Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

The Fundamentals of Developing Effective DevSecOps

DevSecOps: Building Security Into Design

Bolting Security on to DevOps Without Full Integration is Little More Than Keeping Security in its Own Separate Silo

DevSecOps: Building Security Into Design

Bolting Security on to DevOps Without Full Integration is Little More Than Keeping Security in its Own Separate Silo

The argument for including security within DevOps has largely been won. It is the basis of security by design, and the most effective way of minimizing dormant app vulnerabilities from the huge number of software developments generated in the modern containerized cloud world.

“The security risks inherent in today’s intricate interactions between multiple technology layers, coupled with the globally interconnected and always-on nature of today’s applications, have been compounded by vulnerabilities lying dormant in systems, software, and hardware,” says John Yeoh, VP of research for the Cloud Security Alliance (CSA). “The result is a field ripe for picking by malicious parties across the world.” 

The solution is to expand from DevOps to DevSecOps; but achieving a genuine DevSecOps environment is not easy. Speed in code generation (DevOps) is a different requirement to security in code generation, and one can hinder the other. Simply bolting security on to DevOps without full integration is little more than keeping security in its own separate silo.

To define and roadmap what is necessary to develop effective DevSecOps, the CSA is proposing ‘The Six Pillars of DevSecOps’ (PDF). The purpose is “to provide a holistic framework that blends the traditionally siloed operations: development, infrastructure operations, and information security, into a cohesive group that facilitates creation of secure software.”

CSA’s six pillars are: collective responsibility; collaboration and integration; pragmatic implementation; bridging compliance and development; automation; and measure, monitor, report and action.

Collective responsibility is about changing the corporate mindset. “Security must no longer be seen as someone else’s responsibility,” says the CSA. “Everyone is responsible for the security stance of the organization.” This involves making security part of the company’s fundamental business objectives. From this starting point, security becomes a natural part of DevOps and the transition to full DevSecOps a more natural process.

From collective responsibility, collaboration and integration becomes natural. “Security can only be achieved only through collaboration, not confrontation,” warns the CSA. Confrontation leads to human error which is the cause of most security incidents; collaboration minimizes it.

Pragmatic implementation involves choosing the right tools for the job. There are many tools and solutions for implementing application security within software lifecycles, but, says the CSA, “since every lifecycle is different in terms of structure, processes and overall maturity, there is no one-size-fits-all set of tools to implement DevSecOps.”

It recommends using a framework agnostic security and privacy model focused on application development. “This model,” it suggests, “will fulfill the unmet need of connecting all the stakeholders (development, operations, and security) in a manner such that security is built into applications and the software lifecycle that produces applications.”

Bridging compliance and development has become necessary because the rapid evolution of development processes and practices have meant that compliance and agile development are no longer aligned. Compliance is not an option; it is a requirement. The solution, says the CSA, “is to identify applicable controls, translating them to appropriate software measures and identifying inflection points within the software lifecycle where these controls can be automated and measured to improve the quality of risk mitigation and therefore compliance.”

Automation increases speed and eliminates human error — which are fundamental to the purpose of DevSecOps. “Manual deployment and patching practices can result in insecure software being released to production,” warns the CSA. In fact, the CSA believes so strongly in automated testing that it says, “Processes that can be automated should be automated, and those that can’t should be automated as much as possible or be considered for elimination.”

One of the by-products of automation is often the automated generation of results that can be combined into meaningful metrics. This is the CSA’s sixth pillar: measure, monitor, report and action. “Typical DevSecOps initiatives can take anywhere from months to years to implement depending on scope and complexity. Without actionable metrics, progress cannot be measured and failures cannot be detected in a timely manner.”

It suggests that the most important metrics to monitor in a DevSecOps environment are deployment frequency, vulnerability patch time, percentage code automatically tested, and automated tests per application. This applies both during development and after delivery, and the results must be “acted upon by the right people at the right time (continuously) for DevSecOps to succeed.”

Using these six pillars to both implement and operate DevSecOps will lead to an effective DevSecOps environment, says the CSA. It intends to expand on each pillar in the future.

Related: Security Shifts Left to be Part of Software Development Best Practice: Report 

Related: Shifting to DevSecOps Is as Much About Culture as Tech and Methodology 

Related: SecOps: The Roadkill Victim of DevOps’ Need for Speed 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...