Posted under: Heavy Research
DevOps is an operational framework that promotes software consistency and standardization through automation. It addresses many of the nightmare development issues around integration, testing, patching and deployment, both by breaking down the barriers between different development teams and by prioritizing the things that make software development faster and easier.
DevSecOps is the integration of security teams and security tools directly into the software development lifecycle, leveraging the automation and efficiencies of DevOps to ensure application security testing occurs with every build cycle. This promotes security and consistency, and ensures security is treated as no less important than any other quality metric or feature. Automated security testing, just like automated application builds and deployments, must be assembled as part of the rest of the infrastructure.
And therein lies the problem. Software developers have traditionally not embraced security. It is not because they did not care about security; rather, they were incentivized to focus on delivery of new features and functions. DevOps is changing the priority toward automating build processes to make them faster, easier and more consistent. But that does not mean developers are going out of their way to include security or security tooling. That is often because security tools do not integrate easily with development tools and processes, usually flood work queues with unintelligible findings, and lack development-centric filters to help prioritize work. Worse, the security platforms, and the security professionals who recommended them, have been difficult to work with, and some platforms do not even offer API-layer support for integration.
On the other side of the equation are security teams, who are fearful of automated software processes and commonly ask, "How do we get control over development?" The very nature of this question misses both the spirit of DevSecOps and the efforts of development organizations to get faster, more efficient and more consistent with each software release. The only way for security teams to cope with the changes occurring within software development, and to scale their relatively small organizations, is to become just as agile as Dev teams and embrace automation.
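To make the point about development-centric filtering concrete, here is an added example (not code from the original post or from any product it discusses) of a small build-gate that triages scanner findings the way a development team would want: deduplicate identical results, block the build only on findings at or above a gate severity that touch files in the current changeset, report the rest for ticketing, and suppress findings already accepted in a baseline. The findings, file paths, rule identifiers and baseline are all constructed for illustration; real scanners emit their own formats (SARIF, JSON) that would be parsed into the `Finding` record first. The baseline-suppression step goes slightly beyond the text, which mentions only prioritization filters.

```python
"""Development-centric triage gate for static-analysis findings (added example)."""
from dataclasses import dataclass

# Severity ordering used to compare findings against the gate threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str   # scanner rule identifier (constructed names below)
    severity: str  # one of SEVERITY_RANK
    path: str      # repository-relative file path
    line: int
    message: str


# Constructed sample scanner output; none of these refer to a real project.
SAMPLE_FINDINGS = [
    Finding("py.sqli.format-string", "high", "app/orders.py", 42, "SQL built with str.format"),
    Finding("py.sqli.format-string", "high", "app/orders.py", 42, "SQL built with str.format"),  # duplicate
    Finding("py.secret.hardcoded", "critical", "legacy/report.py", 7, "hard-coded credential"),
    Finding("py.crypto.md5", "medium", "app/orders.py", 88, "MD5 used for hashing"),
    Finding("py.style.unused-import", "info", "app/orders.py", 1, "unused import"),
    Finding("py.xss.autoescape-off", "high", "app/views.py", 15, "autoescape disabled"),
]
# Files touched by the change under test (e.g. from `git diff --name-only`).
SAMPLE_CHANGED_FILES = {"app/orders.py", "app/views.py"}
# Previously accepted findings, keyed by (rule_id, path); tracked outside the build.
SAMPLE_BASELINE = {("py.xss.autoescape-off", "app/views.py")}


def triage(findings, changed_files, baseline, gate="high"):
    """Split findings into blocking, report_only and suppressed buckets.

    - exact duplicates (same rule, path, line) are dropped, a common cause of flooded queues;
    - findings in the baseline are suppressed (accepted risk, managed elsewhere);
    - findings at or above `gate` severity in files the developer actually changed block the build;
    - everything else is reported for ticketing but does not stop the pipeline.
    """
    gate_rank = SEVERITY_RANK[gate]
    seen = set()
    blocking, report_only, suppressed = [], [], []
    for f in findings:
        key = (f.rule_id, f.path, f.line)
        if key in seen:
            continue
        seen.add(key)
        if (f.rule_id, f.path) in baseline:
            suppressed.append(f)
        elif SEVERITY_RANK[f.severity] >= gate_rank and f.path in changed_files:
            blocking.append(f)
        else:
            report_only.append(f)
    # Most severe first so the developer sees what matters at the top of the log.
    blocking.sort(key=lambda f: -SEVERITY_RANK[f.severity])
    report_only.sort(key=lambda f: -SEVERITY_RANK[f.severity])
    return {"blocking": blocking, "report_only": report_only, "suppressed": suppressed}


def build_passes(findings, changed_files, baseline, gate="high"):
    """True when no blocking finding remains; suitable as a CI exit-status decision."""
    return not triage(findings, changed_files, baseline, gate)["blocking"]


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS, SAMPLE_CHANGED_FILES, SAMPLE_BASELINE)
    for bucket, items in result.items():
        print(f"{bucket} ({len(items)}):")
        for f in items:
            print(f"  [{f.severity}] {f.rule_id} {f.path}:{f.line} {f.message}")
    raise SystemExit(0 if build_passes(SAMPLE_FINDINGS, SAMPLE_CHANGED_FILES, SAMPLE_BASELINE) else 1)
```

With the constructed input, the gate blocks on the one high-severity finding in a changed file, reports the critical finding in the untouched legacy file rather than failing a build that did not touch it, and suppresses the baselined finding. The key design choice is that the filter is keyed on the developer's changeset, so the queue a developer sees is the part they can act on in this commit.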
Why This Research Paper?
We typically discuss the motivation for our research papers to help readers understand our goals and what we wish to convey. This is doubly...