Well, it’s all about automation. As your organization grows, its footprint of products it sells expand, and the number of tools and service providers it deploys increases. As a result, achieving compliance and receiving successful audit reports becomes more difficult. You reach a point where you realize that a manual ad-hoc approach has to give way to a more sophisticated automated one to reduce overall risk to the business and avoid costly compliance gaps.
Before we go into more detail here is a brief grounding on what these terms mean.
DevOps
DevOps is a set of practices that combines software development (Dev) and information-technology operations (Ops) which aims to shorten the systems development life cycle and provide continuous delivery with high software quality
(courtesy: Wikipedia)
SecOps
SecOps is a practice by which security teams continuously automate security tasks and their ongoing Execution, Testing, and Reporting. The aim is to reduce manual dependence in a fast-changing environment, reduce risk and improve overall security posture.
DevSecOps
DevSecOps is the practice of combining SecOps with DevOps. This ensures that security tasks are embedded early in the deployment lifecycle of an application and that security is incorporated as a part of regular application development.
How does it all matter for compliance?
DevSecOps can play a very critical role in automating your security controls especially the ones which are at a daily or weekly frequency such as
- Configuration checks of WAF ( Web Application Firewall ) setup
- Elevated access validation for live database servers
- Source code review for security gaps
These controls can be continuously tested and reported and results reported for compliance purposes. By embedding control tests and reporting of its status as a part of the development lifecycle or an automation workflow ensures that the health of the control is continuously reported to the control management systems and crucial evidence is collected automatically. Developers also are onboard of their compliance responsibilities while they use the tools of their liking and preference. Continuos automation of security controls using DecSecOps practices significantly reduces audit time risks and greatly reduces ongoing compliance costs.
We do see organizational challenges which would inhibit automation of security and controls in line with DevOps to assist and fast track compliance but as business risks grow organizations will pay more attention to DevSecOps