From DevOps to DevSecOps

One of the main challenges for software development is reducing time to market. Rapidly changing business conditions have led to an evolution of software development processes from the Waterfall model into Agile and from Agile into DevOps.

Another big challenge is application security. Development has evolved from Waterfall to DevOps in 30 years, but security has remained at almost the same old level. As a result, security now needs to make a rapid leap to become an equal part of DevSecOps. The transition from DevOps to DevSecOps requires embedding application security testing (AST) into the DevOps software development cycle.

What Often Happens in Practice

Currently, application security processes are often not properly integrated into DevOps. This situation creates a bottleneck in software development and, therefore, in the entire business of continuous digital product delivery.

Many companies start by adopting AST tools and practices into their existing DevOps process without a clear, well-thought-out strategy. As a result, after the first part of the journey, they get into a mess and have problems with AST.

Several questions arise:

  • At what stage, and how, should the results provided by AST tools be used, and how do you fix the huge lists of vulnerabilities they find?
  • How can you prioritize all the reported vulnerabilities?
  • What analytics can help you understand the results?
  • How do you measure your progress?
  • When will there be a version of the application that can go into production?
  • How do you effectively organize collaboration between the development, operations, and security teams?

How do you properly approach the integration of AST tools into DevOps, avoid these problems, and find clear answers to these questions?

Implementation Steps

When shifting from DevOps to DevSecOps, you don't need to invent anything new. The proper transition strategy and its implementation have already been thought of and tested in practice. Such a strategy uses one of the products known as Application Security Orchestration and Correlation (ASOC) tools, such as Maverix.

Take a look at the ASOC tools segment and their capabilities (for more details, see Gartner, “Hype Cycle for Application Security”, 2020). After conducting this research, choose a suitable ASOC tool for implementation in the company. If your company already uses some AST tools, make sure that the ASOC tool you choose supports integration with them. Once you have selected the ASOC tool, you need to go through the well-known DevSecOps transition process outlined below.

  1. Install and run Maverix (or another ASOC tool).
  2. Integrate the ASOC platform with the AST tools that may already be in use in your software delivery organization. If there are no such AST tools yet, connect some open source AST tools first, or select at least one COTS AST tool and run it. This sequence of actions enables the software delivery organization to set up its DevSecOps process properly from the very beginning, and provides a solid foundation for a secure development process.
  3. Extend the same approach to every AST tool you connect later. This lets you take full advantage of the orchestration and correlation processes, as well as the metrics provided by the ASOC tool. The resulting clear organization of the DevSecOps process, and the absence of the problems described above, will allow you to quickly assess the effectiveness of the approach.
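To make the correlation and metrics part of step 3 concrete, here is an added example (not Maverix's code, and not any real tool's output format) that merges findings reported by several hypothetical AST tools on the same build, keeps the worst severity seen for each issue, ranks issues that multiple tools agree on higher, and produces a simple per-severity count as a progress metric. The tool names, finding fields and sample findings are all constructed.

```python
"""Correlate findings from several AST tools into one prioritized list.
Added example, not Maverix's code: tool names and findings are constructed."""
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    tool: str       # AST tool that reported it (constructed names below)
    cwe: str        # weakness class, e.g. "CWE-89"
    location: str   # file path or route the finding applies to
    severity: str   # rating as given by that tool

# Constructed sample output of SAST, DAST and SCA scans on one build.
SAMPLE_FINDINGS = [
    Finding("sast-example", "CWE-89", "app/db.py", "high"),
    Finding("dast-example", "CWE-89", "app/db.py", "critical"),   # same issue, confirmed dynamically
    Finding("sast-example", "CWE-79", "app/views.py", "medium"),
    Finding("sast-example", "CWE-79", "app/views.py", "medium"),  # duplicate report
    Finding("sca-example", "CWE-1104", "requirements.txt", "low"),
]

def correlate(findings):
    """Merge reports of the same (cwe, location) pair into one record and
    sort by priority: worst severity first, then issues seen by more tools."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location)
        rec = merged.setdefault(key, {"cwe": f.cwe, "location": f.location,
                                      "severity": f.severity, "tools": set()})
        rec["tools"].add(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[rec["severity"]]:
            rec["severity"] = f.severity   # keep the worst rating any tool gave
    return sorted(merged.values(),
                  key=lambda r: (-SEVERITY_RANK[r["severity"]], -len(r["tools"]), r["cwe"]))

def severity_metrics(correlated):
    """Count open correlated issues per severity: a simple progress metric."""
    return dict(Counter(r["severity"] for r in correlated))

if __name__ == "__main__":
    prioritized = correlate(SAMPLE_FINDINGS)
    for r in prioritized:
        print(r["severity"], r["cwe"], r["location"], sorted(r["tools"]))
    print(severity_metrics(prioritized))
```

Five raw reports collapse into three correlated issues, with the SQL injection that both the SAST and DAST tool reported at the top of the list.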

About Maverix

Maverix is a next-generation ASOC platform and can be used as a solution for shifting from DevOps to DevSecOps.

Maverix is an automation platform that provides a plug-and-play transition from DevOps to DevSecOps. It is focused on application security and manages the application security testing end-to-end. Maverix offers out-of-the-box integrations with software engineering and AST tools. It integrates security checks performed by the AST tools into CI/CD application development pipelines. Maverix serves as an application security automation hub that enables a seamless transition of application development projects from DevOps to DevSecOps based on existing project tools and DevOps practices.