The popularity of DevSecOps is on the rise, and for good reason. Embracing DevSecOps can help your team reduce risk, simplify compliance, and integrate security into your continuous integration/continuous delivery (CI/CD) pipelines. However, it isn’t always easy knowing where to start. Understanding what a DevSecOps pipeline looks like in practice or which tools are best for your team can be difficult.
In this article, we’ll explore the topic of DevSecOps pipelines to help you jumpstart your CI/CD security and compliance efforts.
What is a DevSecOps pipeline?
Just as DevSecOps culture integrates security into traditional DevOps thinking, DevSecOps pipelines layer in security throughout traditional DevOps CI/CD pipelines. As opposed to security being something that happens mostly late in the development cycle, it is an ongoing process in a DevSecOps pipeline.
In his swampUP Keynote The Divine and Felonious Nature of Cyber Security, John Willis calls out several important DevSecOps best practices to keep in mind as you build your pipelines:
- Treat security issues the same as software issues.
- Adopt a “security as code” approach to enable the automation of security.
- Build security controls and vulnerability detection into CI/CD pipelines.
- Automate security testing as part of the build process.
- Proactively monitor the security of production deployments.
Open source software and DevSecOps pipelines
In some ways, the surge in DevSecOps popularity is a logical progression from DevOps. Just as making operations a shared responsibility helps to improve application reliability, making security a shared responsibility improves overall security posture. However, there are some more nuanced reasons for the increased importance of DevSecOps, and the prevalence of open source software (OSS) is at the top of the list.
Today, open source components make up ~80-90% of modern applications. This is because using OSS has significant upsides. For example, OSS components are often more secure, robust, and reliable than commercial alternatives. Additionally, using an existing OSS library or application is much more efficient than programming the same functionality from scratch.
However, while there are many benefits to OSS, there are also security and compliance challenges. Just one unpatched component vulnerable to a published Common Vulnerabilities and Exposures (CVE) exploit makes your application a prime target for attackers. Similarly, a single licensing issue can create compliance challenges that cost time and money to resolve.
How SCA tools enable security and compliance in DevSecOps pipelines
At this point, we can see there is a clear problem: how can you determine if the OSS components you use have known security vulnerabilities or use licenses that can create compliance issues?
Manually ensuring that third-party OSS patches are up to date and that no licensing issues exist is slow, inefficient, and error-prone. This is particularly true when you must manage multiple pipelines with a wide variety of OSS packages and dependencies. Because manual checks aren’t scalable, reliable, or efficient, development teams use software composition analysis (SCA) tools to scan code, containers, registries, and software artifacts for security vulnerabilities and license compliance issues. In many cases, advanced SCA tools also provide continuous detection of security or compliance issues, custom alerting, policy creation, remediation suggestions, and the triggering of automatic actions when issues are detected.
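As an added illustration of the policy-driven checks described above and of the "build vulnerability detection into CI/CD pipelines" practice from the keynote list (this is example code, not JFrog's or Xray's), here is a minimal SCA-style gate: it evaluates a constructed component list against a constructed vulnerability feed and a license allowlist, and returns a fail/warn/pass decision with remediation hints. Component names, versions, CVE ids and the feed layout are all constructed placeholders.

```python
# Constructed sample data: an SBOM-style component list for one build, a
# vulnerability feed and a policy. The CVE ids are placeholders, not real ones.
COMPONENTS = [
    {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
    {"name": "fast-xml", "version": "2.0.1", "license": "GPL-3.0"},
    {"name": "jsonparse", "version": "0.9.0", "license": "Apache-2.0"},
]

VULN_FEED = {  # (name, version) -> known issues, with the first fixed version
    ("jsonparse", "0.9.0"): [
        {"id": "CVE-XXXX-0001", "severity": "critical", "fixed_in": "0.9.2"}],
    ("left-pad", "1.3.0"): [
        {"id": "CVE-XXXX-0002", "severity": "low", "fixed_in": "1.3.1"}],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

POLICY = {
    "fail_at_or_above": "high",   # block the build at this severity or worse
    "warn_at_or_above": "low",    # report, but do not block, below the fail bar
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
}


def evaluate(components, feed, policy):
    """Return (overall_action, findings); overall is 'fail', 'warn' or 'pass'."""
    fail_rank = SEVERITY_RANK[policy["fail_at_or_above"]]
    warn_rank = SEVERITY_RANK[policy["warn_at_or_above"]]
    findings = []
    for comp in components:
        key = (comp["name"], comp["version"])
        # Security check: every known issue for this exact version is ranked.
        for vuln in feed.get(key, []):
            rank = SEVERITY_RANK[vuln["severity"]]
            if rank < warn_rank:
                continue  # below the reporting threshold
            action = "fail" if rank >= fail_rank else "warn"
            findings.append({"component": key, "type": "vulnerability",
                             "detail": vuln["id"], "action": action,
                             "remediation": "upgrade to " + vuln["fixed_in"]})
        # Compliance check: any license outside the allowlist blocks the build.
        if comp["license"] not in policy["allowed_licenses"]:
            findings.append({"component": key, "type": "license",
                             "detail": comp["license"], "action": "fail",
                             "remediation": "replace or obtain approval"})
    actions = {f["action"] for f in findings}
    overall = "fail" if "fail" in actions else "warn" if actions else "pass"
    return overall, findings


if __name__ == "__main__":
    result, issues = evaluate(COMPONENTS, VULN_FEED, POLICY)
    print(result, *issues, sep="\n")
```

In a real pipeline the component list would come from the build's dependency manifest or SBOM and the feed from the SCA tool's vulnerability database; a "fail" result is what would stop the job.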
How can you ensure compliance in DevSecOps pipelines?
As you can see, SCA tools are a useful way to help mitigate the risk of using a variety of third-party OSS packages. However, how do you find the right SCA tool to enable security and compliance in your SDLC? There is no one-size-fits-all answer, but you should look for tools that natively integrate with your existing infrastructure, work across clouds and on-premises, provide in-depth analysis and reporting, and support all the package types used in your pipelines.
JFrog Xray, a DevSecOps pipeline solution, is an example of an SCA solution that checks all those boxes and more. For example, JFrog Xray:
- Is part of the JFrog DevOps Platform which delivers universal, hybrid, end-to-end DevOps automation.
- Supports scanning of all major package types and can intelligently unpack them (e.g. if Xray finds a Java application, it will analyze all .jar files used).
- Creates component graphs of your infrastructure which allow you to visualize the relationships between software components in your organization.
- Allows you to create granular policies and reports for security and compliance.
- Delivers a single pane of glass visibility into all security and compliance information related to your artifacts.
- Leverages vulnerability and compliance intelligence with VulnDB and other sources for metadata on vulnerabilities.
- Supports a wide variety of integration options (e.g. plugins for popular IDEs and CI tools, RESTful API, and a robust command-line interface).
- Provides continuous monitoring even after deployment to production.
- Is the only security scanning solution that natively integrates with JFrog Artifactory.
Final thoughts: getting started with DevSecOps
Now that you understand the basics of DevSecOps pipelines, you can begin to secure your CI/CD pipelines more effectively. By “shifting security left” and integrating security throughout your development cycle, you’ll increase the quality and security of the products you deliver while reducing the risk of compliance or licensing issues impacting your projects.