Recently, I had the opportunity to attend the PSU Cybersecurity and Data Privacy Days 2. One of the sessions that caught my attention was "Accelerate Modernize Applications with Nutanix AI Platform," presented by Khun Surak Thammarak from Nutanix (Thailand) Ltd.
During the talk, Khun Surak presented a slide detailing a "Software Factory - DevSecOps with GitOps". A question immediately came to mind. We often hear about "DevOps," but what was this "DevSecOps"? What did the "Sec" part add?
That single question sent me on a learning journey. I decided to dive deeper into the topic, and I'm writing this blog to share what I discovered and explain, in simple terms, what DevSecOps is all about.
What is DevOps?
Before we talk about DevSecOps, let's quickly talk about DevOps. For years, the team that writes the code (Developers) and the team that manages the running software (Operations) worked as separate groups. This often led to slow processes.
DevOps changed that. It’s a culture and a set of practices that bring these two teams together. The goal is simple: to shorten the lifecycle of development and deliver high-quality software faster and more reliably. Think of it as turning a clumsy, multi-stage process into a single, smooth, automated assembly line.
Building Better, Faster, and Safer: A Guide to DevSecOps
Now, let's get back to the topic. DevSecOps takes the great ideas of DevOps, speed and automation, and adds a crucial ingredient: security.
Instead of having a security check at the very end of the process (which is slow and expensive), DevSecOps integrates security into every single step. Think of it as a smart, automated factory for creating software where security guards are present on the entire assembly line, not just at the final gate.
Let's walk through the factory map from the presentation.
The Two Main Characters: The Developer and the IT Operator
Our story has two key players:
The Developer: Their job is to write the code that creates the features you use in an app.
The IT Operator: Their job is to ensure the app runs smoothly for everyone to use (that is what we call "production").
DevSecOps uses an automated process to connect their work smoothly.
Part 1: The "Building" Phase (Continuous Integration)
As soon as a developer writes new code and saves it (an action called a "commit"), an automated process starts running step-by-step behind the scenes.
Code Check-up (By SonarQube): Imagine an expert reviewer who instantly scans the new code. This tool automatically checks for bugs, security vulnerabilities, and quality issues by reading the source code (static analysis), without running it. This is our first security checkpoint, ensuring problems are caught early.
Building and Packaging (App Build, Image Build): The code is then "built" and packaged into a ready-to-go container image. Think of it like putting all the ingredients for a meal into a sealed box, complete with instructions. This container has everything the application needs to run.
Storing the Box (By Harbor): This packaged container is stored in a secure warehouse, called a registry or repository. It's now an official software version that's ready for the next step.
Final Security Scan: Before it can be sent out, the packaged container gets one more security scan to make sure nothing dangerous was packed inside. This scan looks at the whole image, including the base operating system and third-party libraries that the code check-up never saw.
Keeping an Eye on Things (By Grafana): Throughout this entire process, a monitoring tool acts like an inspector. If something fails, it immediately alerts the team so they can fix it.
This whole automated building and testing process is called Continuous Integration (CI).
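To make the four steps above concrete, here is an added example of what the "building" phase can look like as a GitLab CI pipeline. It is not code from the talk or from Nutanix; the registry host (harbor.example.internal), project key, image name and CI variable names (SONAR_HOST_URL, SONAR_TOKEN, HARBOR_ROBOT_USER, HARBOR_ROBOT_TOKEN) are placeholders you would replace with your own.

```yaml
# Added example (not from the presentation): one CI pipeline covering
# code check-up -> build/package -> store in Harbor -> final image scan.
stages:
  - check
  - build
  - scan

variables:
  IMAGE: harbor.example.internal/shop/web   # placeholder Harbor project/repository
  IMAGE_TAG: $CI_COMMIT_SHORT_SHA            # one immutable tag per commit

# Step 1, code check-up: SonarQube analyses the source. With
# sonar.qualitygate.wait=true the job fails when the quality gate
# (bugs, vulnerabilities, code smells) is not met, so bad code never
# reaches the build stage.
sonarqube:
  stage: check
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - sonar-scanner
        -Dsonar.projectKey=shop-web
        -Dsonar.host.url=$SONAR_HOST_URL
        -Dsonar.token=$SONAR_TOKEN
        -Dsonar.qualitygate.wait=true

# Steps 2 and 3, build/package and store the box: build the container
# image, then push it to Harbor using a robot account (not a human login).
build_image:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  script:
    - docker build -t "$IMAGE:$IMAGE_TAG" .
    - echo "$HARBOR_ROBOT_TOKEN" | docker login harbor.example.internal
        -u "$HARBOR_ROBOT_USER" --password-stdin
    - docker push "$IMAGE:$IMAGE_TAG"

# Step 4, final security scan: Trivy inspects the packaged image (OS
# packages and application libraries). --exit-code 1 makes the pipeline
# fail on HIGH or CRITICAL findings, so a vulnerable image is never
# handed to the release phase. TRIVY_USERNAME/TRIVY_PASSWORD let Trivy
# pull from the private registry.
image_scan:
  stage: scan
  image: aquasec/trivy:latest
  variables:
    TRIVY_USERNAME: $HARBOR_ROBOT_USER
    TRIVY_PASSWORD: $HARBOR_ROBOT_TOKEN
  script:
    - trivy image --exit-code 1 --severity HIGH,CRITICAL "$IMAGE:$IMAGE_TAG"
```

Two design choices are worth noting. Tagging the image with the commit hash instead of "latest" means the release phase always deploys exactly the image that was scanned, and failing the pipeline (rather than only reporting) is what turns a scanner into a real checkpoint on the assembly line.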
Part 2: The "Release" Phase (Continuous Deployment with GitOps)
Once our software package is built and approved, it's time to deliver it to the users. This part of the process uses a method called GitOps: the desired state of the live environment is described in configuration files kept in a central Git repository, and automation continuously makes the real system match what the repository says.
The Operator's Command (Commit): The IT Operator makes a simple change in a configuration file — like updating the version number from 1.0 to 1.1.
The Automation Watcher (By Flux): A special tool (Flux) is always watching this configuration file. As soon as it sees the change, it knows it's time to act.
Automatic Deployment (Deploy Kubernetes): The tool automatically takes the new, approved software package and deploys it to the live environment using a system called Kubernetes, which manages running applications.
Final Check (E2E Tests): Even after release, automated tests run to make sure everything is working as expected from a user's perspective.
This automated release process is called Continuous Deployment (CD).
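Here is an added example of the "release" phase with Flux, again not from the talk or the slide. The Git URL (git.example.internal), namespaces, application name and image name are placeholders. The first two objects live in the cluster and tell Flux what to watch; the third is the file in the configuration repository that the IT Operator edits.

```yaml
# Added example (not from the presentation). Flux CD v2 objects.

# The Automation Watcher, part 1: tell Flux which repository to poll.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: shop-config
  namespace: flux-system
spec:
  interval: 1m                        # check Git for new commits every minute
  url: https://git.example.internal/platform/shop-config.git   # placeholder
  ref:
    branch: main
  secretRef:
    name: shop-config-auth            # read-only Git credentials
---
# The Automation Watcher, part 2: which folder of that repository to
# apply, and how. prune removes objects deleted from Git; wait makes the
# reconciliation report failure if the rollout does not become healthy.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: shop-web
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: shop-config
  path: ./apps/shop-web
  prune: true
  wait: true
  timeout: 3m
---
# apps/shop-web/deployment.yaml in the configuration repository.
# The Operator's Command is a one-line change here: image tag 1.0 -> 1.1.
# Flux notices the commit and Kubernetes rolls the new image out.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop-web
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: shop-web
  template:
    metadata:
      labels:
        app: shop-web
    spec:
      containers:
        - name: web
          image: harbor.example.internal/shop/web:1.1   # was 1.0 before this commit
          ports:
            - containerPort: 8080
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
```

Because nobody runs kubectl against production by hand, the Git history of the configuration repository becomes the audit log of every release, and rolling back is just reverting the commit that changed the tag.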
Why Does This All Matter?
This DevSecOps approach, as shown in the presentation, is a game-changer:
Speed: New ideas get to users in hours or days, not months.
Security: With security checks built into every step (the "Sec" in DevSecOps), applications are safer from the start, not as an afterthought.
Reliability: Automation reduces the chance of human error, meaning fewer bugs and less downtime for users.
My curiosity about a single word on a slide led me to understand a whole new philosophy for building software. It’s not just about being fast; it’s about being fast and safe.