Migration From DevOps to DevSecOps: A Complete Migration Framework, Challenges, and Evaluation


Nisha T. N., Amit Khandebharad
Copyright: © 2022 | Pages: 15
DOI: 10.4018/IJCAC.2022010102

Abstract

The DevOps development strategy is based on lean and agile principles and was developed to ensure faster delivery. It ensures the collaboration of all stakeholders in the software development process and incorporates user feedback more quickly. The strategy was developed to guarantee customer satisfaction, increased business value, and reduced time for gathering feedback and adjusting the deliverables. Practitioners identified a need to prioritize security in DevOps and began discussing how security could be embedded in it. This introduced a mission-critical issue in many organizations, as it requires breaking down the barriers between the operations and security teams and reviewing many of the security policies in place. The challenge is to find the best way for DevOps to keep performing Continuous Integration and Continuous Delivery after security is embedded in a DevOps environment. This paper introduces a complete migration framework from DevOps to DevSecOps. It also identifies the attributes on which the migration framework can be evaluated.

Introduction

Initially, the software development process followed the traditional waterfall model, in which a series of phases is executed in a cascaded manner; each step delivers documentation that is used as the starting point of the next phase in an interrelated manner. The completeness of this process and the implementation styles influenced the quality and speed of software development. Then came the idea of DevOps, based on continuous delivery, where each individual deliverable is tested and deployed. As security concerns in software products increased, developers began to identify the need to infuse security into this continuous development and deployment process and started thinking of Security in DevOps, or DevSecOps.

We moved from the concept of software as a product (SaaP) to software as a service (SaaS), in which the software is centrally hosted, mostly in the cloud, and clients access it through a browser. This changed the entire software delivery concept, as the software provider delivers improved versions after any update and does not need to go through the delivery, implementation and maintenance cycle again. The aim of the entire exercise is to reduce this cycle time and incorporate faster feedback by introducing the concepts of Continuous Integration (CI) and Continuous Delivery (CD). This was the evolution point of the concept called DevOps (Development and Operations). The driving force behind this adoption was the need for cloud adoption and software-defined environments, which hurried the introduction of the DevOps concept.

This change in the software development process necessitated more collaboration and communication between the development and operations teams. DevOps came with a lean development methodology that joined the different processes in the cycle, such as development, delivery and operations. This idea shifted the software development process from distributed autonomous groups to cross-functional groups delivering continuous results (Ebert et al., 2016) and combined software development with other information technology operations. The systems development life cycle is shortened by delivering desired results and updating frequently in an agile manner, aligning closely with business objectives.

Just as DevOps was stabilizing, the next issue, security, started bubbling up. The reason was the inability of customary security techniques to maintain the agility and speed needed to keep pace with DevOps. DevOps implementation automated the software development and deployment lifecycle and facilitated rapid software deployment and service. The predominant bias towards availability in DevOps made practitioners think about how to integrate the other two aspects of CIA, confidentiality and integrity, into the DevOps framework (Myrbakken et al., 2017).

DevOps is based on the concept of fast deployment of software components to the user, which may reduce the intensity of security in it. This is worsened if the organization itself considers security a barrier to fast development and deployment and does not want security testing to slow down the entire development and deployment process. Such organizations then try to shift security to the last phase of the software development cycle (Filkins, 2016). This required information security professionals to become active participants in DevOps while maintaining teamwork, coordination, agility and shared responsibility (MacDonald and Head, 2016). It in turn required the integration of modernized security methods to achieve an optimized software development process. Practitioners realized that DevSecOps is not just adding security to CI and CD, but building security into the software to deliver compliance (Lietz, 2016), especially when security needs to be aligned with the compliance requirements of different regulatory standards.
