We are practicing DevSecOps at some scale across disparate teams and, no, I would not qualify it as a "solution" so much as an engineering approach for a particular problem set (see below) and a daily practice. Having a daily exercise routine is not a solution to anything per se; it is an enabler of better overall health and fitness, but the exercise a marathon runner needs to do is very different from what a power weight lifter needs to do.
Thus the more interesting part is the "problem" you are trying to solve. If you are not practicing automated DevOps (more like "GitOps") then DevSecOps is probably a mismatch or overkill. You only start to understand the need for DevSecOps when you have conversations like:
Sec analyst: "I need to capture a forensic snapshot of a container that triggered an alert 5 minutes ago. Can I break-glass SSH into it please?"
DevOps engineer: "No. All SSH access to all containers is disabled by design; also, all containers are ephemeral and the average lifespan is about 30 seconds, so whatever container you are looking for is long gone."
Sec analyst: "Well, can you install this utility so I can do monitoring on the next container deployment?"
DevOps: "Open a PR with the Terraform code and add the change you want."
Sec: "I don't know how to do that. Can't you just temporarily add it manually as root or something?"
DevOps: "No. We have OPA rules that block any image deployments that have not been PR'd and approved on the protected branch by 2 separate approvers, with a Jira ticket linked, the Security Impact Analysis checklist (and SAST and DAST) PR checks completed, and the appropriate annotation added from the policy enforcement system. Root perms are disabled on all images by another OPA policy. Also, our custodian drift monitoring tool will auto-sandbox any container instance deployed with root or non-whitelisted processes anyway, so it would not be allowed, and that itself would be an alert and TTP for you to look at, so you're in an infinite do loop at that point."
Sec analyst: "So how do I see what the activity on that container was, or will be, and connect it to other TTPs from the VPC flow logs and log analytics data?"
DevOps: "<shrug>"
I like Michael's playbook, but the real world looks more like a hyper-connected graph of activities that overlap, loop within loops, and branch off and rejoin. Basically everything starts to interact with every other thing at every point in time! While I get that you need a simplified view to start the journey, the result looks more like a Jackson Pollock painting :)
------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------
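The OPA controls in Robert's reply, written out as an added example (this is an illustration added to the thread, not code from the post or from SunStone Secure): a Kubernetes validating-admission policy that rejects pods with containers running as root, images outside a trusted registry, and pods lacking the approval annotation from the policy enforcement system. The annotation key, registry prefix and sample AdmissionReview inputs are assumptions; the PR, Jira, SAST and DAST gating Robert mentions lives in the CI pipeline, not in this policy. It uses the `import rego.v1` syntax (OPA 0.59 or later).

```rego
package kubernetes.admission

import rego.v1

# Added example, not from the post. Assumed: OPA runs as a Kubernetes
# validating admission webhook and receives an AdmissionReview as `input`.
# The annotation key and registry prefix below are hypothetical.
approval_annotation := "example.com/pr-approved"

trusted_registry := "registry.example.com/"

pod := input.request.object

is_pod if input.request.kind.kind == "Pod"

# Init containers are easy to forget when checking securityContext,
# so both lists are covered.
all_containers contains c if some c in pod.spec.containers

all_containers contains c if some c in pod.spec.initContainers

# A container counts as non-root if it declares runAsNonRoot itself or
# inherits it from the pod-level securityContext. An explicit
# runAsUser: 0 on the container always overrides either declaration.
runs_as_non_root(c) if {
	c.securityContext.runAsNonRoot == true
	not c.securityContext.runAsUser == 0
}

runs_as_non_root(c) if {
	pod.spec.securityContext.runAsNonRoot == true
	not c.securityContext.runAsUser == 0
}

deny contains msg if {
	is_pod
	some c in all_containers
	not runs_as_non_root(c)
	msg := sprintf("container %q must run as non-root (set securityContext.runAsNonRoot: true and no runAsUser: 0)", [c.name])
}

deny contains msg if {
	is_pod
	some c in all_containers
	not startswith(c.image, trusted_registry)
	msg := sprintf("container %q image %q is not from the trusted registry %q", [c.name, c.image, trusted_registry])
}

deny contains msg if {
	is_pod
	not pod.metadata.annotations[approval_annotation]
	msg := sprintf("pod is missing approval annotation %q from the policy enforcement system", [approval_annotation])
}

# Constructed sample input for `opa test`: a root container from an
# untrusted registry with no approval annotation trips all three rules.
test_root_unapproved_pod_denied if {
	count(deny) == 3 with input as {"request": {
		"kind": {"kind": "Pod"},
		"object": {
			"metadata": {"name": "bad-pod"},
			"spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}]},
		},
	}}
}

# Constructed sample input: pod-level runAsNonRoot, trusted image and
# the approval annotation present, so nothing is denied.
test_compliant_pod_allowed if {
	count(deny) == 0 with input as {"request": {
		"kind": {"kind": "Pod"},
		"object": {
			"metadata": {"name": "good-pod", "annotations": {"example.com/pr-approved": "true"}},
			"spec": {
				"securityContext": {"runAsNonRoot": true},
				"containers": [{"name": "app", "image": "registry.example.com/app:1.2.3"}],
			},
		},
	}}
}
```

Run the embedded checks with `opa test -v policy.rego`, or evaluate a captured AdmissionReview with `opa eval --format pretty -i review.json -d policy.rego 'data.kubernetes.admission.deny'`. Note that the policy only sees what the API server sends it: an analyst's "just add it as root" request never reaches the cluster, which is exactly the situation the dialogue above describes.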
Original Message:
Sent: Mar 11, 2022 09:24:06 AM
From: Megan Theimer
Subject: What is DevSecOps?
As a methodology that is attempting to solve a problem, could DevSecOps also be defined as a 'security solution'?
------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
Original Message:
Sent: Mar 11, 2022 07:55:39 AM
From: Michael Tayo
Subject: What is DevSecOps?
In my opinion, I'd describe DevSecOps ultimately as a "practice" or "methodology". From my experience, "it is a way of doing things": building security into the development cycle(s).
Before trying to come up with a definition, it is important to understand what problem "DevSecOps" is attempting to solve and then base a definition on what it means to the organization or individual.
Here is a good outline of the high-level concepts involved in DevSecOps.
https://github.com/6mile/DevSecOps-Playbook
------------------------------
Michael Tayo
Information Security Analyst
Tempus Labs
Original Message:
Sent: Mar 09, 2022 03:05:34 PM
From: Megan Theimer
Subject: What is DevSecOps?
Everyone seems to have their own slightly different definition of DevSecOps and what's required for an approach to be considered 'DevSecOps.' Throw in other terms like 'SecDevOps' and 'DevOpsSec' and things get really confusing.
Of course, we can refer to the CSA understanding of DevSecOps, but I was wondering what your personal definition of DevSecOps is, based on your own experience with the method?
Thanks for your responses!
------------------------------
Megan Theimer
Content Coordinator
Cloud Security Alliance
------------------------------