DevOps is a cultural and professional movement that stresses communication, collaboration and integration between software developers and IT operations professionals while automating the process of software delivery and infrastructure changes.
To better understand the DevOps culture, you can also refer to the CAMS model developed by Damon Edwards and John Willis, authors of the well-known DevOps Cafe podcast. CAMS stands for Culture, Automation, Measurement and Sharing. These are all important principles in implementing DevOps.
If DevOps entails automation and collaboration of Development (Dev) and Operations (Ops) processes, DevSecOps goes a step further by driving the adoption of Security (Sec) measures. The collaboration between Dev and Ops is a more natural one, whereas Dev and Sec teams have typically had competing objectives. Development is geared towards being agile and executing frequent releases, while Security, with its auditing and vulnerability tracking, by its nature tends to hold development back.
So how do we accelerate without compromising on security guardrails?
Incorporate security right from the beginning of the DevOps journey. When security is not part of DevOps, the security team loses visibility into the production cycle.
Hence, we have a three-way hybrid called DevSecOps, which inserts security into the DevOps team and hands that team responsibility for automating security tools and integrating them into the Software Development Life Cycle (SDLC).
Two important elements of DevSecOps are Continuous Integration and Continuous Delivery.
Continuous Integration (CI) – A software engineering approach where developers merge their code into a shared code repository frequently, with each merge verified by an automated build and test run.
Continuous Delivery (CD) – Produce software changes in short cycles, keeping the software in a releasable state so that it can be released on demand.
This playbook will share more practical best practices on CI/CD.
This is a natural progression model for DevSecOps maturity. Every agency is different, and the pace of implementing DevSecOps also varies. This model serves to guide agencies in progressing up the maturity model from their current state.
You can see how the DevSecOps sub-domains map to the DevSecOps maturity model. For example, the Development sub-domain maps to Source Code Management, while the Build & Test sub-domain relates to Continuous Integration, and so forth.
Note: There are some hyperlinks to the intranet, and these are meant only for Singapore Government Public Officers.
Now that you have seen the base concepts, let's look at how this playbook is structured. The chapters are directly aligned with the IM8 DevSecOps policy under Application Development Security and offer practical recommendations on how to adopt the policy from clauses 6.1 to 10.1. The clauses relevant to each section are indicated as [# Clause Reference number].