DevSecOps: Bringing Security to the Software Development Multiverse

What is DevSecOps?

Development plus security plus operations. These three words encompass almost every facet of the infrastructure and application development worlds. Bring them together and you have DevSecOps, which is all about integrating security at every stage of the software development process. 

DevSecOps is an approach that combines application development, security, operations, and infrastructure as code (IaC) in an automated continuous integration/continuous delivery (CI/CD) pipeline. It includes tools and processes that encourage collaboration between developers, security specialists, and operations teams to more quickly build software that is both efficient and secure.

What is the goal of DevSecOps?

The primary objective of DevSecOps is to automate, monitor, and apply security to all phases of the software lifecycle. This encompasses everything you do to plan, develop, build, test, release, deliver, deploy, operate, and monitor.*

From the business point of view, the objective here is to deliver software in a secure manner ‘ and that means bringing security to the forefront of service delivery, including both application development and the infrastructure that supports the applications. Every company needs to move fast and provide greater value to their customers but they need to do so in as secure a manner as possible. Because no one wants to be the headline de jour announcing yet another data breach. 

‘Shift left’ and end the last-minute rush to integrated security

Traditionally, when it comes to software development and related infrastructure projects, security is often the last thing to be implemented.

The reality is things often happen this way: You have been focused on testing and evaluating the new software and the infrastructure that supports it. Suddenly you’re two weeks away from your go-live date. Now comes a mad scramble to get security in place.

Optimally, here’s what should happen: Security should be integrated from the get-go ‘ versus being left as the last step. That’s what we mean by ‘shifting left’ ‘ moving security to the beginning of the development process as you consider how to roll out new applications, services, and features to your customer. 

Here’s a quick illustrative scenario: Let’s say an application development team needs an environment to run testing and evaluations. In response, the infrastructure team goes away and gets a server. Some development and testing is done on this server, which may or may not have been hardened in terms of security. This is where that mad rush to completion begins, where that ‘we have to get this done and can figure out security later’ mentality sets in. The developers are in the last crunch, banging away writing code. Now you’re two-to-three weeks before going into production. The good news is that things look good, everything is working perfectly. So…

What happens next? This is when the security team is often called in and it becomes clear that the application or the infrastructure does not align with security standards. Moving to a hardened, secure server can be problematic, because the application and development teams (with full permissions and support to move ahead as quickly as possible) never tested it on the more secure infrastructure.

Suddenly the business is at a crossroads. Do you push back the launch to secure the app and infrastructure as it should be? Or band-aid it for now to get the software out the door and plan on making some fixes after the app is already being used? It’s too late at this point to wish you had shifted left and integrated security in from the very beginning. But it is a good time to segue in to how the Morpheus platform can support DevSecOps goals as you shift left.

The Morpheus point of view on DevSecOps

Our point of view is a bit different than what you’ll find in many DevSecOps discussions. For us, it’s not all about adding security tools into the CI/CD pipeline to specifically perform security during the testing and evaluation steps of the app development process.

Instead, we at Morpheus recognize that at the end of the day, the business always wants that new app or that new feature faster and more securely. We can help make this happen by enabling application and development teams to consume infrastructure in a hardened, secure, and repeatable manner.

When your developers are working on a new app, instead of your security team waiting until the end to harden the infrastructure, having Morpheus in the mix enables the security team to be in lock step as the application is being developed. And this exposes the hardened infrastructure to the application development teams via our self-service catalog.

Deeper dive on specific Morpheus capabilities supporting DevSecOps

As discussed, DevSecOps automates and integrates security from a CI/CD perspective. That is, developers writing code have one primary concern related to security: Is the code secure? Various tools are available to support that part of the process. But at some point in time, the app is going to have to make it to a server or some machine ‘ and that machine needs to be hardened and secure. Here’s where Morpheus goes to work.

Morpheus helps secure and harden the infrastructure while offering you the mechanisms needed to automate the process from end to end in these specific ways:

Self-service catalog for hardened reference architectures

Our service catalog is a major feature of the Morpheus platform. It’s what allows infrastructure and security teams to be able to curate the ‘blessed’ security and infrastructure architectures. When the developer or app teams says they need an environment to begin development and testing of an application, Morpheus provides a platform in which infrastructure teams and security teams can curate those. This in turn, enables dev/app teams to access reference architectures in a simple, easy, on-demand fashion. This helps DevSecOps come together in a cohesive manner, reducing friction between development, security, and infrastructure teams, and generating productive synergy in its place. 

Mix and match on demand

Via the Morpheus service catalog, utilizing and leveraging hardened secure images becomes part of process. The security team builds these components in conjunction with the infrastructure teams, making it easy to mix and match different components and build secure architectures for the developers to consume in an on-demand fashion.

Security tool integration 

As far as operations are concerned, a number of security tools need to be configured and deployed as part of the process to ensure end-to-end security of both applications and infrastructure. The more automated, the better. Morpheus is able to integrate with security tools via automation capabilities such as executing Shell or PowerShell scripts, Python scripts, or even Ansible playbooks to integrate and orchestrate different reference security components together as part of that end-to-end process.

Checks and balances

From a large enterprise perspective, having automation woven in to DevSecOps is a good thing. But what about running checks and balances for the processes? The Morpheus Approval Engine helps to address the ability to be able to ‘turn over the keys’ to the application and development teams with assurances that they’ve accessed things that are curated and secure. It also puts needed approval mechanisms in place in terms of change management, ensuring that oversight is in place around what can be done right away and what needs to be approved with the full level of compliance.

Development, security, operations ‘ all at play in the software development multiverse

They are…well…everything, everywhere, all at once within today’s growing businesses. Learn more about how Morpheus can help you master the DevSecOps multiverse by checking out our Morpheus demo.

*DevSecOps, TechTarget, https://www.techtarget.com/searchitoperations/definition/DevSecOps