General | 3 min read - September 18, 2020

DevSecOps: the perfect balance between agility and security

This post is also available in: Português English

Creating software and keeping it up to date is a constant and complex process that requires close integration between the Development (Dev) and Operations (Ops) teams. This way of working together is called DevOps, a term coined ten years ago by software engineers John Allspaw and Paul Hammond in a talk about how they brought the development and operations teams at Flickr closer together. However, with growing demands for greater security in information systems, the term has been extended to DevSecOps, which brings a team specialized in security into the process.

In this context, DevSecOps considers application and infrastructure security from the beginning of the development phase. This leads to automated security gates that bring consistency to deliveries without slowing DevOps down. Therefore, you need to select the right tools to integrate security seamlessly and quickly. It must be kept in mind, however, that bringing security into DevOps requires cultural change within companies, so that the result meets the expectations of the teams involved in building and maintaining products.

The evolution in the way of making software

To understand more clearly the team connection that is the basis of DevSecOps, it helps to recount a little of the evolution of software production methodology. In past decades, the prevailing process was known as the waterfall (cascade) model. In it, the steps followed this sequence: system requirements, software requirements, analysis, code design, coding, testing and finally operation.

The model worked well, but it had weaknesses. One is that there was no feedback between the stages and the teams in charge of them. Another flaw is that testing came at the end of the cycle, so any necessary adjustment could affect the previous steps, a situation that tends to blow deadlines and budgets. With the need for ever shorter delivery cycles and an ever higher demand for quality, the waterfall methodology soon became outdated and incompatible with a world that depends more and more on technology.

For these reasons, the development of agile methodologies for conducting software projects became essential. Such methodologies need practices and tools totally different from those in use until then, deeply reordering the development and operations roles as well as their very essence.

An alternative called DevOps

In the older methodologies, the development team was on one side, looking for autonomy and working toward shorter release cycles, even daily ones; on the other side was the operations team, with a completely different pace, in the midst of processes that demand more control and stability. Because the two areas are so distinct, conflicts arose that were harmful to products and to companies as a whole.

Then came movements that encouraged the two areas to work together, collaboratively and with common goals, seeking tools, processes and practices aimed at optimizing work and leading to more satisfactory results. These were the seeds of DevOps.

With DevOps, the development team gained a better understanding of the processes, challenges and problems faced by the operations team, and vice versa. The objective then becomes finding ways to simplify procedures in order to make everything more agile. In this way, concerns such as continuous integration and continuous delivery, monitoring, logging and scalability receive greater emphasis and the most effective treatment possible.

Everything settled, then? Not quite. There was another area not yet involved, whose importance has grown exponentially in recent years, with its own values, practices and processes: information security. Hence the emergence of the DevSecOps concept.

Security as part of the development process

To integrate information security into this context, one must determine risk tolerance and conduct a risk/benefit analysis. It is necessary to define, for example, the number of security controls for each application. In this context, automating repetitive tasks is critical in DevSecOps, as manual security checks can be time-consuming and undermine effectiveness.
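One way to express the risk tolerance and automated checks described above is a policy-driven security gate that a pipeline stage runs instead of a manual review. The following Python is an added example, not code from the original post or from OSTEC; the scanner report format, severity thresholds and accepted-risk entries are constructed assumptions.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample scanner output (not from any real tool); the JSON shape
# is an assumption made for this example.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "CRITICAL", "component": "libexample"},
    {"id": "F-2", "severity": "HIGH", "component": "webapp"},
    {"id": "F-3", "severity": "MEDIUM", "component": "webapp"},
    {"id": "F-4", "severity": "LOW", "component": "cli"},
]})

# Risk tolerance: maximum number of findings allowed per severity before the
# stage fails; None means "report only". Thresholds are illustrative.
POLICY = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 5, "LOW": None}

# Outcome of a risk/benefit analysis: finding ids accepted until an expiry
# date (ISO format). Constructed values for illustration.
ACCEPTED_RISKS = {"F-2": "2020-12-31"}

def evaluate_gate(report, today, policy=POLICY, accepted=ACCEPTED_RISKS):
    """Return (passed, breaches, counts) for one pipeline security gate.

    report is the scanner JSON (string or already-parsed dict); today is an
    ISO date string. Accepted findings are skipped only while their expiry
    lies in the future, so an expired acceptance counts again and the risk
    decision has to be re-examined. Severities absent from the policy are
    treated as breaches, so a misconfigured scanner cannot silently pass."""
    data = json.loads(report) if isinstance(report, str) else report
    today_d = date.fromisoformat(today)
    active = [f for f in data["findings"]
              if not (f["id"] in accepted
                      and date.fromisoformat(accepted[f["id"]]) >= today_d)]
    counts = Counter(f["severity"].upper() for f in active)
    breaches = [sev for sev, limit in policy.items()
                if limit is not None and counts.get(sev, 0) > limit]
    breaches += sorted(set(counts) - set(policy))
    return (not breaches, breaches, dict(counts))

if __name__ == "__main__":
    passed, breaches, counts = evaluate_gate(SAMPLE_REPORT, "2020-09-18")
    print("counts:", counts, "gate:", "PASS" if passed else "FAIL", breaches)
    raise SystemExit(0 if passed else 1)  # non-zero exit stops the pipeline
```

Medium and low findings are reported but never block delivery under this policy, which is how the gate keeps interruptions to a minimum while still failing fast on what the risk tolerance forbids.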

The advice, then, is to keep development cycles short and frequent, and to integrate security measures with the least possible interruption to operations. Another measure is to keep pace with innovative technologies and promote close collaboration between teams, especially those that work in isolation. Because of the complexity of the initiative, the adoption of DevSecOps can be supported by companies specialized in information security, such as OSTEC. Call us and find out which differentials we can bring to your business!
