DevSecOps is the established practice of DevOps with the security of systems as a central tenet. With traditional DevOps, developers have found ways to make the software development lifecycle much easier. One common practice, continuous integration and continuous deployment (CI/CD), automates the manual steps of testing and deploying new versions of code, which saves countless engineering hours that can then be spent improving the product.

While DevOps has rightfully gained traction across many software development teams, security is often overlooked because "it gets in the way" of shipping features. The notion that DevOps somehow conflicts with security has led to weak practices such as storing application secrets in source code or letting anyone in the company view build logs and artifacts. As a result, DevOps has introduced new attack vectors that leave a company, its proprietary software and its data needlessly exposed. For instance, Jenkins, a widely used open-source CI/CD server, has been a frequent target of attackers: a CI/CD server typically holds source code and deployment credentials, which makes it a high-value target.

Rather than treating DevOps purely as a matter of development speed, we recommend making security a central tenet of how teams ship new versions of their software, hence the term DevSecOps. Speed, while important, is no good if it means all of your hard work can fall into the wrong hands. Furthermore, implementing security best practices is not the time drain or resource hog it is often made out to be.

To save time and strengthen security at the same time, you can use a third-party CI/CD provider such as CircleCI together with a data-security vendor like CryptoMove to deploy your own DevSecOps pipeline with considerably fewer resources than running your own Jenkins server. CryptoMove stores your sensitive data using moving target defense, a patented technique that keeps the data in motion so that an attacker has a much harder time locating it. CircleCI manages your build-and-deploy servers, so all you maintain is a YAML config file that declares the commands used to test and deploy new versions of your software. Both CircleCI and CryptoMove can also be deployed on-premises, inside a company's own network, for teams that need that additional layer of control.

You can use CryptoMove and CircleCI together through the CryptoMove orb. With this orb, you store sensitive data such as API keys and database passwords in CryptoMove and pull them into your CircleCI builds and deploys at run time, so they never live in your repository. CircleCI jobs are ephemeral (short-lived): once a build finishes, the container and the secrets it held are discarded. This removes a critical attack vector that attackers have previously used to reach sensitive information. Keep in mind that ephemeral jobs only help if the secret stays inside the job: anything echoed to the build log or saved as an artifact outlives the container.
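As an added illustration, not code from CircleCI or CryptoMove, here is the shape of a `.circleci/config.yml` that pulls a database password at job run time instead of committing it alongside the config. The orb version, the `cryptomove/get-secret` command and its parameters, the `prod-db-password` secret name, the `production-deploy` context and `./scripts/deploy.sh` are all assumptions for illustration; check the orb's published documentation for its real command names and parameters.

```yaml
version: 2.1

# Assumption: the orb version, command name and parameters below are
# illustrative. Confirm them against the CryptoMove orb's documentation.
orbs:
  cryptomove: cryptomove/cryptomove@1.0.0

jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    # DON'T: a secret declared here is committed to git with the config,
    # and anyone who can read the repository can read the password.
    # environment:
    #   DB_PASSWORD: "s3cr3t-in-git"
    steps:
      - checkout
      # DO: fetch the secret at run time. Assumed orb command; it is
      # expected to export the value into $BASH_ENV so that later steps in
      # this job (and only this job) see it as an environment variable.
      - cryptomove/get-secret:
          name: prod-db-password
          env-var: DB_PASSWORD
      - run:
          name: Deploy without leaking the secret
          command: |
            set -euo pipefail
            # Never "set -x" or echo the secret: anything printed to the
            # build log outlives the ephemeral container.
            ./scripts/deploy.sh   # hypothetical; reads $DB_PASSWORD from env
      # Do not persist_to_workspace or store_artifacts anything that
      # contains the secret; the job's container is discarded when it ends.

workflows:
  build-and-deploy:
    jobs:
      - deploy:
          # Assumed context name. Contexts let you restrict which users or
          # groups may run jobs that use them.
          context: production-deploy
          # Deploy only from the main branch.
          filters:
            branches:
              only: main
```

The commented-out `environment:` block is the weak pattern the post warns against: the password becomes part of the repository's history and of every clone. The hardened job keeps the secret in the job's environment for the lifetime of that one container, and the branch filter plus context limit who can cause a deploy that touches it.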

As with physical security, solid security in code is built up from many small, iterative controls that safeguard your data. That does not mean these controls have to get in the way of your software development lifecycle; with a robust DevSecOps paradigm you can have both.


This post is a part of a series we produced covering DevSecOps. To read more posts from this series, click one of the links below.