Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

What is DevSecOps and How Does it Create a Holistic Cloud Security Environment?

Published 01/29/2022

What is DevSecOps and How Does it Create a Holistic Cloud Security Environment?
Written by Nicole Krenz, Web Marketing Specialist, CSA.


What is DevSecOps?

In the past, security needs were only addressed after application deployment or after security vulnerabilities were exploited. Businesses are now requiring a stronger collaboration between the development, security, and operational functions. Different combinations of security tactics have become a functioning part across all developments. Here are the various terms you should know:

DevOps

The application of software development methodologies to infrastructure operations.

DevSecOps

The integration of continuous security principles, processes, and technologies into DevOps culture, practices, and workflows.

DevOpsSec

The application of information security principles to protect processes that utilize DevOps culture, practices, and workflows.

SecDevOps

The application of DevOps culture, practices, and workflows for the achievement of information security and compliance management.

Building a Holistic Framework with DevOps

Integrating DevSecOps practices with the essential concepts from Agile is an information security management strategy that is dynamic, interactive, effective, and holistic.

Concepts of Agile software development practices have given rise to infrastructure operation practices such as continuous delivery, software-defined infrastructure, and infrastructure automation. The application of Agile and Devops blends the borders between software development and service infrastructure automation.

Here are three major aspects of how DevOps principles can help achieve a holistic approach for information security management:

1. The Impact of DevOps Practices on Information Security

While DevOps practices improve the management and operations of information security processes, the execution has to be secured. Specifically, organizations have to ensure that DevOps practices don’t compromise information security. This is called “DevOpsSec” or “DevOps security”. Inherent security requirements in DevOps processes must be considered in the adoption of DevOps within an organization.

2. The Application of DevOps to Security Operations

DevOps provides powerful concepts that link development and infrastructure operations, and can be integrated to facilitate the achievement of information security within an organization. “DevSecOps” or “DevOps for Security Operations” applies DevOps to enhance the efficiency and effectiveness of information security processes to facilitate the comparable paradigm shift of DevOps on infrastructure operations to security operations.

3. The Implementation of Information Security Processes and Compliance Delivery Through DevOps

“SecDevOps” or “Security DevOps” integrates and facilitates collaboration of development with information security processes. A common result is the automation of information security processes, accompanied by allowing development processes to stay up to date with security implications and deliverable feedback.

Conclusion

The implementation of DevSecOps, DevOpsSec, and SecDevOps practices in an organization provides an excellent start to attaining an information security management strategy that is dynamic, interactive, effective, and holistic. This strategy provides a set of easily understandable principles that affect an organization’s cybersecurity posture, and is especially suitable for operating under resource and personnel constraints in today’s challenging cybersecurity landscape.


Learn more about secure DevOps by reading the research document Information Security Management through Reflexive Security from our DevSecOps Working Group.

Share this content on your favorite social network today!