DevSecOps

What is DevSecOps?

Security has traditionally come at the end of the development lifecycle, adding cost and time when code is inevitably sent back to the developer for fixes. It is time to shift left by embracing security earlier within the DevOps lifecycle.

DevSecOps tools automate security workflows to create an adaptable process for your development and security teams, improving collaboration and breaking down silos. By embedding security into the SDLC, you can consistently secure fast- moving and iterative processes - improving efficiency without sacrificing quality.

DevSecOps weaves security practices into every stage of software development right through deployment with the use of tools and methods to protect and monitor live applications. New attack surfaces such as containers and orchestrators must be monitored and protected alongside the application itself.

What is application security?

Application security has been defined by TechTarget as the use of software, hardware, and procedural methods to protect applications from external threats. Modern approaches include shifting left to find and fix vulnerabilities earlier, while also shifting right to protect your applications and their infrastructure-as-code in production. Securing the Software Development Life Cycle (SDLC) itself is often a requirement as well.

This approach of building security into your development and operational processes effectively turns your DevOps methodology into a DevSecOps methodology. An end-to-end DevOps platform can best enable this approach.

DevSecOps fundamentals

If you’ve read the book that was the genesis for the DevOps movement, The Phoenix Project, you understand the importance of automation, consistency, metrics, and collaboration. For DevSecOps, you are essentially applying these techniques to outfit the software factory while embedding security capabilities along the way rather than in a separate, siloed process. Dev or security can find vulnerabilities, but a developer is usually required to remove such flaws. It makes sense to empower them to find and fix vulnerabilities while they are still working on the code. Scanning alone isn’t enough. It’s about getting the results to the right people, at the right time, with the right context for quick action.

Fundamental requirements include automation and collaboration, along with policy guardrails and visibility.

Automation

In our 2020 DevSecOps Survey. we found a majority of developers aren’t running SAST, DAST or other security scans regularly, and automation also lags. A majority of security pros reported their DevOps teams are “shifting left,” but test automation continues to be a huge challenge.

Collaboration

A single source of truth that reports vulnerabilities and remediation provides much-needed transparency to both development and security team. It can streamline cycles, eliminate friction, and remove unnecessary translation across tools.

Policy guardrails

Every enterprise has a different appetite for risk. Your security policies will reflect what is right for you while the regulatory requirements to which you must adhere will also influence the policies you must apply. Hand-in-hand with automation, guardrails can ensure consistent application of your security and compliance policies.

Visibility

An end-to-end DevSecOps platform can give auditors a clear view into who changed what, where, when, and why from beginning to end of the software lifecyle. Leveraging a single-source-of-truth can also ensure earlier visibility into application risks.

Getting started

Ready to see how GitLab can help you get started with DevSecOps?

Our DevSecOps Solution. page has all of the details, along with a Free Trial offer for our Ultimate tier of capabilities.

Assess your DevSecOps maturity

We have developed a simple assessment that uses twenty questions to help you determine where you excel and areas for improvement. A helpful guide suggests steps to get you started.

Assess yourself →.