What is DevSecOps?
Develop the most secure applications possible, without sacrificing speed or quality.
DevSecOps is a methodology that calls for close collaboration among development, security, and operations teams throughout the software development lifecycle, such that applications are delivered with the highest levels of security, without sacrificing speed and quality.
Before defining the specifics of DevSecOps, it’s helpful to first identify why this movement exists. Let’s start with a common scenario:
A new mobile application is developed, tested, and ready to deploy. The development and operations (DevOps) teams have done an excellent job of planning and coordinating all phases of the software development lifecycle (SDLC), and have accomplished their goal of delivering the app within the allotted time.
But then, right before they ship, they remember that they must pass the app to the security team for a final security review. The security team finds a dozen vulnerabilities and compliance violations, many of them deeply embedded in the features and logic of the app.
The project grinds to a halt while these security issues are addressed. Despite the joint development and operations team’s best efforts, the app release is delayed and will not ship until months after the promised release date. Frustration abounds, and blame is traded between the security and DevOps teams. To make matters worse, because the security issues were not caught until after the app was ready to deploy, fixing them means a costly and time-consuming rewrite of many parts of the application.
This is the exact problem that DevSecOps aims to solve. By advocating a few key principles and methodologies, DevSecOps is designed to ensure users and data are protected, while simultaneously meeting the business objectives around time-to-market and app quality.
Core principles of DevSecOps
In order to avoid the kind of last-minute surprises, project slowdowns, and hurt feelings described above, the DevSecOps model defines the following core principles.
“Shift left” by bringing security into the early phases of the SDLC
Incorporate security as part of the initial phases of the SDLC, especially in initial design and development. The industry often uses the term “shift left” to signify that security should be factored in further to the left in a linear left-to-right time continuum.
One of the reasons that “shifting left” is so important is that it is much faster and easier to fix vulnerabilities in the early phases of development, or, better still, to address them in the design phase before a single line of code is written. If issues are not caught until after the app is built, fixing them is usually more expensive and can delay shipping.
Collaborate with security early and often
As the term DevSecOps implies, the way to see it through is by bringing the development (dev), security (sec), and operations (ops) teams together in a single unit, with healthy collaboration at every phase of the SDLC.
This is the opposite of the throw-it-over-the-wall scenario described above. The goal is to keep all three teams in continuous communication, so that information is exchanged in a timely manner and last-minute changes are reduced.
Build features securely, not just security features
Larry Maccherone, author of The DevSecOps Manifesto, uses the analogy of a bank to illustrate the importance of baking security into all aspects of the app. In many Old Westerns, the robbers didn’t bother trying to get through the steel vault. Instead, they exploited the chief vulnerability of the bank: the brick-and-mortar outer walls. A few sticks of dynamite and they could reach the bank vault with ease. The same holds true for applications. While many think of security only in terms of encryption, authentication, and authorization (the vault), vulnerabilities are left in the rest of the code (the walls), leaving the app open to exploits.
The best DevSecOps teams understand this, and while making sure the vault door is as secure as it can be, they also look at how security can be integrated into every other part of the app.
Maintain security without slowing down development and delivery
Maintaining strict security standards shouldn’t come at the cost of speed and app quality. By leveraging automation and accounting for security as part of the initial design phase of the SDLC, you can avoid slowdowns and make sure that the team can meet its security goals while maintaining the pace of development and delivery of the app.
How Ionic can help you embrace DevSecOps in your next mobile project
The Ionic platform is designed with enterprise security in mind. Here are a few ways you can leverage our products and services to help you meet your security goals, without sacrificing speed-to-market or app quality.
Code and architecture reviews with Ionic Advisory
Ionic Advisory customers have access to a team of mobile security experts who can ensure that your app is properly planned, developed, and implemented to meet rigorous security standards. That includes Code Reviews, where the team will review your code line-by-line to ensure that it meets the highest standards of security. In addition, the Ionic Advisory team offers Architecture Reviews throughout the SDLC, including initial planning, to ensure that you’re incorporating security as early in the process as possible.
Robust authentication and identity management
Ionic Identity Vault and Ionic Auth Connect provide best-in-class mobile security without the effort required to build and maintain your own authentication and identity management solution. These solutions are fully managed by Ionic, including ongoing updates and security patching, and can be implemented in minutes.
Securing user data on-device with encrypted mobile storage
One of the biggest challenges of securing mobile applications is physical security. Unlike a server-side application, where the hardware is stationary and typically well protected inside a secure data center, mobile devices are lost or left behind all the time. What happens if your users leave their phone on the train? How can you be sure that the data on that device doesn’t fall into the wrong hands? With Ionic Secure Storage, you can implement robust, military-grade encryption of local data, with fast querying abilities that ensure a high quality app experience.
Automated security testing
Using Ionic Appflow, a mobile CI/CD solution that helps to automate all phases of mobile app delivery, you can set up automated security testing that triggers whenever certain criteria are met. This helps to incorporate security early and often, so that you are not waiting until all the features are built before validating the security and integrity of the application.
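To make "automated security testing that triggers whenever certain criteria are met" concrete, here is an added example of a CI security gate written for this page; it is not code from Ionic or Appflow. It assumes a scanner (dependency audit, SAST, or similar) has already produced a JSON array of findings, and the finding fields (id, package, severity, fixAvailable, dev) are a constructed, simplified shape rather than any real tool's output format. The gate fails the build when any finding meets the severity threshold, optionally ignores dev-only dependencies, and honours time-boxed exceptions so an accepted risk cannot be silently waived forever.

```javascript
// Added example: a CI security gate that enforces a severity policy on
// scanner findings so vulnerabilities block the pipeline early ("shift left").
// The findings format is constructed and simplified; it is not the output of
// any specific scanner or of Ionic Appflow.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample findings, as a dependency scanner might report them.
const SAMPLE_FINDINGS = [
  { id: 'FINDING-001', package: 'example-lib', severity: 'moderate', fixAvailable: true },
  { id: 'FINDING-002', package: 'legacy-parser', severity: 'high', fixAvailable: false },
  { id: 'FINDING-003', package: 'dev-only-tool', severity: 'critical', fixAvailable: true, dev: true },
];

// Parse a scanner report; anything that is not an array is rejected so a
// malformed or empty report cannot silently pass the gate (fail closed).
function parseFindings(text) {
  const data = JSON.parse(text);
  if (!Array.isArray(data)) throw new Error('scanner report must be a JSON array of findings');
  return data;
}

// policy = { failOn, ignoreDev, exceptions: { [id]: { expires, reason } }, now }
// Returns { pass, blocking, waived } so the caller can decide the exit code
// and print a useful summary in the build log.
function evaluateGate(findings, policy) {
  const threshold = SEVERITY_RANK[policy.failOn];
  if (threshold === undefined) throw new Error(`unknown failOn severity: ${policy.failOn}`);
  const now = policy.now ?? new Date();
  const blocking = [];
  const waived = [];
  for (const f of findings) {
    if (policy.ignoreDev && f.dev) continue; // dev-only tooling never ships to devices
    const rank = SEVERITY_RANK[f.severity];
    if (rank === undefined) throw new Error(`unknown severity "${f.severity}" on ${f.id}`);
    if (rank < threshold) continue;
    const exception = policy.exceptions?.[f.id];
    if (exception && new Date(exception.expires) > now) {
      waived.push(f.id); // accepted risk, but only until the exception expires
      continue;
    }
    blocking.push(f.id);
  }
  return { pass: blocking.length === 0, blocking, waived };
}

// Stand-alone run: evaluate the sample findings against a typical policy.
if (typeof module !== 'undefined' && require.main === module) {
  const policy = {
    failOn: 'high',
    ignoreDev: true,
    // Constructed exception that has already expired, so FINDING-002 still blocks.
    exceptions: { 'FINDING-002': { expires: '2000-01-01', reason: 'constructed example' } },
  };
  const result = evaluateGate(parseFindings(JSON.stringify(SAMPLE_FINDINGS)), policy);
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.pass ? 0 : 1; // non-zero exit fails the CI step
}
```

Run it as a pipeline step after the scanner; the process exit code is what makes the build fail. The two design choices worth copying are that unknown severities and malformed reports throw rather than pass, and that every exception carries an expiry date, so a waived finding resurfaces automatically instead of being forgotten.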
Secure build infrastructure and remote updates
Securing your application goes beyond the features and capabilities of the app itself. You also need to safeguard the infrastructure used to build, deploy, and update the application over time. Ionic Appflow provides a highly secure CI/CD pipeline to protect your project at every step. Our cloud infrastructure undergoes regular third-party audits and penetration tests to make sure our customers stay protected at all times. We use best-in-class security practices to stay ahead of potential threats and vulnerabilities. Appflow provides a secure foundation for thousands of businesses, and is trusted by top brands such as H&R Block, T-Mobile, Caterpillar, and more.
DevSecOps is a way of ensuring that application users and data are protected with the highest levels of security, without compromising development speed and app quality.
The core principles of DevSecOps include tight collaboration between the Development, Security, and Operations teams, such that security is fully integrated in all phases of the SDLC. DevSecOps is designed to address common failure modes that lead to last-minute delays and frustration across teams, including (a) viewing security as a bolt-on that is applied after the fact, rather than a core responsibility of the application development team; and (b) not including security teams until after the app is already built, when it becomes more costly and time-consuming to fix any security issues that are identified.
By embracing the core principles of DevSecOps, enterprise teams can:
- Improve application security, properly safeguarding users and data
- Maintain speed of development and delivery of applications
- Ensure healthy collaboration across development, security, and operations
The Ionic platform can help teams accomplish these goals, offering a combination of expert help and advisory services, enterprise-grade security solutions that are fully managed by Ionic, and highly secure cloud infrastructure for safely building, deploying and updating applications over time.