A few words about DevSecOps

We have been often asked what is DevSecOps and does it affect the development process. Let’s talk a little about it.

- What is DevSecOps as a framework? What technical tools and processes does it include?

DevSecOps is a process in which verification and security tasks are integrated into a well-organized DevOps approach.

Speaking of the tools that compound the DevSecOps approach, these are primarily SAST, DAST, SCA and pentest.

The task of implementing DevSecOps is to integrate various tools and new processes related to security checks into the existing processes as seamlessly for DevOps as possible. Each organization has its own processes, since everyone has different tools and processes inside DevOps itself. The general processes are the creation of a code review procedure, the description and documentation of processes (to make them understandable and traceable for all participants), and the designation of employees responsible for each part of the process.

- How much does DevSecOps change the established development pipeline in terms of processes, if the company has not used any such tools before? Is there any migration/build-up period? Is it difficult for teams to switch to new processes? What can make this adjustment easier?

In an ideal world, the selected tools and practices should be integrated into the existing processes as seamlessly as possible, making no changes in the existing development pipeline, but only expanding it slightly by adding new metrics (vulnerabilities, undocumented features, etc.). Of course, there are situations when a process needs to be partially revised and adapted to the realities of the Secure.

There is a period of switching to DevSecOps, of course – that’s why it is called a process. It is a mistake to believe that the switch will be made in the snap of a finger. If both the team and the processes are mature enough, everyone understands the importance and necessity of the Secure, then the switch should not be difficult. The description of processes and their optimization, as well as the adoption of internal regulations, makes the adjustment easier, so you can clearly see all the stages and designated employees.

- What does the DevSecOps implementation roadmap look like? Where to start to get the first effect faster? How long does a full switch take?

The DevSecOps implementation roadmap consists of the following stages: description of processes, determination of a stack for check tools, selection of a test zone (usually one or more projects are selected, where the process is tested out), preparation of regulations, designation of employees responsible, and application to other projects with maximum automation.

To get the first effect faster, it is better to start with the processes – to understand whether the DevOps process is fully organized and described, select tools and start testing them on a specific project. After that, optimizing and automating processes should take place.

It is impossible to say exactly how long a full switch takes. The term depends on the team, existing built-up processes, technology stack, development languages, and checkers. There were projects when DevSecOps was implemented in a matter of weeks; in other projects the process may be built and perfected over a year.