What is DevSecOps?

DevOps is a trend in computing that doesn’t seem to be going away, because it works. But that doesn’t mean there isn’t room for improvement. Let’s talk about what DevSecOps brings to DevOps, why security vendors are trying to get into this game, and how Nucleus can help you build or improve a DevSecOps culture.

To understand DevSecOps, you first have to understand DevOps. Admittedly, you can ask 10 people about DevOps and get 10 very different answers. The simple answer is that it’s a collaborative approach by engineers, for engineers, that allows them to work faster, more effectively, and with more flexibility.

There are eight phases to the software development lifecycle: plan, develop, build, test, release, deliver, deploy, operate, and monitor. The approach is iterative by design, recognizing that software is never done. The Agile Delivery Methodology replaces the “big bang” style delivery of the old Waterfall software development process with small, frequent deliveries that make it easier to change course as necessary.

Each small delivery is accomplished through a fully automated or semi-automated process with minimal human intervention, which accelerates continuous integration and continuous delivery. This lifecycle is adaptable and includes numerous feedback loops that drive continuous process improvements. DevOps makes this lifecycle that much faster and more cohesive by sitting software engineers and operations engineers side by side, encouraging them to collaborate during each step of the process.

Having started my IT career in the 90s, I can attest that this approach is superior to what we had in the bad old days. Today we get better products faster, with more reliability and more innovation. And those continuous releases scratch our instant gratification itch much better than those big releases that only appeared every few years.

So why mess with a good thing?

Shifting Left

I first heard about DevOps at a security conference — and in those optimistic, early days, security was built in and implied. In practice, implied security often left security on the outside looking in. So we started saying the quiet part out loud so security wouldn’t be left out.

The easiest question on my last certification test was probably the most important. It asked, “When is security cheapest and most effective?” The right answer was “when security gets involved as early in the process as possible”, a concept that now has its own buzzword, “shifting left”. Shifting left is, in effect, another name for DevSecOps.

Ultimately the goal of DevSecOps is to make sure those rapidly deployed systems and software are secure, not a huge fleet of pwnme boxes. While DevOps is largely about making things happen faster, getting pwned isn’t something you want to happen faster.

When application security teams are involved, they can ensure internally developed software is built in as secure a fashion as possible, and that any security flaws that do occur get fixed as quickly as possible.

And if DevOps makes IT practices happen more quickly, why can’t it also make patching happen more quickly? It can, as long as those patching updates are factored into the release cycles. Patches need to be part of the process, not an afterthought.

Security at DevOps speed sounds like a tantalizing idea. Is there any way to make it a reality? After all, sysadmins and developers have a notoriously hard time getting along, but if there’s anyone they both dislike even more, it’s security.

DevOps pioneer Gene Kim wrote a best-selling book called The Phoenix Project that tells the story of a company using DevOps to fix its broken IT and stay in business. The villain of the book in the beginning was the CISO. Who else?

How Nucleus Can Help DevSecOps

One problem with trying to shoehorn security into DevOps is the tool set. DevOps tools and many popular security tools weren’t designed with each other in mind. Network vulnerability scanners don’t integrate with Jira. Network vulnerability scanners don’t integrate with application security products either. Even if you buy network and application security tools from the same vendor, they don’t give you a unified view. And in my experience, getting the whole team to agree on a single vendor is very difficult. Buying multiple tools from multiple vendors so you can mix and match capabilities is very common, especially in the AppSec space. While there are vendors who want to sell the whole tool set, no one has figured out how to be everything to everyone.

Being everything to everyone may not be possible in this model. Note Microsoft’s shift in attitude toward Linux during this era.

Nucleus doesn’t try to be everything to everyone. We glue your other tools together. Sometimes we’re even able to pull some of your legacy tools and data into the modern DevSecOps era. And if you decide to upgrade your existing tools or complement them with some new tools, Nucleus will integrate with the new tools too.

Nucleus can ingest the data from your existing tools, new and old, and bring it together in one place. But more importantly, it can also integrate with ticketing systems. And not just the ticketing system your infrastructure team uses. It integrates with Jira, too. So when you find issues, Nucleus creates tickets in the appropriate ticketing system. Unlike some other solutions, the integration with Nucleus is bidirectional, pulling in updates from the ticketing system, not just creating tickets and throwing them over the cubicle wall. And if you want, it can create alerts in messaging systems too.

Nucleus solves everyone’s least favorite thing about vulnerability management tools: it lets you assign ownership of classes of vulnerabilities to different teams, which improves efficiency for all. In Nucleus, teams see only the vulnerabilities in their area of responsibility rather than a CSV full of scan results. A DBA sees only database vulnerabilities, not operating system vulnerabilities. This lets those teams collaborate with security without distraction, for faster remediation.

Also, unlike many other vulnerability management tools, developers get the same capability everyone else gets. Nucleus can track and route the developers’ vulnerabilities just as easily as any other. Developers can see what they need to fix much earlier, and without us wasting their time. Having comparable capabilities across your organization is a key sign of VM program maturity.

More importantly, it stays out of the way and keeps ticketing systems from getting in the way. If there was one thing I didn’t want back when I was a sysadmin, it was tickets for vulnerabilities. On average it took me longer to close a ticket than to patch the vulnerability. Why? I could deploy patches in bulk; closing tickets is a manual process, repeated for each ticket, that involves multiple mouse clicks. I didn’t want to waste time fighting ticketing systems when I could be doing real work.

But managers love tickets because they can be measured and tracked. Nucleus helps because it doesn’t just flood your remediation teams with tickets. When new scan results come in and a vulnerability no longer appears, Nucleus closes its ticket. It automates tickets from beginning to end.
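The two behaviours described above, routing each finding to the team that owns that class of vulnerability and opening and closing tickets automatically as scan results change, can be shown as a small reconciliation loop. This is an added illustration written for this page, not Nucleus code; the ownership rules, the check identifiers and the sample scans are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical ownership rules: which team owns which class of finding.
OWNERS = {"database": "dba", "os": "sysadmin", "application": "appsec"}
FALLBACK_TEAM = "security"  # unrouted classes land with the security team for triage

@dataclass(frozen=True)
class Finding:
    asset: str
    check_id: str    # the scanner's own identifier for the check (constructed values in demo)
    category: str    # "database", "os", "application", ...

    @property
    def key(self) -> tuple[str, str]:
        return (self.asset, self.check_id)

@dataclass
class Ticket:
    finding: Finding
    team: str
    status: str = "open"

def reconcile(tickets: dict[tuple[str, str], Ticket], scan: list[Finding]) -> dict[tuple[str, str], Ticket]:
    """Open one ticket per new finding (routed to its owning team), close tickets whose
    finding is absent from the latest scan, and reopen a closed ticket if the finding returns."""
    present = {f.key for f in scan}
    for f in scan:
        t = tickets.get(f.key)
        if t is None:  # new asset+check pair: exactly one ticket, never a duplicate
            tickets[f.key] = Ticket(f, OWNERS.get(f.category, FALLBACK_TEAM))
        elif t.status == "closed":  # regression: the same finding came back
            t.status = "open"
    for key, t in tickets.items():
        if t.status == "open" and key not in present:
            t.status = "closed"  # remediated: nobody has to click through the ticket by hand
    return tickets

def queue_for(tickets: dict[tuple[str, str], Ticket], team: str) -> list[tuple[str, str]]:
    """What one team sees: only open tickets in its own area of responsibility."""
    return sorted(k for k, t in tickets.items() if t.team == team and t.status == "open")

def demo() -> dict[tuple[str, str], Ticket]:
    # Constructed sample scans: the first run finds three issues, the second shows two fixed.
    first = [Finding("db01", "CHK-101", "database"), Finding("db01", "CHK-202", "os"),
             Finding("web01", "CHK-303", "application")]
    second = [Finding("db01", "CHK-202", "os")]
    tickets = reconcile({}, first)
    return reconcile(tickets, second)
```

After the second scan only the OS ticket remains open in the sysadmin queue; the DBA and AppSec queues are empty because their findings were closed automatically.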

Nucleus can do a lot of different things, and it seems like every one of our customers has had a different reason for buying the platform. One of the things Nucleus does really well is gathering data, correlating it, and helping developers, system administrators, and security analysts collaborate. It lets three very different teams keep using their preferred tools to initiate and respond to communications in the way they prefer.

DevSecOps Culture

The cultural transformation can be significant, because teams end up with a sense of stakeholder ownership rather than feeling like other teams are pushing work off onto them and increasing their workload, or feeling like they constantly have to accommodate the security team. Freed from the burden of having to filter and research, they can spend their time fixing because they can work from targeted, actionable data. That fosters collaboration and improves productivity.

Which is kind of what DevSecOps is all about.

"We Spoke and Nucleus Listened"

Read one AppSec Manager’s journey to discovering Nucleus and how it transformed their DevSecOps culture.