CHAPTER 1
Introducing DevSecOps
WHY DEVSECOPS? WHY NOW?
DevSecOps provides the ability to deliver more secure products and services to the market rapidly. For decades, technology engineers have sought to balance the speed of delivery with security and performance. DevSecOps fundamentally alters this equation, allowing companies to deliver at speed without compromising security, privacy, or system performance.
Technologists have long struggled with the balance of quality and speed, attempting to answer the question, "How do we deliver products to market quickly without sacrificing security?" With DevSecOps, you finally have that answer, and that answer lies in collaboration. DevOps and, by extension, DevSecOps offer the promised holy grail of technology product development and delivery: the ability to build reliable, secure, and maintainable products without sacrificing speed to market.
DevSecOps provides a fundamentally new approach to security. This approach moves away from the gating approach of yesterday by shifting responsibilities earlier in the development pipeline. By working with developers, it is possible to integrate security across technical applications and services more easily. Through automation and education, one engineer can embed security practices in many applications. By ensuring that security practices are embedded earlier in the development process, you can reduce the effort it takes to build secure products. In effect, by taking a DevOps approach to security, you can reduce the friction of security and compliance and become a force multiplier for the security team.
Cybersecurity has never been a more critical issue than it is today. The number of cyber threats continues to grow, and the breaches we are seeing have an ever larger impact.
With the increasing prevalence of remote work and global teams, the attack surface is continuing to expand. It is no longer possible to simply secure the network perimeter; we must provide security at every level as we move toward approaches such as defense in depth and zero trust. Chapter 2, "The Evolution of Cybersecurity (from Perimeter to Zero Trust)," explores the evolution of the security model in detail.
In addition, we are seeing an increasing number of attackers and increasing sophistication among them. The number of attackers continues to grow as the availability of tools to launch attacks has grown. The ready availability of attack tools means that it takes less skill to launch attacks. Today, a novice attacker can rent a fleet of zombie computers on the Dark Web and launch a distributed denial-of-service attack in minutes. Alongside the proliferation of attackers, we are seeing increasing sophistication of attackers. Today the primary threat actors include organized crime, with cybercrime revenue estimated at $1.5 trillion in 2019, more than the revenue of Tesla, Facebook, Microsoft, Apple, Amazon, and Walmart combined.1 We also see nation-states leveraging cybercrime as a weapon of war.
To combat this increasing threat landscape, you not only need new tools; you need a fundamentally new approach. DevSecOps gives you what you need to combat these emerging threats. By taking a collaborative approach to security, you will be able to leverage the power of the entire technology organization to drive security rather than relying on a single team within that organization. In addition, technologies such as continuous integration and continuous delivery (CI/CD) allow you to integrate security directly into the deployment pipeline.
DevOps OVERVIEW
The people, process, and technology of DevOps advance the way that engineers build, deploy, and manage technical systems by bridging the gap between development and operations teams to get products to market quickly, while addressing the nonfunctional requirements such as stability and scalability. DevOps is a set of principles for delivering value to customers based on Lean principles and collaboration. While many people think of DevOps as a technology or set of technologies, these are really a means to an end. That is, these are simply tools used to better apply the principles of DevOps.2 DevOps includes the people, processes, and technologies used to deliver value to customers through technical products and services based on the DevOps principles.
Gene Kim, DevOps thought leader and author of The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win, The DevOps Handbook: How to Create World-Class Agility, Reliability, & Security in Technology Organizations, and many other DevOps books, describes DevOps in an interview with Dynatrace, saying, "I think that's exactly what DevOps is. Take those Lean principles, apply them to technology value streams, and you end up with emergent patterns that allow organizations to do tens, hundreds, or even hundreds of thousands of deployments per day, while preserving world-class reliability, security, and stability."
Understanding DevOps as a culture or set of principles focused on collaboration, you can then understand it as the interaction or collaboration among development, operations, and QA, as shown in Figure 1.1.
Figure 1.1 DevOps can be thought of as the intersection of development, operations, and quality assurance
Although there are many definitions of DevOps, the Three Ways of DevOps, described in Gene Kim's The Phoenix Project, as well as the CALMS model originated by Jez Humble, co-author of Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations and The DevOps Handbook: How to Create World-Class Agility, Reliability, & Security in Technology Organizations, provide two of the original models for understanding DevOps. These two models go a long way to explaining the principles underlying DevOps.
Brief History of DevOps
In 2009, John Allspaw, then senior vice president of technical operations at Flickr, and Paul Hammond, director of engineering at Flickr, delivered their talk "10+ Deploys per Day: Dev and Ops Cooperation at Flickr" at the O'Reilly Velocity Conference. They introduced many of the concepts of small batch deployment and collaboration between development and operations. The blog A Short History of DevOps states that "The talk becomes widely credited with showing the world what development-operations collaboration can achieve."3 That same year, the term DevOps was introduced when Patrick Debois launched the "Devopsdays" event in Ghent, Belgium. The concept took hold, and the first U.S. Devopsdays was held in 2010. Devopsdays was later shortened to the term DevOps that we are all familiar with today.
In 2013, Gene Kim, Kevin Behr, and George Spafford penned their book, The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win, which presented many of the underpinning concepts that make up DevOps today. At the same time, the "State of DevOps Report" was developed, which sought to determine DevOps best practices and their outcomes. The "State of DevOps Report" has become a staple of information for DevOps practices. In his blog post "A Summary of All of the State of DevOps Reports," Tom Geraghty writes, "The first report was in 2013, and showed quite clearly that adopting DevOps practices resulted in technological and business improvements."
DevOps continued to grow, and in 2014 we saw the increased expansion of DevOps into enterprise environments, marked by the launch of the DevOps Enterprise Summit (DOES). DOES sought to explore DevOps at scale for large and complex organizations. That same year the group that would later develop the DevOps Research and Assessment (DORA) metrics teamed up with Puppet Labs to find new ways of measuring DevOps and its results.4 These metrics were included in the "State of DevOps Report" from 2014-2017. The research and details about these metrics were published in Accelerate: The Science of Lean Software and DevOps: Building and Scaling High Performing Technology Organizations by Nicole Forsgren, Jez Humble, and Gene Kim in 2018.
While site reliability engineering (SRE) had been around for some time, it came into increased usage much later. The term was originally used at Google in 2003. The term grew in prominence in the DevOps world around 2015, and in 2017 LinkedIn named SRE as one of the most promising jobs of the year.5
It is only in recent years that DevOps has really begun to connect with security and DevSecOps has gained momentum. The 2017 and 2018 "State of DevOps Report" showed that DevOps helped improve security outcomes.
Today, DevOps is something almost every company is doing, from nimble startups to the Fortune 500. More and more, the scope is expanding to cover security, and companies are seeing how the benefits of DevOps can be unleashed on cybersecurity through DevSecOps.
The Three Ways of DevOps
Gene Kim's The Phoenix Project provides one of the earliest and most widely read explanations of the key principles of DevOps. Based loosely...