What is DevSecOps

In late 2016, while I was stuck building a CI/CD pipeline with security controls for a PaaS solution at one of the largest UK banks, I kept thinking that every organisation needs a philosophical approach that makes everyone feel responsible for the security of what they build and innovate. In late 2017, while engaged with a large insurance client, I was asked to identify and build security capabilities as an interim solution for an App/Infra CI/CD pipeline, and again I got stuck because there were no blueprints or playbooks for integrating security into each service in the pipeline; for example, a Jenkins playbook containing a detailed operating reference with security built in (for the CI solution).

I seriously thought that enhancing an organisation's DevOps practice with security is a philosophical and cultural shift. In early 2018 I learned the term DevSecOps, which gave me the words for my earlier experiences and thoughts. The name defines it: practise your DevOps culture with an attitude of Security as a Service (SecaaS) and Security as Code (SecaaC). Together, SecaaS and SecaaC define your organisation's operational and engineering efficiency. That is DevSecOps.

DevOps is not only about developing and operating business and teams. As I always say, adopt a DevOps culture and an agile mindset; but if you want a better outcome from those two attitudes, security must also play an integrated role across the full life cycle of your infrastructure and applications. Traditionally the developers, the operations team and the security team are separate. Now it is like a one-man army: the “DevSecOps Engineer”.

As everyone knows, DevOps and agile get your code developed and released faster and more frequently, but a lack of security standards (or legacy standards) can ruin the business goals and make the DevOps approach fail.

My suggestion to developers, ops engineers and security engineers: keep development cycles short and frequent; integrate security measures into them while minimising the operational disturbance that causes; adopt newer technologies such as containers and microservices; and program-manage and scale the DevSecOps approach across teams that are usually isolated from each other. That is a tall order for any organisation.

Next time I will come back here to post more glimpses of pipeline components (infra and app) with security integrated, and will publish some playbooks too.
