DevSecOps vs DevOps: What's the Difference?

In this article, we'll explain what DevSecOps is, how it differs from DevOps, and what security controls it should ideally incorporate.

What's the Difference Between DevOps and DevSecOps?

The easiest way to explain the difference between DevOps and DevSecOps is to look at their definitions side by side.

DevOps is a combination of development and operations intended to enable engineering teams to develop software more quickly and efficiently. The ultimate goal is to create a more agile development lifecycle that allows organizations to quickly build and update software applications and assets, providing a better customer experience and a significant competitive advantage.

A simple DevOps pipeline looks like this:


DevSecOps is a combination of development, operations, and security. It aims to fully integrate security components into DevOps pipelines, maintaining speed and agility while ensuring software is resilient to cyber threats. The security team typically supports the "Sec" in DevSecOps, but engineering teams take ultimate responsibility for ensuring the code they produce is secure.

Both DevOps and DevSecOps pipelines typically include a high degree of automation to enable fast, accurate development that supports business goals without sacrificing software quality.

There's an argument that DevOps and DevSecOps are the same thing. Renowned DevSecOps speaker Larry Maccherone has often described security as a component of software quality. In other words, if a software asset is insecure, that should be considered just as important as an asset not performing as intended.

While this argument has some clear logic, in practice, most people consider DevSecOps to be the correct term for a DevOps pipeline that includes integrated security.

Why is DevSecOps Important?

Today, organizations rely on a complex array of on-premise, cloud, and hybrid infrastructure to enable their operations. For organizations that develop software in-house, this complexity is compounded by the continuous creation of new and updated software applications, microservices, and cloud containers.

Every time an internet-facing asset or component is created or modified, there's a risk that a vulnerability or misconfiguration could leave it exposed to attack.

Speeding up development, automating parts of application delivery, and other complexities like breaking software into microservices only compound this risk. It's easy to make minor mistakes during the development process, leaving an asset wide open to basic cyberattacks.

Similarly, modern engineering teams use numerous tools to automate related tasks such as setting up and maintaining servers, containers, code repositories, and image registries, all of which can also be left vulnerable.

Ultimately, DevOps pipelines provide clear business value but are also a substantial source of risk. This is why the "Sec" in DevSecOps is so important. With so much at stake, securing software and development infrastructure can't be an afterthought; it must be designed into the development process.

What is DevOps Security?

It's easy to say, "build security into the DevOps pipeline." But what exactly does that mean?

It means fully integrating various security practices into the development process to detect security defects before code is shipped to production. Defects such as:

  • Vulnerabilities (e.g., susceptibility to OWASP Top 10 threats)
  • Insecurely implemented secrets and credentials
  • Incorrectly configured access controls

Not all security practices can be successfully built into a development pipeline without significantly slowing things down. However, as the diagram below shows, a DevSecOps pipeline can incorporate many security processes, tools, and services:


The diagram above raises an obvious question: how do you build slower processes like pentesting into a development pipeline without impacting time-to-market?

The answer: by separating security practices into "in-band" and "out-of-band."

In-band practices can be easily built into the pipeline without causing significant delays. This includes controls such as:

  • Secure coding practices. These are essential to minimize the presence of vulnerabilities in written code. While vulnerabilities can be found later, the team's ability to push code quickly relies on being able to write code that is mostly free from issues from the outset.
  • Automated code scanners. SAST, DAST, and IAST scanners uncover vulnerabilities in source code and compiled applications.
  • Peer code review. This is labor-intensive but important for finding vulnerabilities that may not be apparent to a machine, e.g., those caused by logic issues. Typically a peer code review may be completed before product launches and major updates, but not necessarily for every code push.
  • Software Composition Analysis (SCA). These scanning tools search for vulnerabilities in dependencies such as software libraries and open source projects.

Out-of-band practices are slower and happen alongside the development pipeline without holding up code pushes. When results from out-of-band practices are available, they're fed back into the pipeline to remove security vulnerabilities from future releases. Out-of-band practices include:

  • Pentests and security assessments. These can take days or even weeks to complete but are essential to ensure the security of a software application or asset.
  • Bug bounty and Vulnerability Disclosure Programs (VDPs). These are continuous sources of security information that can easily feed into new code pushes.

Combined, in-band and out-of-band security practices significantly reduce the risk of shipping vulnerable code, which in turn can significantly reduce an organization's cyber risk.
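As an added example (not HackerOne's code and not from the original article), here is a small Python model of the in-band/out-of-band split described above: in-band checks (a secret scan of the changed files and a dependency check against an advisory list, i.e. a minimal SCA step) run on every push and gate it, while out-of-band findings from pentests or bug bounty reports are queued for the next release instead of blocking the current push. The changeset, manifest, advisory list and secret patterns are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample changeset, as a pre-merge gate would see it (not real project code).
CHANGESET = {
    "app/config.py": 'DB_URL = "postgres://app:s3cretpass@db/prod"\nDEBUG = False\n',
    "app/views.py": "def admin():\n    return render('admin')\n",
}
# Constructed dependency manifest and a constructed advisory feed standing in for SCA data.
MANIFEST = {"requests": "2.19.0", "flask": "2.2.5"}
ADVISORIES = {"requests": {"fixed_in": "2.20.0", "severity": "high"}}

# Hypothetical secret patterns; real scanners ship far larger rule sets.
SECRET_PATTERNS = [
    ("credential-in-url", re.compile(r"://[^:/\s]+:[^@\s]+@")),
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
]

@dataclass
class Finding:
    source: str    # which control raised it
    severity: str  # critical / high / medium / low
    detail: str

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def in_band_checks(changeset, manifest, advisories):
    """Fast, automatable checks run on every push: secret scan + SCA."""
    findings = []
    for path, text in changeset.items():
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(text):
                findings.append(Finding("secret-scan", "high", f"{name} in {path}"))
    for pkg, ver in manifest.items():
        adv = advisories.get(pkg)
        if adv and version_tuple(ver) < version_tuple(adv["fixed_in"]):
            findings.append(Finding("sca", adv["severity"], f"{pkg} {ver} < {adv['fixed_in']}"))
    return findings

def gate(findings, block_on=("critical", "high")):
    """In-band decision: the push proceeds only if nothing blocking was found."""
    return not any(f.severity in block_on for f in findings)

def ingest_out_of_band(backlog, reports):
    """Pentest and bug bounty reports arrive asynchronously: they never block the
    current push, but are queued so the next release fixes them."""
    backlog.extend(Finding("out-of-band", r["severity"], r["title"]) for r in reports)
    return backlog
```

On the constructed changeset the gate fails on the hardcoded database credential and the outdated `requests` version, while the out-of-band report lands in the backlog without stopping the push.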

Find More High-Risk Vulnerabilities with HackerOne

The majority of in-band security controls in DevSecOps pipelines are automated. Usually, human intervention is too slow to be a required component of every code push.

However, most out-of-band practices are human-led. While slower, these practices are essential to uncover more complex (but still high-risk) vulnerabilities, misconfigurations, and business logic issues that a malicious actor could exploit.

HackerOne provides access to the world's largest community of ethical hackers, who possess the broad range of skills and expertise needed to uncover high-risk vulnerabilities in software assets. A combination of continuous testing via a bug bounty or VDP plus time-bound security assessments can help any organization find and close security issues, both before and after new code is pushed to production. Development-led organizations like Shopify and PayPal rely on HackerOne to help keep software assets secure without delaying their development pipelines.

HackerOne's Attack Resistance Management Platform closes the attack resistance gap, the difference between assets you know and can defend and the unknown and unprotected, by continuously improving visibility and remediation across your evolving attack surface. We help you achieve attack resistance. Contact us to learn more.

Author: HackerOne
Date: 2022-06-23 12:00:00
