSecOps practices in your development efforts. First, it helps your organization to deliver fast and cost-effective software. The reason is, if you are not using DevSecOps practices, security issues can arise, causing massive, time-consuming, and costly delays to the organization. However, when you implement DevSecOps, you don’t need an extra review for security as it is already integrated, which saves you time. Implementing DevSecOps ensures that security vulnerability patches are rolled out quickly as vulnerability scanning and patching are integrated into the development routine cycle, which helps organizations save a lot of time and money. If these vulnerabilities are not fixed quickly, somebody can, and most likely will, take advantage, causing you problems, such as time and financial loss. And last, DevSecOps is a very adaptive and agile process. Therefore, it is very adaptable to the agile development process. A mature implementation of DevSecOps will adapt to the high-speed changing environment we see in today’s companies and technologies. These are the key benefits of implementing DevSecOps and some consequences you might face if you are not using it.  

How do you implement DevSecOps? What are the challenges you might face if you want to implement DevSecOps?  

Burak: First, you need to decide if it is the right way to go for your development experts. It depends on many factors your organization might have to consider, such as your resources and workforce. For all the organizations that are willing to dedicate the time and resources to implement DevSecOps for their teams, there are many technologies you can use, and in most cases, they do most of the work for you. I would recommend that your organization be prepared for threats by scanning and fixing security issues and conducting penetration tests whenever possible. You should also invest in cybersecurity awareness for your teams because most of the attacks we see today can be attributed to human error, such as neglecting security-related tasks or someone clicking on a suspicious link in an email. It could be a start of an attack, such as a phishing attempt. I would say again to invest in cybersecurity awareness training; this is one of the most important things. You should also run automated tests for security, software quality, validation, and dependencies checks, also fix the problems found on these checks as quickly as possible. 

As for challenges, I would say the biggest one would be establishing a security culture because security is mostly seen as a burden for some teams other than something critical for your development efforts. Often, it has been neglected because teams are trying to meet deadlines, or the administration is just pushing them. Give your staff and organization the flexibility and the encouragement to always be on the lookout for security issues.  

What was your role during the implementation of DevSecOps in one of VisionSpace’s projects?    

Burak: We are currently a small team of 5 people developing software to be used in cybersecurity, which adds an extra responsibility to implement best practices regarding security because of our field. We have a team that deals with all the implementation and all the tools that we use. My role as the company’s Cybersecurity Engineer is to advise on best practices for secure software development. I also provide occasional security awareness training for all staff and anyone willing to attend them. Our development teams currently use DevSecOps tools to ensure that the software products we, as VisionSpace, develop are secure.  

To get to know more about Burak Mavzer, visit his LinkedIn profile, or access his blog.  
 

Don’t forget to follow us on Linkedin, Twitter, or Facebook to get our updates.  

This article was written by Juliane Verissímo - Marketing Department of VisionSpace.