The emergence of DevSecOps:
As DevOps adoption accelerates software delivery, security problems become more prominent. In the traditional development process, security is the last step: shortly before an enterprise system goes live, security staff are notified to test it, and some systems go live with no security testing at all, so incidents are frequent. The common enterprise pain points are:
1. Late discovery: vulnerabilities are usually found only after the system is in production, when losses have already occurred.
2. Recurrence: the same vulnerability appears repeatedly across different teams; nobody can determine the scope of its impact, there is no unified oversight, and no vulnerability data is accumulated that would let the organisation learn from it.
“DevSecOps” extends and evolves the DevOps concept. Its core idea is that security is the responsibility of everyone on the IT team (development, operations and security alike) and must run through every stage of the business life cycle, from development to operation. DevSecOps arose to change the status quo of earlier security work: testing that was isolated from delivery, performed too late, scheduled ad hoc, incomplete in coverage and inconsistent across changes. By standardising the process, strengthening cooperation between roles, and integrating automated, repetitive security work into the engineering system through tooling, security becomes a built-in property of the whole pipeline.
DevSecOps is a new security concept whose role and significance rest on the principle that “everyone is responsible for security”. By strengthening internal security testing, it actively looks for vulnerabilities, fixes them promptly, keeps risk under control and integrates well with business processes. In the past, security was handled by a dedicated team at the final stage of development. When a development cycle lasted months or even years that was workable, but it no longer is: effective DevOps enables rapid and frequent delivery cycles (sometimes only weeks or days end to end), and outdated security practices undermine that speed even for the most efficient DevOps programme.
Security is now a shared responsibility within the DevOps collaboration framework, and the corresponding security functions need to be integrated throughout the cycle. This is an important idea, and it is what gave rise to the term “DevSecOps”, which stresses that a DevOps programme needs a solid security foundation. DevSecOps means that the security of applications and infrastructure is considered from the beginning, and that security gates are automated so that the DevOps workflow is not slowed down. Choosing the right tools to enforce security continuously helps achieve that goal, but effective DevOps security requires more than new tools: it builds on the cultural change of DevOps so that the security team's work is integrated as early as possible.
Whether you call it “DevOps” or “DevSecOps”, it is best to ensure security throughout the application life cycle. DevSecOps is about built-in security, not security that functions as a perimeter around applications and data. An organisation adopting DevOps that leaves security to the last step of the development process will find its development cycle getting longer, which is exactly the situation it set out to avoid. In part, DevSecOps means inviting the security team in when the DevOps programme is launched, to secure information and to plan automated security protection from the outset. It also means helping developers secure their code: throughout the process the security team shares visibility, provides feedback and contributes intelligence about known threats.
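The automated security gate mentioned above, and the vulnerability-recurrence pain point from the list, are easiest to see in code. The following is an added example written for this page, not code from the original article or from any DevSecOps product: a small pipeline gate that reads a scanner report, blocks the build on findings at or above a policy threshold, honours recorded risk acceptances instead of letting engineers bypass the gate ad hoc, and fingerprints each finding so that the same defect is recognised when it reappears in another team's code. The report format, rule names, file paths and snippets are all constructed for the example; they do not correspond to any real scanner's schema.

```python
"""Minimal CI security gate (added example, not from the original page)."""
import hashlib
import json
import sys

# Severity ordering used by the gate policy. A severity the policy does not
# know is ranked above "critical" so that a malformed report fails closed.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN_RANK = max(SEVERITY_RANK.values()) + 1

# Constructed sample scanner output. The schema is hypothetical (a simplified
# findings list, not any real tool's format) and the snippets are made up.
SAMPLE_REPORT = json.dumps({
    "tool": "example-sast",
    "findings": [
        {"rule": "py.sql.injection", "severity": "critical",
         "file": "app/orders.py", "line": 42,
         "snippet": "cursor.execute(\"SELECT * FROM orders WHERE id=\" + order_id)"},
        {"rule": "py.secret.hardcoded", "severity": "high",
         "file": "app/config.py", "line": 7,
         "snippet": "API_KEY = \"placeholder-not-a-real-key\""},
        {"rule": "py.crypto.weak-hash", "severity": "medium",
         "file": "app/auth.py", "line": 19,
         "snippet": "digest = hashlib.md5(password).hexdigest()"},
        {"rule": "py.dep.outdated", "severity": "low",
         "file": "requirements.txt", "line": 3,
         "snippet": "requests==2.19.0"},
    ],
})


def parse_report(text):
    """Return the findings list from a report in the sample schema."""
    return json.loads(text)["findings"]


def fingerprint(finding):
    """Stable identity of a finding: rule + file + whitespace-normalised snippet.

    The line number is deliberately left out, so unrelated edits that shift
    code up or down do not turn an accepted finding into a "new" one, and the
    same defect pasted into another repository hashes identically as long as
    rule, path and code match. Drop "file" if you want matching by code alone.
    """
    snippet = " ".join(finding.get("snippet", "").split())
    material = "|".join([finding["rule"], finding["file"], snippet])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def severity_rank(severity):
    return SEVERITY_RANK.get(str(severity).lower(), UNKNOWN_RANK)


def evaluate_gate(report_text, fail_at="high", accepted=frozenset()):
    """Apply the gate policy to a report.

    fail_at:  lowest severity that blocks the pipeline (must be a known level).
    accepted: fingerprints of findings with a recorded risk acceptance; these
              are reported as suppressed instead of blocking.
    Returns {"passed", "blocking", "suppressed", "warnings"}.
    """
    if str(fail_at).lower() not in SEVERITY_RANK:
        raise ValueError(f"unknown gate threshold: {fail_at!r}")
    threshold = severity_rank(fail_at)
    blocking, suppressed, warnings = [], [], []
    for finding in parse_report(report_text):
        entry = dict(finding, fingerprint=fingerprint(finding))
        if severity_rank(finding.get("severity")) < threshold:
            warnings.append(entry)           # reported, does not block
        elif entry["fingerprint"] in accepted:
            suppressed.append(entry)         # risk accepted on record
        else:
            blocking.append(entry)           # fails the build
    blocking.sort(key=lambda f: -severity_rank(f.get("severity")))
    return {"passed": not blocking, "blocking": blocking,
            "suppressed": suppressed, "warnings": warnings}


def main():
    # A real pipeline would read acceptances from a reviewed file in the repo;
    # here the hard-coded secret finding is accepted inline for illustration.
    accepted = {fingerprint(parse_report(SAMPLE_REPORT)[1])}
    result = evaluate_gate(SAMPLE_REPORT, fail_at="high", accepted=accepted)
    for f in result["blocking"]:
        print(f"BLOCK    {f['severity']:<8} {f['rule']} {f['file']}:{f['line']} [{f['fingerprint']}]")
    for f in result["suppressed"]:
        print(f"ACCEPTED {f['severity']:<8} {f['rule']} {f['file']} [{f['fingerprint']}]")
    for f in result["warnings"]:
        print(f"WARN     {f['severity']:<8} {f['rule']} {f['file']}:{f['line']}")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pipeline step, the non-zero exit code is what stops the build. Two design points matter in practice: the policy fails closed on unknown severities and rejects an unknown threshold, so a broken report or a typo in the gate configuration cannot silently let everything through; and because the fingerprint is independent of line numbers, the same fingerprints can be collected centrally across teams, which is the unified record the recurrence pain point above says is missing.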