This week, I have a contributing guest author, Patrick McLaughlin, who is a SaaS Security Architect as part of the Oracle SaaS Cloud Security engineering group, which is helping drive the transformation of DevSecOps.
DevOps aims to bring software development and maintenance closer to IT operations. It is designed to deliver new software features, enhancements to existing features, and bug fixes faster than traditional methods and with the same quality. DevOps combines software development processes and their deployment into production systems in continuous iterations using much smaller chunks than traditional software development lifecycles. Continuous Integration – Continuous Delivery/Deployment (CI–CD) is a common implementation of DevOps.
CI is a practice of continually and regularly integrating new code into the main build (perhaps every two weeks or even daily) and testing the new functionality to make sure it doesn’t break existing functionality. At the end of the day, the service must always be working in the live production environment. DevOps can be used to develop systems that target different software architectures: microservices, serverless, function-oriented, or a combination.
DevSecOps integrates security into the DevOps lifecycle. It automates, monitors, and applies security into the software development process and into the operational deployment of software onto production systems. In the same way as identifying and fixing a bug early in the software development process reduces the cost of fixing it later, it’s cheaper to incorporate good security practices as early as possible into the DevOps lifecycle.
The DevOps objective of having more frequent releases than traditional development means that traditional approaches to security and compliance must adapt to this faster, agile world.
The principles behind traditional security and compliance remain relevant in a DevOps environment, but they need adjustment to fit within an effective DevSecOps model.
DevSecOps holds the promise of strengthened security in agile software development and delivery practices, allowing security vulnerability fixes and mitigations to be incorporated into the more frequent release cycles. This should result in faster repairs for insecure design and coding defects and third-party vulnerabilities, thus reducing the time window during which the attack surface is more exposed to hackers.
This benefit must be weighed against the risk of introducing security vulnerabilities or failing to consider fundamental security principles in coding of new features by going too fast. So, DevSecOps seems to be saying that we should go as fast as possible, but no faster, which reminds me of the saying that I grew up with – more haste, less speed.
However, DevSecOps does not say how to incorporate good security architecture practices into the system being developed (for example, how to leverage a common Identity and Access Management service, which cryptographic libraries to use, how to do key management, how to encrypt sensitive data at rest or in motion, how to secure APIs, and how to log security events).
At Oracle, we have been successfully using the Corporate Security Solution Assurance Process (CSSAP) and Oracle Software Security Assurance (OSSA) for many years (before and since cloud’s emergence). These practices ensure proper security architecture and development practices from design stages to deployment.
In addition, in SaaS Cloud Security (my organization), we leverage the controls found within the NIST Cybersecurity Framework (CSF), the CIS Top 20 security controls and ISO 2700X Information Security Management, predominantly for post-deployment security management topics such as logging and security information and event management (SIEM), detection and incident response, risk management, and intrusion detection.
In future articles I will discuss key aspects of these three cyber-security (management) frameworks in relation to DevSecOps. I would very much welcome the views of the readers of this blog on these articles as no one has a monopoly on wisdom in this space!