Let’s look at the definition of DevSecOps again: it is a culture shift in the software industry that aims to bake security into the rapid-release cycles typical of modern application development and deployment, also known as the DevOps movement.
Let’s focus on one part of that definition, “bake security into the rapid-release cycles”: how can we make sure that security requirements and controls work within the new automated process? At the end of the day, the security team doesn’t want to be blamed as the main reason releases are delayed.
With DevSecOps automation, everything must move quickly. The old security processes may not fit rapid release cycles, and neither may the old security tools. Security professionals in any enterprise must therefore assess their current processes and tools to ensure a smooth transition to DevSecOps. If the old tools won’t work for automation, don’t try to force them. I have tested many tools in the industry, open source and commercial ones; let me be perfectly clear, there is no magical tool that can provide you with everything you wish for. We will have an in-depth discussion about the tools later on.
Moving forward, looking at the picture below, it doesn’t mean that security sits only in the middle between Development and Operations; security is everywhere. Security must be integrated with every stage of the software development life cycle (SDLC). It is crucial that the process accounts for security every step of the way.
This image illustrates, to some extent, the security lifecycle of DevSecOps. The left side of the image represents development: you can see threat modeling, testing, static analysis, etc. The right side represents operations: logs, audit, response and recovery. It is a complete lifecycle bounded by security requirements throughout the process.
Based on my experience, many project managers fail to account for security activities when initiating the project plan. Some skip including any dollar amount for security as part of the proposed budget. They treat security as an afterthought, and this is one of the most critical mistakes that can delay a project; deadlines and milestones are missed because of it.