How DevSecOps Can Change Your Business in 2021

With AWS re:Invent coming up later this month, many businesses will be attending sessions and asking the same question—“How can I make my team and business run more effectively coming into 2021?” 2020 has forced us to learn new skills and adapt to different operations a an alarming rate. Software development is no exception. DevSecOps provides a framework to enhance your production teams’ ability to create effective and secure software.

To learn more about the value of DevSecOps and how cloud and cybersecurity are key ingredients, please visit UNCOMN at engage.uncomn.com.

DevSecOps Culture

DevSecOps is an evolution of DevOps with the additional requirement that agile software development teams make security a priority during each step of the development lifecycle. Typically, security processes are implemented as a discrete step to inspect, scan, and review code at a particular checkpoint. In contrast, teams leveraging the DevSecOps model embrace security constantly and consistently as an integral component of the software development lifecycle. Teams that employ DevSecOps consider security as part of their ongoing deployment and delivery pipeline process.

One of the most challenging aspects of transitioning from DevOps to DevSecOps is creating more open and communicative teams. Development teams are often pressed to release capabilities rapidly. Software development culture can lead to siloed small teams responsible for different elements of a project. Teams have tight schedules and tend to divide and conquer, separating into focused teams, frequently rolling out new features. Collaboration during daily scrum meetings, standups, or Jira actions should include security considerations as teams mature. Many organizations have a culture that injects security assessments at later stages in the normal development process.

However, using DevSecOps, security becomes an integral part of the development process in the plan, code, build, and test steps. This is much better than waiting until the operations phase of release, deploy, operate, and monitor to focus on security.

DevSecOps provides a great benefit to development, security, and operations by promoting consistency and speed through automation.

So why should you care about DevSecOps?

• Enables businesses to rapidly deploy capabilities to better serve customers by rolling out new features at a fast pace.
• Ensures that applications are secure to protect data, critical applications, and a company’s reputation. Companies who are hacked due to un-secure development practices often never fully recover their reputation.
• Focuses developers on what they do best, build code and applications, instead of worrying about deployment details such as infrastructure because the proper configuration of the AWS ecosystem can automate these for development teams.

AWS DevSecOps and Integrated Capabilities

AWS offers several relevant capabilities that utilize our favorite tools to perform DevSecOps. There are several AWS offerings we have looked at including:

• AWS CodeBuild – Continuous Integration (CI) service that compiles source code, runs tests and produces software packages that are ready to deploy.
• AWS CodeCommit – Source control service that hosts Git repositories.
• AWS CodePipeline – Continuous Deployment (CD) service to automate release pipelines for fast and reliable application and infrastructure updates.
• AWS CodeDeploy – Service that automates software deployments to compute services, including EC2, Fargate, and Lambda.
  The key value add of using these services is that they are fully managed and designed to work within the overall AWS ecosystem. The overall benefit of using AWS services in your DevSecOps pipelines is how they are integrated with other vital services in AWS such as:
• CloudFormation (infrastructure-as-code) for spinning up compute resources. This allows developers to focus on building code while taking advantage of reusable infrastructure templates. The same code review and quality processes can be applied to changes to infrastructure as is done in the DevSecOps code process.
• CloudWatch is used for logging and monitoring key metrics related to your operational resources. Many useful metrics come out of the box and you can build custom metrics depending on exactly what you want to monitor.
• CloudTrail monitors activity within your AWS account, such as logging Application Protocol Interface (APIs) calls, captures a trail of events happening in your account that you can store and analyze using other AWS tools.
• Security services such as Identity and Access Management (IAM) security groups and configurations, Secrets Manager, Key Management Service, and Secure Token Service, and Certificate Manager as well as necessary exploit protection services such as AWS Shield, Web Application Firewall (WAF), and AWS Firewall.
• Microservices, containers, and web applications that use AWS services such as Elastic Container Service (ECS), Elastic Container Registry (ECR), Elastic Kubernetes Services (EKS), Fargate, and Elastic Beanstalk.
  This integration of DevSecOps and 3rd party tools with the AWS ecosystem allows DevSecOps teams to focus on building code and leveraging automation for deployment, testing, fielding, and spinning up of resources.
  Navigating through the complexity of when and how to use all of these services in combination with each other is vitally important. AWS is the gold standard for cloud service providers (CSPs). Since AWS offers such an impressive range of services, it can be challenging to navigate how to use them all in combination as efficiently and cost-effectively as possible. UNCOMN has experience helping clients navigate through this complex web to take advantage of all that AWS has to offer. It’s a worthwhile journey that we look forward to helping you take.

DevSecOps Process