In the first half of 2021, there has been a triple-digit increase in cyberattacks volume compared to the previous year (Source: Accenture).
Breaches often occur as a result of very well-structured attacks, such as the one that targeted Microsoft Exchange servers. In many other cases, however, the lighter attacks occur because companies don’t pay enough attention to security. This was the case, for example, for the data breach that involved the vaccination data of the Italian Lazio Region on 30 July 2021.
DevSecOps offers an answer to the growing security needs. Let’s see how.
Understanding DevSecOps: the development context
Occasionally, we hear about cyberattacks: the attacks often go unnoticed by the general public, but they always occur and are constantly growing. The correct software development should put this issue at the top of priorities.
From the creation of a service to the design of a complex software architecture, security must be one of the main focus elements.
The DevOps development methodology – particularly widespread today because of its benefits – can and must be integrated with security practices and elements.
DevOps aims to allow small and close releases over time. It is not optimized to have a development cycle that involves a team that writes the code and another team that reworks it in a secure mode: it doesn’t pursue the objectives of DevOps. For this reason, security skills should be shared with all the teammates, and software development should comply with appropriate security standards.
DevSecOps: what it is
As we have said, the central theme for secure development is that security becomes a shared topic within each cross-functional development team (Feature Team). Therefore, the most effective approach is composed of three elements which are perfectly integrated with each other: Development, Security and Operation. This proposition can be enclosed in a single term: DevSecOps.
In order to implement DevSecOps it is necessary to consider security principles since the earliest stages of design, inserting them into the normal DevOps flow. To avoid pipeline slowdowns, testing and security checks must be automated and integrated into continuous integration practices.
It is also necessary to implement a solid monitoring system: traceability and visibility are very important. In fact, the correct introduction of alarms in the code allows you to receive alerts before a problem occurs, allowing proactive action. Process design must include rules and standards in a coherent framework. In this way, if development always respects the established rules, the risks are reduced.
Towards DevSecOps: how to ensure security with microservices, APIs, and containers
Today, microservices, APIs, and containers are central approaches in software development, and offer security guarantees that should be taken into consideration.
Developing with microservices requires a detailed separation of the responsibilities of each service: security risks are thus reduced to a minimum, for example by following the PoLP (Principle of Least Privilege) which provides for assigning the minimum privileges necessary for the execution of the individual service. You can manage users permissions according to the PoLP by leveraging a RBAC solution.
Access data is now simplified and secured by the adoption of a corporate API system. Following the principles of API security makes it more difficult to attack data, without imposing limits on the management of APIs, closed or open to the public.
Containerization also increases application security: executions are isolated, both from each other and from the systems they run on. An attack on modern systems is much more complex to carry out than on traditional systems.
A great tool to enhance security is Rönd, the new open-source project developed and maintained by Mia‑Platform. Rönd is an authorization mechanism that defines centralized policies executed in a distributed system. It runs in your Kubernetes cluster as a Sidecar Container and defines security policies over your APIs. Take a look at Rönd official website to learn more about it.
DevOps as the synthesis of DevSecOps
We can summarize the main and greatest advantages of a unified DevSecOps approach in terms of security, speed, and cost.
So, Feature teams can develop microservices and APIs directly in secure mode, running on containers. By integrating security elements into the test and monitoring phases, the high speed of the DevOps approach is maintained. Respecting time minimizes rewrites and reduces final costs.
In conclusion, it is now clear that the DevOps mindset is not just about processes, methods, tools, and automation. Security is an essential and founding part of the development and delivering of applications: for this reason, the term DevOps can be considered the synthesis of the more complete DevSecOps.