DevSecOps

Building the Right Toolbox for a Successful DevSecOps Career

462 VIEWS

·

In the beginning, there were developers, and there was operations personnel. As our industry has evolved to support iterative development practices and rapid deployment support, we’ve had to adapt, and the natural evolution was the DevOps engineer — an engineer who could support the entire development process of an application, including quality assurance, deployment, and production support.

As security has become an increasingly important part of our development and infrastructure activities, a new evolution is required, and the result is the DevSecOps engineer. Security is everyone’s responsibility, and those implementing and supporting applications and services are also going to the best to ensure those applications and services are secure. In this article, I’m going to talk about what it takes to become a successful DevSecOps engineer, and I’ll share some of my experiences in taking on this emerging field.

What is DevSecOps?


DevSecOps is the combination of development, quality assurance, operations and security into a single, holistic process. The DevSecOps engineer is tasked with and is responsible for the full software development lifecycle. By combining all of these roles into a single role with complete responsibility for an application or service, engineers are forced to consider their solutions from multiple perspectives. Security and quality are baked directly into the design and development process, and the engineer completes the process with an eye to how the application is to be deployed and supported.

How My DevOps Journey Began

My introduction into the world of DevSecOps began with a new role on a DevOps team. If I’m candid, it felt a little like drinking from a firehose for the first couple of months. However, looking back, I wouldn’t change a thing, except perhaps to have prepared myself more beforehand.

As I became more engaged with my role as a DevOps engineer, the organization I worked for began to shift-left with their security strategy as well. Shift-left strategies related to testing and security are concerned with focusing on critical components earlier in the development process. Identifying quality concerns and security vulnerabilities earlier in the process reduces the cost of revisiting the design and development of software.

DevSecOps Starts with Design

When you build software as a DevSecOps engineer, you begin the design process with quality at the forefront of your mind. In my daily development activities, I generally build backend web services within a microservices environment. I’ve developed a particular fondness for API-First development principles. API-First development starts with the creation of an API document, which specifies the expected inputs and actions for a new service. The document also outlines the responses which the service returns on successes, errors, and failures.

A considerable benefit of this approach is that you have explicit instructions about how users are expected to interact with your new service before you write the first line of code. Most software bugs and security vulnerabilities come about from unexpected input and mishandling of invalid input.

Quality vs. Security

High-quality software is secure, and secure software is generally high in quality. The two outcomes are inextricably connected. Test-driven development is an approach which I have found invaluable within the development process to achieve this. With this approach, you begin the development process by writing unit tests for a specific function. The tests should include negative and positive use cases, and should all fail before the implementation of the function.

For example, if I were to be writing a Java function to parse a US zip code, I might create a series of unit tests that include the following:

@Test
public void testIsValidZipCodeUseCase1() {
   assertTrue(zipcodeService.isValidZipCode("90210"));
}

@Test
public void testIsValidZipCodeUseCase2() {
   assertTrue(zipcodeService.isValidZipCode("90210-0001"));
}

@Test
public void testIsNotValidZipCodeUseCase1() {
   assertFalse(zipcodeService.isValidZipCode(null));
}

@Test
public void testIsNotValidZipCodeUseCase2() {
   assertFalse(zipcodeService.isValidZipCode(""));
}

@Test
public void testIsNotValidZipCodeUseCase3() {
   assertFalse(zipcodeService.isValidZipCode("ABCDE"));
}

@Test
public void testIsNotValidZipCodeUseCase4() {
   assertFalse(zipcodeService.isValidZipCode("%%%%%-%%%%"));
}

@Test
public void testIsNotValidZipCodeUseCase5() {
   assertFalse(zipcodeService.isValidZipCode(EXCESSIVELY_LONG_STRING));
}

Once I have the tests written, I can then begin implementing my function to the point that all my tests pass successfully. The beauty of this approach is that I can implement any restrictions defined in my API documentation, and I can be sure that I implement just enough code to meet my requirements.

Go to the Dark Side!

One of the benefits of my job is working with a security team which actively promotes and enables teams to write secure code. Occasionally, they put on training events which allow us to compete against each other to hack into systems in a sandboxed environment. A common theme in all of these events is to encourage us to think like would-be attackers.

As engineers, we often get caught up in considering the use cases of our users, and how to simplify that process, and we forget those who want to attack our systems with malicious intent. Taking a step back, and considering how a “bad actor” might try to abuse our systems is an excellent practice in coding defensively.

Don’t Forget the Code You Don’t Write

Finally, it’s essential to consider the code we don’t write. Many of the solutions which we build are constructed on top of existing frameworks and might include third-party libraries. The use of third-party libraries can reduce development time, and in many cases, it allows us to use hardened solutions which have endured wide adoption and testing. Unfortunately, third-party libraries and frameworks don’t come with a guarantee of security.

Integrating a vulnerability management system such as Twistlock into your development process is an important security measure that further protects you against the potential risks of including third-party software in your solutions.

Resources to Advance Your DevSecOps Career

DevSecOps is an exciting career, and it is a job that continues to evolve and improve. If you’re looking to improve your DevSecOps skills, the learning resources in this article are a great place to start.


Mike Mackrory is a Fixate IO Contributor. By day he works as a Senior Engineer on a Quality Engineering team and by night he writes, consults on several web-based projects and runs a marginally successful eBay sticker business.


Discussion

Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *

Menu