Understanding the DevOps Approach to Code Security
DevOps generally means integrating software development (dev) and information technology operations (ops) to speed the lifecycle, deliver better features, updates and fixes, and more. What’s sometimes missing from this perspective? Security. Here’s a description of how to bring security fully into this picture, and integrate it all the way from design, through development and test, and into production.
By Wikipedia’s definition:
DevOps is a set of software development practices that combines software development (Dev) and information technology operations (Ops) to shorten the systems development life cycle while delivering features, fixes, and updates frequently in close alignment with business objectives.
Most experts agree that DevOps actually combines three key ingredients:
- People, meaning developers and their hangers-on (testing, QA, and so forth), IT professionals, and other “interested parties” – usually stakeholders in what’s being developed and maintained.
- Process, meaning a deliberate and calculated focus on the software development lifecycle as a formal process, that uses methods like Scrum to codify and stimulate team communications among all the people involved (not just developers, but everybody) with CI/CD (Continuous Integration and Continuous Deployment) to continuously integrate code changes and deploy applications to production as needed, scheduled, or available.
- Tools, meaning software tools used to help the people fully implement the process. Tools that enable IT automation are essential to making DevOps work properly.
According to The DevOps Handbook, the real essence of DevOps depends on “applying the most trusted principles from the domain of physical manufacturing and leadership to the IT value stream.” It goes on to mention a slew of bodies of knowledge that include Lean, Theory of Constraints, resilience engineering, learning organizations (continuous learning and continuous improvement), safety culture, human factors, and more. On the leadership side, it cites high-trust management cultures, servant leadership, and organizational change management. DevOps isn’t just a combination of Dev and Ops; it’s actually an entire frame of reference for doing development and IT correctly, responsibly, and repeatably.
Where Does Code Security Come Into DevOps?
The short, flippant answer to this question is correct, but overly brief – namely “Everywhere.” That is, security has to be part of the process used for DevOps, it has to be built into the tools used to do DevOps (or make it happen), and, above all, it needs to be high up in the minds of the people involved in DevOps.
Kiuwan offers a way to bring security in throughout the entire DevOps lifecycle. It offers the ability to scan code for vulnerabilities and even to automate relevant remediation (where available). And because the Kiuwan tools integrate with various well-known development environments, scanning code for security vulnerabilities, adopting secure coding standards, and automatic error prevention become part and parcel of the development, test, and update/maintenance processes across the entire lifecycle.
Kiuwan’s IDE integrations encompass the following families and items:
- Eclipse-based IDEs: Luna, RAD, IBM Rational Developer
- Microsoft Visual Studio and Visual Studio Code
- JetBrains-based IDEs: IntelliJ IDEA, PhpStorm, PyCharm, Android Studio, and CLion
Thus, organizations gain lots of traction to build security (and code scanning) into all phases of their development, maintenance, and deployment efforts. This is why some refer to the most productive mindset in this arena not simply as DevOps but rather as DevSecOps to put security on par with the equally important frameworks that help to formalize and codify the development and operations pieces of this overall puzzle.