A Lap Around DevSecOps


Overview

DevSecOps is a principle of Application Lifecycle Management (ALM) that strives to incorporate security into every aspect of the lifecycle. It is built on top of DevOps (hence the name) and encourages every party to consider security issues in every phase of the application's design, build, test, and release.

The DevSecOps Manifesto

A few years ago, a group of software security professionals collaborated to produce the DevSecOps Manifesto. They were inspired by the wide adoption of the Agile Manifesto, which concisely laid out priorities for Agile software development. Like the Agile Manifesto, the DevSecOps Manifesto declared high-priority factors without dismissing lower-priority factors.

The nine principles of the DevSecOps Manifesto are:

  • Leaning in over Always Saying "No"
  • Data & Security Science over Fear, Uncertainty and Doubt
  • Open Contribution & Collaboration over Security-Only Requirements
  • Consumable Security Services with APIs over Mandated Security Controls & Paperwork
  • Business Driven Security Scores over Rubber Stamp Security
  • Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
  • 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
  • Shared Threat Intelligence over Keeping Info to Ourselves
  • Compliance Operations over Clipboards & Checklist

Principles

Leaning in over Always Saying "No"

At one time, I thought of security teams as adversaries. I would ask for things, and they would deny them. It seemed like their knee-jerk reaction was to refuse my request and cite security issues. This principle does not ask them to stop enforcing good security practices. Instead, it suggests they keep an open mind and try to think of ways to meet a request without introducing additional security risk.

Data & Security Science over Fear, Uncertainty and Doubt

This should be true of every business or technical decision, but it often is not. Base your decisions on hard evidence rather than on emotion or gut feeling. The findings will be more defensible and will probably be more valid.

Open Contribution & Collaboration over Security-Only Requirements

This is the heart of DevSecOps. Security is everyone's responsibility and should involve collaboration among teams. In too many organizations, all security decisions are handled by a single group and are often not considered until other work is complete.

Consumable Security Services with APIs over Mandated Security Controls & Paperwork

Automating security via API calls can be easier to implement and, therefore, more likely to be built into an application. Manual security processes are valuable but can be time-consuming and error-prone.

Business Driven Security Scores over Rubber Stamp Security

What are the reasons for your security policies? Is it simply because you have always done it this way, or is there a valid business reason driving your policies? Think about this before implementing and enforcing rules.

Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities

Security attacks occur in the real world, so it makes sense to simulate the real world when preparing for them. A Red and Blue Team exercise does so, with the Red Team taking on the role of a hostile hacker and the Blue Team acting as the system's defenders. This brings human decision-making into the mix. Automated scans are helpful, but they are not sufficient.

24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident

A proactive approach is almost always better than a reactive one, which often occurs after a security breach has already compromised your system.

Shared Threat Intelligence over Keeping Info to Ourselves

Many organizations jealously guard any information they discover because they believe it gives them a competitive advantage. But all organizations share a common enemy in malicious hackers. It makes sense to share this information to protect everyone.

Compliance Operations over Clipboards & Checklist

This principle emphasizes that security is a mindset within the organization rather than a set of procedures to which one can adhere and feel safe.

Focus of DevSecOps

At its heart, DevSecOps seeks to incorporate security into every aspect of life cycle management.

Fig. 1 shows the tasks that can be added to each phase.

Fig. 1: DevSecOps (Source: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls)

A corollary of this is that every person is responsible for thinking about security. DevSecOps sits on top of DevOps, so a company must have a solid DevOps implementation in place to implement DevSecOps effectively. But the tools you choose are less important than how your organization and employees embrace security awareness. The goal is to shift left the identification and resolution of security issues. This means we try to identify and resolve these issues as early as possible, because doing so is much cheaper and more effective than waiting until later.

Conclusion

DevSecOps is an evolutionary concept - not a revolutionary one. It builds on top of DevOps. It involves all people and all steps in identifying and resolving security issues.