DevSecOps: The What, Why, Who, and How

By way of a brief introduction, I have had a 25+ year career in technology, and this has come with some wonderful experiences and opportunities along the way. One constant throughout my journey has been a need to increasingly leverage data, enabling informed (even automated) decisions at all levels to ensure that secure, high-performing and observable products and services are available to the customers and partners I’ve been supporting.

For the last two decades or so, we have seen the evolution and innovation from Agile to DevOps and, more recently, DevSecOps. In June 2022 at .conf22 in Las Vegas, we also spent some time sharing many of these capabilities; you may want to reference these sessions and recordings in “4 DevSecOps Sessions at .conf22 You Do Not Want To Miss.”

This is the first blog in a series in which we will be providing more DevSecOps technical insights to inform you on how to adopt these practices for your own use.

What Is DevSecOps

First off, we should all recognize that DevSecOps is a practice. However, as with any practice, you also need capabilities to make it visible and a reality. These capabilities are what Splunk has delivered through iterative collaboration with some of our leading customers and partners.

Here are a few perspectives which help define what DevSecOps is:

  • Gartner defines DevSecOps as, “DevSecOps is the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible. Ideally, this is done without reducing the agility or speed of developers or requiring them to leave their development toolchain environment.”
  • TechTarget defines DevSecOps as, “DevSecOps (development plus security plus operations) is a management approach that combines application development, security, operations and infrastructure as a code (IaaS) in an automated, continuous delivery cycle.”
  • The TechBeacon Guide ‘DevSecOps and Security as Code’ opens with the statement, “The future is security as code. Find out how DevSecOps gets you there with our guide. Plus: Discover what DevSecOps means to security professionals—priorities, training, and investments in technology and tooling—with SANS' report, ‘Rethinking the Sec in DevSecOps: Security as Code.’”
  • IDC defines DevSecOps as, “IDC's DevSecOps and Application Security researches the products, technologies, and automated security processes that are used to shift security to the left-hand side of the SDLC and that inject security into applications as part of the DevOps pipeline. This includes static, dynamic, and interactive analysis, software composition analysis, secrets management, runtime application self-protection, API security, container and Kubernetes security, and web application firewalls. It also includes the role of development tool vendors that offer code security services such as commercially supported and compliance-verified open source solutions.”
  • Accenture has a case study on their transformation to DevSecOps: “To meet Accenture’s growing business needs, the company is shifting to a new way of delivering information technology. This internal transformation focuses on optimizing the collaboration between development and operations, while embedding security into the entire process. Development, Security and Operations (DevSecOps) converges application development, security, infrastructure as code, and operations into a continuous, end-to-end, highly automated delivery cycle. Embedding security into the product development life cycle helps protect the business while maintaining speed and assisting to eliminate friction.”

Of course, as with anything treated “as a practice,” there is great benefit in collaboration and shared insights, so that teams arrive at a common understanding, agreed outcomes and a shared vision.

Why DevSecOps

Moving from the perspectives above to the specific outcomes DevSecOps is meant to drive, we have observed the following key results:

  1. Visibility
  2. Resilience
  3. Stability
  4. Automation
  5. Efficiency

The recently published global research “The Economic Impact of Data Innovation 2023” shares eight (8) key strategies for disrupting competitors, building resilience and gaining a 9.5% profit edge.

DevSecOps practices are certainly a way to build resilience across your organization and improve several of your KPIs, and as the research above shows, DevSecOps can help you gain a solid profit edge.

A great starting point is to get all your teams aligned on your desired outcomes and key objectives for the coming months and years. This will enable your teams to understand where you are and the direction you are going, so you can drive the highest value as fast as possible across your organization.

Who Gets Value From DevSecOps

DevSecOps as a practice, combined with the right tooling, delivers exceptional access to and control of cross-domain data. This in turn helps multiple teams across your organization to accelerate insights and results for your business.

DevSecOps enhances your ability to correlate and recognize outcomes that might not otherwise be known or observed. With DevSecOps, speed and scale can be achieved across teams via process automation.

Below are several DevSecOps use case examples for different personas across your organization. Each of these provides real value and results, so please use the graphic below as a reference point to start the dialog on how DevSecOps can benefit your organization.

We would love to continue the DevSecOps discussion with your organization. Over the past year we have worked very closely with our customers and organizations like yours to iteratively build value from these capabilities. Through those initial interactions we have identified 15+ personas and 20+ use cases where we are currently delivering DevSecOps process and tooling improvements with these stakeholders. There is so much opportunity to expand on these use cases, and we’d welcome direct interaction with your organization to help build out the next phase of DevSecOps solutions here at Splunk.

How To Achieve Outcomes With DevSecOps

To reiterate, DevSecOps is a practice that requires the appropriate processes and tooling to deliver results on the use cases and objectives your organization establishes. To help visualize how to start with DevSecOps, we’ve provided three specific use case illustrations below.

The images below illustrate some of the “how” of DevSecOps, highlighting:

  1. CI / CD Process: Leveraging Integrated Results Using Automation
  2. Security: Shifting Left Included At The Start And Throughout
  3. Speed: Accelerated To DevOps Velocity

Splunk provides observability across the entire DevSecOps practice and delivers actionable insights for development, operations and security teams.

Secure your critical applications with Splunk Cloud and Splunk Infrastructure Monitoring

  • Make vulnerability scans visible: Measure the coverage, effectiveness and activity of your vulnerability scanning processes.
  • Visualize measures of success: Establish cross-team KPIs and metrics to measure the success and performance of DevSecOps practices.

Secure your software delivery chain with Splunk Cloud and Splunk Enterprise Security

  • Secure access to the toolchain: Identify and alert on suspicious access to, and activity in, your dev/test environments and tools such as CI/CD, secrets management, code repositories and other development resources.
  • Ensure toolchain uptime: Support the resilience of your critical SDLC infrastructure such as CI/CD, secrets management, code repositories and artifact management.

Secure production apps with Splunk Cloud and the Observability Suite

  • Activate continuous verification: Alert on net-new production vulnerabilities and activate remediation prior to their exploitation.
  • Break visibility silos: Trace production incidents back to the originating code with full-stack monitoring. From user activity to infrastructure, Splunk APM and Splunk Infrastructure Monitoring correlate production activity to deployments. Full-stack monitoring delivers valuable context to the Splunk On-Call incident response tool to reduce MTTI and MTTR.

Next Steps

Learn more now by checking out how “Splunk Elevates DevSecOps Strategy With Visibility and Action” in our 2-page Solution Guide. We look forward to continuing the DevSecOps discussion with you and enabling you to provide insights and feedback, so that together we can create innovative solutions.

This blog post was authored by Todd DeCapua, Director of Solution Innovation Engineering at Splunk, with special thanks to Patrick Coughlin, James Brodsky and Paul Pelletier at Splunk.

Posted by Todd DeCapua

Todd DeCapua is a passionate software executive, technology evangelist and business leader with extensive hands-on expertise.

Throughout his career, he has held various leadership and strategic roles in organizations such as Splunk, JPMorgan Chase & Co., CSC, Hewlett Packard, Shunra Software, Vivit Worldwide, Apposite Technologies, TEDx Wilmington, ING Direct, Andersen Consulting, and more.

He is also an author and contributor, a well-known speaker and evangelist, and co-author of the O’Reilly published books “Effective Performance Engineering” and “Blockchain for the Enterprise,” and he is now completing a book on ‘Data’ with Manning Publications.