2024/09/19 13:01:33

DevSecOps

The term DevSecOps refers to a software development cycle that focuses on security.


DevSecOps builds on the practices and recommendations of the broader DevOps approach. Applying DevOps values to software security means that security verification becomes an active, integral part of the development process rather than a separate phase.[1]

DevSecOps provides for ongoing security audits and penetration testing during agile development. Under the DevSecOps concept, security is built into the product while it is being developed, not added once the product is finished. The principles of DevSecOps encourage collaboration and require that security work be handed to security professionals as early in the cycle as possible.

[Image: DevOps vs DevSecOps]

History

2024

Software developed in Java and C# was the most vulnerable

The AppSec Solutions team conducted a study of the most common vulnerabilities in Russian software development and determined which of them give attackers the most room to work. The company announced this on September 19, 2024.

Using the AppSec.Hub product, experts analyzed DevSecOps metrics and identified the most common flaws in code and programming languages that lead to data leaks and raise the risk of cyber attacks. The analysis was carried out on real anonymized customer data from different industries in Russia in 2024. The study sample covered 98 development teams working on software for the most important sectors of the economy, including the financial sector, telecom, industry, the fuel and energy complex and others. The goal was to analyze depersonalized data and identify the most typical information security problems. Experts analyzed more than 140 million lines of code to determine the main risk density metric. The metric was calculated from a weekly slice of data on the number of identified and still unfixed vulnerabilities.

Analysis of several months of data showed that different programming languages carry different levels of vulnerability risk. The highest risk density was found in software written in C# and Java; the lowest indicators belong to Go, Python and SQL.

[Image: risk level table for different programming languages]

"To create malicious code, it is easier for attackers to use Java due to the larger number of dependencies in programming. Imagine two companies, one employing 50 people and the other 500. In which of them will attackers have more opportunities to find a 'weak link'? Approximately the same principle works with programming languages. Java and C# have many libraries available where you can find solutions for almost any task, and at the same time they are extremely popular with development teams," said Anton Basharin, Senior Managing Director.

In contrast, Go, also known as Golang, is the safest programming language. Golang is a general-purpose language developed by Google in 2007. It combines the speed and security of C/C++ with the flexibility of Python. Traditionally, the barrier to entry for C/C++ is higher than for any other language, which results in fewer vulnerabilities.

Any application usually combines several programming languages: the developer uses different languages for the interface, the server side and the interaction between components. A "security" rating of programming languages helps to understand which area is most likely to contain critical vulnerabilities and therefore where a risk assessment should be carried out first.

What prevents the adoption of DevSecOps in Russia: TAdviser expert opinions

The active push for import substitution of digital technologies, which Russia adopted after falling under Western sanctions, together with expanding regulatory requirements, has increased demand for secure software development in the country. However, the adoption of DevSecOps is held back by several factors. Market participants described them to TAdviser in July 2024.

Positive Technologies considers the lack of a developed secure development culture in Russia the key barrier to the widespread adoption of DevSecOps practices.

"In some cases, companies still see information security as something that can be 'bolted on' at the last stages of software creation, and not as an integral part of the entire cycle. This thinking took root in the days when only the public sector and banks were interested in security issues, and most other industries simply did not take it seriously," said Sergei Belov, head of the banking system security research group at Positive Technologies.

[Image caption: Finding a DevSecOps specialist who understands development, security and operations is not an easy task]

According to Belov, the adoption of DevSecOps is also hampered by a shortage of specialists and by the bureaucratic organization of processes within companies. Irina Bibik, head of the QA department at the IT company SimbirSoft, agrees with the personnel problem: not everyone can afford a DevSecOps engineer on staff. At the same time, according to Bibik, a Security Champion is usually enough to implement DevSecOps practices: an employee who understands current security requirements and who already has the task of configuring processes and infrastructure to meet the standards.

According to Anton Prokofiev, software security control expert for Solar appScreener at Solar Group, finding an experienced DevSecOps specialist is a non-trivial task. Companies therefore often have to grow experts within the organization, which takes time and resources.

DevSecOps specialists can earn 300-400 thousand rubles, notes Anton Morozov, head of information security development at Maksoft, and not every company can afford such professionals. In addition, as Morozov points out, the components of secure development need to be built into the process from the very first steps; if the software production system has already been fine-tuned, introducing them seems too costly in effort.

As a rule, the cost of a DevSecOps specialist is quite high, confirms Georgy Belyakov, head of the information security department at Linx Cloud. Their high salaries reflect the need for broad experience with containerization and orchestration systems and deep knowledge of modern techniques that differ from the classical practices used in information security, he explained.

On top of the general personnel shortage of recent years, DevSecOps suffers from the difficulty of training specialists. According to Yevgeny Barsukov, head of SDET at the IT company SimbirSoft, although universities offer a training track in information security, it usually has a fairly general orientation, whereas DevSecOps is a relatively narrow specialty.

Many experts interviewed by TAdviser, speaking of the factors holding back the adoption of DevSecOps, pointed to the same issue: company leaders do not always understand the value of such practices. This is partly why they may be put off by the prospect of higher software production costs when the DevSecOps approach is introduced, said Evgeny Kalashnikov, head of the Engineering Tools stream of the Sphere platform. Tools that really meet all the requirements of secure development, help find vulnerabilities and work with different databases are quite expensive. However, as practice shows, these costs are incomparable with the information security risks that arise when the issue does not receive proper attention, he explained.

According to Andrey Malov, Product Director of TransTeleCom Regional, not all companies have matured to such technological solutions as Kubernetes or flexible development pipelines and therefore simply do not know why they would also need "some kind of DevSecOps." This technology still needs to be grown evolutionarily, and only then, once its need is understood, should companies start using it, he is sure.

"Many companies work in the old-fashioned way: developers on their own, information security specialists on their own, and system administrators separate as well. Often, in attempts to unite all this, companies run into the same answer: 'We have always done it this way, why change anything?' You have to convince not only the management but also the employees themselves," said Nikita Moskvichev, technical director of SecWare.

Regulators are a separate story: some of their requirements fit poorly with the DevSecOps methodology. As Lev Nemirovsky, a lecturer at the HSE Faculty of Computer Science, emphasized, strict regulatory requirements that force companies to follow various security and data protection standards can complicate or slow the adoption of DevSecOps practices.

Maxim Demidenko, head of the microservice infrastructure department at the fintech company Rowi, believes that by mid-2024 there are practically no companies left in Russia that can offer software for implementing DevSecOps. He also highlighted for TAdviser the problem of high software costs, which is why, according to Demidenko, companies prefer to look for open-source solutions that at least partly cover their needs for building secure development.

Kirill Semion, General Director of the National Competence Center for Holding Information Management Systems (NCC ISU), notes that when organizing procurement procedures for companies with state participation, the presence of a requirement for the developer to use DevSecOps may be considered redundant and the procedure may be challenged. In addition, according to the interlocutor of TAdviser, the introduction of DevSecOps into development is impossible without the introduction of automated code validation mechanisms. This leads to an increase in the cost of the development itself for the consumer.

According to Dmitry Grednikov, Deputy Director General for Technological Development of Innotech, overcoming barriers for DevSecOps requires an integrated approach, including personnel development, additional investments in the purchase of specialized tools and technologies, and the development of clear implementation strategies.

2023

The Ministry of Digital Development replicates DevSecOps secure development technologies on key state IT systems

As of the end of November 2023, DevSecOps technology had been introduced for the critical Public Services systems, the Unified Identification and Authentication System (ESIA) and the Interdepartmental Electronic Interaction System (SMEV), and over time it will be extended to other e-government infrastructure systems. This was reported to TAdviser by the Ministry of Digital Development and Communications of the Russian Federation.

DevSecOps technology involves adding code security verification mechanisms to the web development process with continuous integration and painless deployment of new components (the CI/CD pipeline): static (SAST) and dynamic (DAST) vulnerability scanners, control of component dependencies and embedded secrets, load testing and fuzzing. These mechanisms detect errors in a web application before it is published, so that only web components that have already passed an initial security check reach mass use.
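As an added illustration (not from the Ministry or this page), the following GitLab CI pipeline lays out the stages just listed, with publication depending on every check having passed; the run-*.sh scripts and the STAGING_URL variable are placeholders, since the page does not name the tools used.

```yaml
# Added example pipeline (GitLab CI syntax). The run-*.sh scripts and the
# STAGING_URL variable are placeholders for whatever tools and hosts are used.
stages:
  - static-checks     # SAST, dependency audit, secret scan: no running app needed
  - deploy-staging
  - dynamic-checks    # DAST, fuzzing, load testing: run against the staging copy
  - publish

sast:
  stage: static-checks
  script:
    - ./run-sast.sh .                # placeholder: static vulnerability scanner

dependency-audit:
  stage: static-checks
  script:
    - ./run-dependency-audit.sh      # placeholder: known-vulnerable components

secret-scan:
  stage: static-checks
  script:
    - ./run-secret-scan.sh           # placeholder: keys and passwords embedded in code

deploy-staging:
  stage: deploy-staging
  needs: [sast, dependency-audit, secret-scan]   # static checks gate the staging deploy
  script:
    - ./deploy.sh staging .          # placeholder: isolated staging deployment

dast:
  stage: dynamic-checks
  needs: [deploy-staging]
  script:
    - ./run-dast.sh "$STAGING_URL"   # placeholder: dynamic scan of the running app

fuzz-and-load:
  stage: dynamic-checks
  needs: [deploy-staging]
  script:
    - ./run-fuzz.sh "$STAGING_URL"        # placeholder: fuzz the request handlers
    - ./run-load-test.sh "$STAGING_URL"   # placeholder: behaviour under load

publish:
  stage: publish
  needs: [dast, fuzz-and-load]     # skipped unless every upstream check succeeded
  script:
    - ./deploy.sh production .       # placeholder: release to users
```

Each placeholder script is expected to exit non-zero when its scanner reports a blocking finding, which is what stops the pipeline before the publish stage.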

[Image caption: DevSecOps is often represented as an infinity symbol divided into the corresponding stages]

"For departmental systems, a similar methodology is offered by the State Center for Security Analysis of Mobile and Web Applications of State Information Systems," the press service of the Ministry of Digital Development explained to TAdviser. "In the Center, the analysis is carried out both with domestic tools for checking software source code (Solar appScreener, Svace, DAST appScreener, Crusher) and manually, with the involvement of information security experts. Since December 2022, more than 200 mobile and web applications of state information systems have been analyzed."

The State Center for Security Analysis of Mobile and Web Applications of State Information Systems[2] (GCA) was created on the basis of the Research Institute "VOSKHOD" in 2022. Its purpose is to raise the level of security of information systems by providing services that identify software vulnerabilities, including in mobile and web applications and in government information systems. Moreover, the center's functions include not only searching for vulnerabilities in the mobile and web applications of state information systems, but also working with their operators and customers to improve the security of those systems.

"In addition, work is underway to create a secure development pipeline on the GosTech platform," the press service of the Ministry of Digital Development said. "The pipeline will raise the level of security of the platform and of the government information systems operating on it by identifying and eliminating software flaws and vulnerabilities at all stages of the software lifecycle."

And since, under Decree of the President of the Russian Federation No. 231[3], GosTech will become the basis for both federal and regional government systems, introducing DevSecOps on this platform will cover all the most significant state information systems with the technology and thereby improve the security of the web resources of the Russian Federation as a whole.

Moscow region introduces progressive information security practices: DevSecOps, cyber training and bug bounty

In mid-November, the Information Security Center of the Moscow Region announced a tender for the introduction of DevSecOps secure development technology for its state information system "Portal of State and Municipal Services (Functions) of the Moscow Region." The project also covers services for organizing cyber training, running a vulnerability search program and assessing the security level of information resources in the Moscow region.
