Feb 28, 2017

Critical Capabilities that DevSecOps Technologies Should Demonstrate

By Joseph Feiman

As we outlined in a previous blog post, security technologies, in order to fit DevOps and other agile development processes, should be at the fingertips of Dev and Ops professionals. Yet, neither group is necessarily proficient in security, security is not their priority, and security tools are often unintuitive to people outside the security industry. Cloud-based application security services (such as SAST and DAST as a service) solved part of the problem by taking over application security testing on behalf of the enterprises. Yet, emerging DevOps introduced new challenges.

Securing DevOps requires that we adhere to two sets of requirements. The first set concerns testing and protection:

  • Ability to test applications in increments – to fit DevOps cycles, where development, integration and deployment of an application proceed in increments.
  • Enable continuous testing of those increments throughout the entire continuous integration/continuous deployment (CI/CD) cycle.
  • Minimal latency between submission of test requests and receiving results – because incremental, continuous delivery requires minimal turnaround time.
  • Increased accuracy of vulnerability detection – to assure teams that they can securely move forward with each DevOps increment.
  • Ability to protect applications – which has not been Dev’s problem in the pre-DevOps era, and which existing perimeter-based technologies (e.g., firewalls of all kinds) could not provide.

Moreover, in order to be adopted by Dev and Ops teams, application security technologies should be as transparent as possible to the development process. This is the second set of requirements. These technologies:

  • Should not require significant learning by DevOps teams. DevOps should be able to stick to application development and operations, and should not have to bother learning security details.
  • Should be practically invisible, transparent to Dev and Ops. They should not catch DevOps’ eyes, they should not distract Dev and Ops from doing their job of creating and deploying software that adds value to the business.
  • Should not require Dev and Ops to have to manage these technologies. Their installation, invocation and operation should not stretch beyond a few pushes of a few buttons.

Cloud-based services are ideal for (and much better than tools at) meeting these requirements. Yet, in the past, typical tools and, to a substantial degree, traditional implementation of cloud-based services have had limited capabilities to meet the first set of new requirements:

  • They were a poor fit for testing small increments of applications. They were designed to test more or less fully assembled applications. They could not be seamlessly invoked by developers to test just one class of code, or just one small part of an application.
  • They did not fit well into the shortened phases of the software lifecycle. They typically take far too long to run in relation to the fast cycles of DevOps and agile development.
  • Moreover, these technologies, e.g., SAST and DAST, are applicable only at the Dev part of DevOps, while DevOps also requires technologies for securing Ops.

In the next blog post, we will point to technologies that have been either designed from scratch or transformed from their existing state to enable DevSecOps.

Joseph Feiman is Chief Innovation Officer at Veracode. In this role, Joseph is responsible for advanced technologies that drive innovative detection and protection strategies. Joseph is a recognized industry leader with nearly two decades’ experience in application development and security, analyzing the market for Gartner Research.