DevSecOps : The Big Picture — Part 1

DevSecOps Life Cycle

After months of posting about DevSecOps on LinkedIn, I decided to start sharing more details about DevSecOps area using articles instead of posts.

In this article we will discover together the world of DevSecOps.

Table of Contents

1. What is DevSecOps ?
2. What are DevSecOps Stages ?
3. What Skills needed for DevSecOps Journey ?
4. Will DevSecOps replace Penetration Testing ?
5. Some DevSecOps Certifications

What is DevSecOps ?

As organizations continue to digitize their operations and move towards cloud-based infrastructure, the need for secure and reliable systems has never been more pressing. Enter DevSecOps — an approach to software development that seamlessly integrates security practices throughout the entire lifecycle of a project. By aligning development, security, and operations teams, DevSecOps aims to identify and address potential vulnerabilities early on, before they become costly and time-consuming issues. It also helps to create systems that are not only secure, but also easy to operate, monitor and maintain. This is particularly critical in today’s landscape, as cyber threats continue to evolve and become more sophisticated.

What are DevSecOps Stages ?

DevSecOps is a methodology that emphasizes the integration of security practices throughout the entire software development process. It involves a series of stages that are designed to identify and address potential vulnerabilities and security risks early on, before they become costly and difficult to fix.

The stages of a DevSecOps pipeline typically include the following:

1. Planning: This is the initial stage of the DevSecOps pipeline, where the team defines the goals, objectives, and requirements for the project. The team should also identify the potential security risks and vulnerabilities that the project may encounter.
2. Development: In this stage, the team builds the software, with security considerations integrated throughout the process. This can include using secure coding practices, automated testing, and code review.
3. Testing: This stage includes automated and manual testing to ensure that the system is free of bugs and vulnerabilities. Security testing, including penetration testing, can be integrated into this stage to identify potential vulnerabilities.
4. Deployment: This stage involves the release of the software to a production environment. It should be done in a secure and controlled manner, with the necessary security measures in place to ensure that the system remains secure after deployment.
5. Monitoring and maintenance: After deployment, the team should continuously monitor the system to ensure that it remains secure and is performing as expected. This stage also includes the process of patching and upgrading the system to address any new vulnerabilities that are discovered.

It is worth mentioning that these stages are not necessarily linear and sometimes they may be done parallelly or differently based on the specific organization’s requirements, team and technology. Some organizations also add more stages like Compliance, Risk Management, and Incident Management.

What Skills needed for DevSecOps Journey ?

DevSecOps is a cross-disciplinary field that requires a combination of skills from multiple areas, including software development, security, and operations. Some of the key skills that are commonly sought after in DevSecOps profiles include:

1. Development experience: DevSecOps professionals need to have a strong understanding of software development principles, including experience with one or more programming languages, as well as knowledge of development methodologies such as Agile and Scrum.
2. Security knowledge: Security is at the core of DevSecOps, so a deep understanding of security principles and technologies is crucial. This can include knowledge of security best practices, penetration testing, threat modeling, and incident response.
3. Operations experience: DevSecOps professionals should have a good understanding of how systems are deployed, configured, and managed in production environments. This includes experience with cloud technologies, containerization, and infrastructure as code.
4. Automation and scripting: Automation is key to DevSecOps, as it helps teams to move faster and more efficiently. DevSecOps professionals should be proficient in one or more scripting languages, such as Python or JavaScript, and be familiar with tools such as Ansible, Puppet, and Terraform.
5. Collaboration and communication: DevSecOps teams often involve multiple stakeholders from different departments and skill sets, so strong collaboration and communication skills are essential. This includes the ability to work effectively with both technical and non-technical stakeholders and the ability to translate complex technical concepts into layman’s terms.
6. Continuous Integration/Continuous Deployment (CI/CD): Understanding of CI/CD pipeline and how to design it securely, and knowledge of tools like Jenkins, Travis, CircleCI, etc.
7. Compliance: Understanding of common compliance frameworks (e.g. PCI-DSS, HIPAA, SOC 2) and how to build compliant systems.

Note that it is difficult to find individuals who have all of these skills in one person but having a team that has a balance of the above-mentioned skill set is ideal.

Will DevSecOps replace Penetration Testing ?

Penetration testing is an important tool for identifying vulnerabilities in a system and helps in finding real-world attack scenarios, but it is typically done after a system has been developed and deployed. DevSecOps, on the other hand, is a proactive approach that integrates security considerations throughout the entire development process, allowing teams to identify and address issues before they become a problem.

While both penetration testing and DevSecOps are important tools for ensuring the security of software systems, they complement each other and should not be viewed as a replacement for one another. A good security strategy will often use both penetration testing and DevSecOps to ensure that a system is as secure as possible.

Some DevSecOps Certifications

There are a number of certifications available that can help individuals and organizations demonstrate their knowledge and expertise in the field of DevSecOps. Here are a few examples:

1. Certified DevSecOps Professional (CDP): This certification focus on learning DevSecOps practically. It teachs you all what you need to become a DevSecOps Specialist.
2. GIAC DevOps Security Professional (DevSecOps): This certification is designed for professionals who want to demonstrate their knowledge of securing DevOps environments, including continuous integration, continuous deployment, and infrastructure as code.
3. Certified Kubernetes Security Specialist (CKS): This certification is designed for professionals who want to demonstrate their knowledge of securing Kubernetes environments, including container security and network security.
4. SANS Institute’s DevSecOps Essentials: This is a set of online training and certification course that aim to provide an overview of the key concepts, methods, and tools of the DevSecOps approach.
5. Certified Cloud Security Professional (CCSP): This certification is designed for professionals who want to demonstrate their knowledge of security in cloud computing environments, including best practices for securing data, applications, and infrastructure in the cloud.
6. ISC² CSSLP -Certified Secure Software Lifecycle Professional: is designed for professionals involved in the software development, designed to bridge the gap between development and security.

These are just a few examples, and there are many other certifications available that focus on different aspects of DevSecOps. When choosing a certification, it’s important to consider which areas of DevSecOps you want to focus on, and select a certification that aligns with your career goals and interests. Also money ;) !!

Conclusion

In the next part, We will focus on DevSecOps stages.

We will explain every stage in details and introduce some tools used by DevSecOps profiles.