If someone asks, "What is changing the technology ecosystem in this era?", the answer may be the Internet of Things (IoT), artificial intelligence (AI), robotics, or something new that is about to emerge. But for those who have lived through the continuous iteration of technology, the next new thing is not an abstract concept but a method that can drive today's "application-driven" global economy: DevSecOps (short for development, security, and operations).

Recently, Shahnawaz Backer, a security expert for F5 in the Asia-Pacific region, shared the concept of achieving security based on DevSecOps in a technical blog. Research from the well-known research organization Infoholic Research shows that over the next few years the global DevSecOps market is expected to grow in the Asia-Pacific market, especially in China, Singapore, Japan and India, which also reflects the growing attention paid to DevSecOps platforms.

DevSecOps advocates integrating security into the development workflow from the beginning. DevOps merges software development and operations and, as a culture, eliminates silos, allowing for rapid improvements and better performance. "Security by design" was once considered a concept that technology providers over-promoted, and it was therefore often questioned. In a DevSecOps platform, security is fundamentally implemented.

Where does DevSecOps fit into the DevOps landscape?

F5 believes that DevOps requires a new mindset to embrace this new approach to software development. DevSecOps is a methodology that requires practitioners to prioritize security in the continuous integration and delivery (CI/CD) process. The reality is that many developers are not security experts, and conversely, many security experts do not do development work. So, how can security be better integrated into the software development life cycle (SDLC)?

F5 security experts pointed out that in a DevOps environment, application development is usually a fast-paced and dynamic process. Addressing this also requires security testing tools and practices that help organizations keep up with that pace. Today, the application environment that enterprises face is becoming more and more complex, and the frequency of application updates has risen sharply, from once a year to almost every day. Since DevSecOps processes are not always simple, IT departments need to delve into their channels to understand the types of information and potential vulnerabilities that may subsequently appear, and then arrive at a measure of success. DevSecOps requires that IT security and application security become everyone's responsibility, from the security testing tools used to having the security team involved in early communications with customers, so that security requirements are reflected throughout the entire life cycle.

The challenge of safety and speed

Another problem that DevOps practitioners encounter when they first get involved in DevSecOps is speed. For example, when deploying application security tools (AST), IT teams usually want to leave ample time for execution to ensure reliability. However, this becomes a small flaw for organizations that require speed and agility. Organizations need to consider and minimize the impact of time costs.

There are also practical issues, such as ensuring that tools and techniques work well in containers, and ensuring that the AST tools used do not negatively impact the scalability of containers. That can happen if the AST tool's image has a large footprint or relies on data that must be stored in the container. AST tools also take time to run, and they can slow down the entire CI/CD pipeline. Interestingly, the CI/CD pipeline was never conceived with security as a priority; its priorities were speed and convenience.

With the introduction of DevSecOps concepts and methods, everyone in the development process has a responsibility to ensure security. However, this leads to slow development, and as a result, this approach is seen as a roadblock to innovation. In fact, only by putting security first can IT organizations avoid the losses and damage caused by security risks.

Finally, F5 security experts remind readers that, because DevOps iterates so quickly, people should pay attention to its speed of improvement and regard security as a "must-have feature", because today security is no longer just a "key performance". Before DevOps and DevSecOps are fully integrated, the latter will serve as a temporary branch in various environments to highlight the role of security in application development.