{"id":21913,"date":"2019-12-12T14:28:37","date_gmt":"2019-12-12T14:28:37","guid":{"rendered":"https:\/\/www.devopsonline.co.uk\/?p=21913"},"modified":"2019-12-12T14:28:37","modified_gmt":"2019-12-12T14:28:37","slug":"the-fading-distinction-between-devops-and-devsecops","status":"publish","type":"post","link":"https:\/\/devopsnews.online\/the-fading-distinction-between-devops-and-devsecops\/","title":{"rendered":"The fading distinction between DevOps and DevSecOps"},"content":{"rendered":"
Beyond the financial risk of the regulatory fines that follow a data breach, every company has a duty to protect the sensitive data of its customers and employees. A company that fails in that duty may break the law and, just as damagingly, puts its reputation at stake by losing the trust of the people whose data it holds.<\/p>\n
The cheapest point at which to find and fix security vulnerabilities is before a product reaches the market: test the software for weaknesses and remedy them before release. Until recently, however, software delivery teams had deprioritised security testing, largely because of time pressure and a focus on shipping innovative, user-friendly products ahead of the competition.<\/p>\n
Yet times are changing. Over the last few years there has been a gradual shift in mindset around security within the DevOps community. Since its inception, a core element of DevOps has been delivering value to the customer rapidly, but under tight deadlines security weaknesses can be introduced or overlooked. This is why DevOps teams have started to take more accountability for establishing security testing within their continuous testing process.<\/p>\n
The practice of treating security as a shared responsibility and embedding it within the software delivery process is commonly known as \u2018DevSecOps\u2019. Everyone on a DevOps team, from developers to testers to operations staff, is responsible for the security of the software they ship, at every stage of the process \u2013 design, development and production.<\/p>\n
Firstly, DevOps teams need to consider the security vulnerabilities that could be introduced or exposed by the initial software design. By attaching security criteria to each user story, the team can turn those criteria into tests that run as part of its automated continuous testing cycles.<\/p>\n
Importantly, these security tests keep running as the software, its components and its configuration move through the delivery pipeline. A weakness detected at any stage raises an alert, so the team can fix the issue when it arises rather than after release.<\/p>\n
What\u2019s more, once the software is deployed, additional security tests run against production so that vulnerabilities introduced by configuration changes, software updates and environment changes are picked up there too.<\/p>\n
In practical terms, here are three key steps that teams can take to integrate security into DevOps.<\/p>\n
Security testing in DevOps<\/h4>\n
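The user-story security criteria described above are easiest to keep "always running" when they are written as ordinary automated tests that a pipeline stage can fail the build on. The following is an added example, not code from the article or from any product it mentions: a constructed in-memory stand-in for an application (the `handle_request` function, the `SESSION_COOKIE` name and the routes are all assumptions made for illustration) with a `hardened` switch, and four acceptance criteria for a "view my account" story expressed as checks. The weak configuration reproduces the kind of mistakes the criteria are meant to catch; the hardened one passes.

```python
# Added example (not from the article): security acceptance criteria for one user
# story, written as automated checks that a CI stage can run on every build.
# The application under test is a constructed, in-memory stand-in; its names
# (handle_request, SESSION_COOKIE, the routes) are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

SESSION_COOKIE = "sid"  # assumed cookie name


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def handle_request(method: str, path: str, headers: Dict[str, str], hardened: bool) -> Response:
    """Constructed stand-in for the app. hardened=False reproduces the mistakes the
    criteria are meant to catch; hardened=True is the fixed version."""
    cookie = headers.get("Cookie", "")
    logged_in = f"{SESSION_COOKIE}=valid" in cookie

    if method == "POST" and path == "/login":
        # The weak version issues the session cookie without any protective flags.
        flags = "; Secure; HttpOnly; SameSite=Strict" if hardened else ""
        return Response(204, {"Set-Cookie": f"{SESSION_COOKIE}=valid{flags}"})

    if method == "GET" and path == "/account":
        if not logged_in:
            if hardened:
                return Response(401, {}, '{"error":"authentication required"}')
            # Weak version: anonymous callers still receive a (default) account page.
            return Response(200, {}, '{"account":"guest","balance":0}')
        return Response(200, {}, '{"account":"alice","balance":42}')

    # Unknown route: the weak version leaks internals in its error body.
    body = "Traceback: router.py line 17 KeyError" if not hardened else '{"error":"not found"}'
    return Response(404, {}, body)


def story_criteria(hardened: bool) -> Dict[str, bool]:
    """Security criteria attached to the 'view my account' user story.
    Each key is one acceptance criterion; True means it passed."""
    results: Dict[str, bool] = {}

    # 1. Account data must not be served to an unauthenticated caller.
    anon = handle_request("GET", "/account", {}, hardened)
    results["unauthenticated_account_denied"] = anon.status == 401 and "balance" not in anon.body

    # 2. The session cookie issued at login must carry Secure, HttpOnly and SameSite.
    login = handle_request("POST", "/login", {}, hardened)
    set_cookie = login.headers.get("Set-Cookie", "").lower()
    results["session_cookie_flags"] = all(
        flag in set_cookie for flag in ("secure", "httponly", "samesite=")
    )

    # 3. A logged-in user must still reach the page (the control must not break the story).
    authed = handle_request("GET", "/account", {"Cookie": f"{SESSION_COOKIE}=valid"}, hardened)
    results["authenticated_access_works"] = authed.status == 200

    # 4. Error responses must not reveal stack traces or source file names.
    err = handle_request("GET", "/does-not-exist", {}, hardened)
    results["errors_do_not_leak_internals"] = (
        "traceback" not in err.body.lower() and ".py" not in err.body
    )
    return results


def gate(results: Dict[str, bool]) -> List[str]:
    """Return the failed criteria; a CI stage fails the build when this list is non-empty."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for mode in (False, True):
        failed = gate(story_criteria(hardened=mode))
        print(f"hardened={mode}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

The point of `gate` returning the failed criteria by name is that the pipeline alert the article describes then says which acceptance criterion of which story was broken, rather than just that "security tests failed"; with a real application the stand-in handler is replaced by HTTP calls against the build under test, and the same criteria can be re-run against production after each deployment or configuration change.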
Embedding security<\/h4>\n