The Inner Circle

 View Only
  • 1.  What is DevSecOps?

    Posted Mar 10, 2022 09:22:00 AM
    Everyone seems to have their own slightly different definition of DevSecOps and what's required for for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.

    Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?

    Thanks for your responses!

    ------------------------------
    Megan Theimer
    Content Coordinator
    Cloud Security Alliance
    ------------------------------


  • 2.  RE: What is DevSecOps?

    Posted Mar 11, 2022 07:56:00 AM

    In my opinion, I'd describe DevSecOps ultimately as a "practice", or "methodology".  From my experience, "It is a way of doing things", building security into a developer cycle(s).

    Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual. 

    Here is a good outline of the high-level concepts involved in DevSecOps.
    https://github.com/6mile/DevSecOps-Playbook





    ------------------------------
    Michael Tayo
    Information Security Analyst
    Tempus Labs
    ------------------------------



  • 3.  RE: What is DevSecOps?

    Posted Mar 11, 2022 09:24:00 AM
    As a methodology that is attempting to solve a problem, could DevSecOps also be defined as a 'security solution'?

    ------------------------------
    Megan Theimer
    Content Coordinator
    Cloud Security Alliance
    ------------------------------



  • 4.  RE: What is DevSecOps?

    Posted Mar 14, 2022 08:27:00 AM
    Hi Megan.
    Conceptually it cannot be a security solution. I can't remember where I read it but there was an accurate motto that says "there is no one-size-fits-all solution for DevSecOps". The thing is that in my experience most of the customer has the opposite idea so empirically DevSecOps turns to be a solution.

    ------------------------------
    Alejandro Bernal
    Security Architect
    NTT Data
    ------------------------------



  • 5.  RE: What is DevSecOps?

    Posted Mar 14, 2022 09:20:00 AM
    We are practicing devsecops at some scale across disparate teams and, no, I would not qualify it as a "solution" so much as an engineering approach for a particular problem set (see below) and daily practice.  Like having a daily exercise routine is not a solution to anything per se; it is an enabler of better overall health and fitness but the exercise a marathon runner needs to do is very different than one that a power weight lifter needs to do.

    thus the more interesting part is the "problem" you are trying to solve.  If you are not practicing automated devops (more like "gitops") then devsecops probably is a mismatch or overkill.  you only start to understand the need for devsecops when you have conversations like:

    Sec analyst: "I need to capture a forensic snapshot of a container that triggered an alert 5 minutes ago - can I break glass ssh into it please?"
    DevOps engineer: "no - all ssh access to all containers is disabled by design, also all containers are ephemeral and avg lifespan is about 30 seconds, whatever container you are looking for is long gone"
    Sec analyst: "well can you install this utility so I can do monitoring on the next container deployment?"
    DevOps: "open a PR with the terraform code and add the change you want"
    Sec: "I don't know how to do that - can't you just temporarily add it manually as root or something?"
    DevOps: "no  - we have OPA rules that block any image deployments that have not been PR'd and approved on the protected branch by 2 separate approvers and have a Jira ticket linked with the Security Impact Analysis checklist (and SAST and DAST) PR checks completed, and the appropriate annotation added from the policy enforcement system; and root perms is disabled on all images by another OPA policy; also our custodian drift monitoring tool will auto sandbox any container instance deployed with root or non-whitelisted processes anyways, so it would not be allowed and that itself would be an alert and TTP for you to look at so you're in an infinite do loop at that point"
    Sec analyst: "so how do I see what the activity on that container was, or will be, and how to connect it to other TTPs from the VPC flow logs and log analytics data?"
    DevOps: "<shrug>"

    I like Michael's playbook - but - the real world looks more like a hyper-connected graph of activities that overlap, loop within loops, and branch off and rejoin.  Basically everything starts to interact with every other thing at every point in time!  while I get that you need a simplified view to start the journey, the result looks more like a Jackson Pollack painting :)

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------



  • 6.  RE: What is DevSecOps?

    Posted Mar 16, 2022 09:33:00 AM
    Agreed with others that it is not a solution but an approach/methodology. It cannot be a security solution as others say, it's inherently how we do secure-by-default for our DevOps and/or development practices. For us, an organisation, one of our biggest mandatory steps is to have all our DevOps tools and environments protected by our own zero trust technology so that we will ultimately have zero trust in all networks (internet, local, host OS) which massively restricts malicious activity (internal and external - e.g., no zero days or CVE exploit, DDoS, port scans, brute force) while giving our security team strong visibility and audibility.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 7.  RE: What is DevSecOps?

    Posted Mar 15, 2022 08:37:00 AM
    I really like the comment on "understand what problem DevSecOps is attempting to solve". A good starting point for organizations to realistically fit Security into their Dev Sprints is to Tokenize/Mask/Encrypt the data all the way through the stack. If they can come to their Sprint Huddles with regular updates on "is the data still secure" there is the "Sec" in DevSecOps. Implementing and tuning the monitoring/observability/detection of the environments... well that's a whole other beast of it's own.

    ------------------------------
    Eric Lloyd
    Account Manager
    Thales
    ------------------------------



  • 8.  RE: What is DevSecOps?

    Posted Mar 17, 2022 09:51:00 AM
    Based on my experience working with multiple teams , I personally feel DevSecOps takes different forms of understanding and implementation. When application security teams owns it, their priority is to integrate Security requirements, Threat modeling, SAST,SCA, Partial DAST and other possible security testing efforts at the earliest stages (Shift Left) of the SDLC . More specifically integrating within the pipeline. This helps to detect Vulnerabilities as early possible and help remediate during the development and reduce the time taken to remediate ,if the Vulnerability is detected at the tail stages of the SDLC.
    In case Operations teams owns , all operational task and its associated security activities (platform security, infra scans, risk/threat management , container security , penetration testing) are integrated into the pipe line . Both Dev and Operations will strive to automate their activities by introducing new generation tools and process, helping to reduce the time for a app/product to get released in a shorter time with all possible security controls integrated .
    From an organization perspective, it looks for an effective , semi-automated, seamless implementation of Security through out Development and Operations of SDLC .

    ------------------------------
    Sivakumar kathiresan
    Senior Product Security Architect
    Elekta
    ------------------------------



  • 9.  RE: What is DevSecOps?

    Posted Mar 18, 2022 08:53:00 AM
    Wow, thanks for all the responses, everyone! This is really helpful!

    ------------------------------
    Megan Theimer
    Content Coordinator
    Cloud Security Alliance
    ------------------------------



  • 10.  RE: What is DevSecOps?

    Posted 25 days ago
    DevSecOps is a term used to describe a new approach to software development that emphasises collaboration between developers and security professionals. The goal of DevSecOps is to speed up the software development process while ensuring that security concerns are addressed early and throughout the process.

    ------------------------------
    Rowan Sheridan
    it
    it
    ------------------------------