DevSecOps: security throughout an application's lifecycle
Security integrated automatically at all levels and throughout the software development lifecycle: this is what the DevSecOps approach promises. The name looks unfriendly at first glance, but it is simply an abbreviation of the English words development, security and operations. The approach identifies flaws and vulnerabilities in code early and reduces security risk without disrupting agile development schedules.
On the contrary, it offers greater speed and agility in deliveries, with the ability to respond immediately to possible adjustments, without the need for human intervention. Work that would take days or weeks in traditional projects can be measured in minutes with the DevSecOps methodology. Sérgio Leal Fonseca, Systems Development coordinator at RNP's Specialized Digital Services Unit (USDE), gives an example: “Updates of solutions that traditionally require windows of hours with the application down and the allocation of multiple professionals can be carried out in a transparent way, without impacting the end user and with low team allocation”.
Security, check! Agility, check! Other advantages are a higher-quality final product, thanks to the standardization, automation and improvement of processes established by DevSecOps, and a significant reduction in the cost of an application in the medium to long term, with average savings of at least 50% in the cost of hours worked by professionals and 70% in cloud costs.
Adopting the approach also affects the teams involved: it promotes a culture of collaboration and of continuous, flexible communication between security, infrastructure and development teams, in a more stable work environment with greater predictability. With tasks automated, team members are also freed up to work on more strategic tasks.
“Okay, and how to implement this method?”
That is probably the question that comes up once the concept and its benefits are clear. The National Education and Research Network (RNP) responds with a solution: DevSecOps In a Box, the organization's bet to enable any interested institution to start using the method quickly and efficiently. RNP's creation is a package that includes a wide set of tools and processes that facilitate the adoption of DevSecOps in the development of digital platforms.
This package has already been implemented in several digital solutions developed by RNP, such as the Internet Brazil project, the Single Access Portal and the platform of the National System for the Management of Genetic Heritage and Associated Traditional Knowledge (SisGen), initiatives sponsored respectively by the Ministry of Communications (MCom), the Ministry of Education (MEC) and the Ministry of Science, Technology and Innovations (MCTI). These initiatives went from conception to production in less than two months. Without DevSecOps In a Box, the same job would have taken a minimum of six months. That is a reduction of almost 67% in the timeline.
For Marcello de Jesus, Deputy Director at USDE, DevSecOps is a natural and “no way back” evolution in the way organizations approach security in the realm of software development. “DevSecOps In a Box is an excellent opportunity for RNP to support its customers in the evolution of the software development process and infrastructure management as code. The client can visualize in practice how the whole concept works. DevSecOps In a Box is a powerful instrument to support IT teams in the transition from the traditional development and operation process to a more modern, intuitive process with a totally innovative approach, providing a radical change in the culture of how to do things”.