Security is hard; traditional approaches are expensive, slow and painful. DevSecOps aims to alleviate that pain by introducing DevOps practices to security.

The software development industry has evolved, from traditional operational attempts to keep infrastructure as static as possible and opposing the development team’s constant need for change, to operators that embrace change. This fundamental change has been brought about due to the adoption of DevOps. DevOps aligns the goals of Product Management, Development, and Operations and leverages automation and infrastructure as code to execute these goals.

Why do we need DevSecOps?

Organizations practicing DevOps deliver code much more rapidly than traditional software organizations; instead of deploying once per week, month or quarter these organizations are deploying several times per week or day. This is a practice that we have adopted at IT Glue. In the way traditional operations has struggled to keep up with the rapid delivery of software, traditional security approaches can no longer scale to ensure system security is maintained; instead the current environment has created the need for a new security model: The DevSecOps.

DevSecOps create continuous security

In order to deploy many times per day DevOps organizations, such as IT Glue, leverage automation in the form of continuous delivery systems, which ensures code quality and deploys to production environments without human intervention.

DevSecOps applies these principles to security. Instead of manual penetration testing, vulnerability scanning, and scheduled system patching, these activities are automated and built into continuous delivery systems, creating continuous security.

Implementing DevSecOps at IT Glue 

Here at IT Glue we leverage Jenkins for our deployment pipeline. Every Git commit triggers a build which tests security and functionality of IT Glue using tools like Amazon Inspector and Selenium. These tools help us ensure that our systems are always patched, vulnerability scanned and functioning before deployment. 

Here is the Deployment Pipeline at IT Glue as an example:

To learn more about DevSecOps read the manifesto.