DevSecOps Sathvik

Uploaded by

skolipaka

DevSecOps

The Evolution of Software Development

Overview - What we'll cover
• Introduction to SDLC
• SDLC in Waterfall Model
• Transition to Agile
• Introduction to DevOps
• Evolution to DevSecOps
• Benefits and Challenges of DevSecOps

Introduction to SDLC:
SDLC is a framework that provides a systematic approach to developing software.
It defines the life cycle of a project from its initial stages to completion.

Stages of the Software Development Life Cycle:

[Diagram of the SDLC stages. Recoverable labels: User stories; UML Diagrams; Implementing/Creating Software code (Source Code); Product is built right; Right product is built; Deploying Software to the desired Operational environment; Monitoring the software]
SDLC in Waterfall Model

The waterfall model is the fundamental model of the software development life cycle, and a very simple one. It is not in
practice anymore, but it is the basis for all other SDLC models. Because of its simple structure, it is easier to
use and provides a tangible output. Once a phase is considered complete, it cannot be changed, and
this inflexibility is why the waterfall model is no longer in practice.
Transition to Agile
Agile Software Development Life Cycle (SDLC) is a modern approach to software development that emphasizes flexibility,
collaboration, and continuous improvement. It's an iterative process that breaks down the SDLC into smaller cycles, called
sprints or iterations, to deliver value incrementally.

The agile model in SDLC was mainly designed to adapt to changing requests quickly (change plans based on feedback
and new priorities).
The main goal of the Agile model is to facilitate quick project
completion. The agile model refers to a group of development
processes. These processes have some similar characteristics
but also possess certain subtle differences among
themselves.
Agile Software Development and Waterfall

[Chart comparing Agile and Waterfall. Recoverable labels: Initial Vision; Real; Optimal; Value Delivery; faster feedback; Agile; Waterfall]
Real-Time Scenario: Agile Limitations and the Need for DevOps

Scenario: A software company uses Agile to develop a new app. Teams work in sprints, adapt to changes, and prioritize
customer feedback.
Typical Software Release Process

Initial Launch

Improvements
Version 1 (1.0.0):
Replaced Framework: Initial major release.

Version 2 (1.1.0):
New Feature: Minor update adding functionality.

Version 3 (1.1.1):
Bugfix: Patch update fixing issues.

Version 4 (1.1.2):
Additional Bugfix: Further improvements and fixes.

Versions evolve constantly with ongoing development and maintenance.

As versions are updated, we encounter limitations in the Agile model.
Agile: Why Do Limitations Occur in Agile, and How Does DevOps Overcome Them?

Focus: Iterative development and quick, incremental changes with flexibility and collaboration.

Limitations:

• While Agile includes Continuous Integration (CI) for improving code quality and feedback speed, it doesn't inherently cover the later stages of deployment.

• Uses Continuous Integration (CI) for regular code integration and fast feedback among developers, but with less collaboration between the Dev and Ops teams.

[Figure label: Quickly delivering High Quality code]

DevOps:

Focus: Extends Agile by adding Continuous Delivery (CD) and Deployment, emphasizing automation and collaboration between
development and operations.

CI/CD Role: Includes both CI and CD to automate testing, building, and deployment for reliable production releases.
Introduction to DevOps

A philosophy that aims at building up a culture of collaboration between originally isolated teams.

Teams involved:
• Software Development
• Deployment Operations

Improving efficiency by eliminating the boundaries between these two phases of development.

[Diagram labels: Development; IT Operations]

Includes:
• Continuous integration, where the coding, building, integration, and testing processes are carried out.
• Continuous delivery, which includes continuous integration but mainly focuses on product delivery.
• Continuous deployment, which aims at automating project deliveries.

The core idea behind DevOps is to create a culture of shared responsibility, where both developers and operations staff
work together throughout the entire lifecycle of a project, from design and development to production support.
Limitations that DevOps is going to solve

Miscommunication and lack of collaboration

Result:
Stretching the release period for days, weeks or even months

Conflict of interest
• Resist the speed of release
• Check that it's 100% safe

Result:
Slowdown of the release process
Choosing DevOps:

Increased Deployment Frequency: DevOps enables organizations to deploy software more frequently,
facilitating faster response to market changes and improving time-to-market for new features.

Reduced Deployment Failures and Rollbacks: By incorporating continuous testing and integration,
DevOps helps to reduce the number of deployment failures by identifying issues early in the development
process.

Faster Recovery Time: In case of a failure, the principles of DevOps (smaller, more frequent updates)
allow for quicker recovery times since it's generally easier to identify and fix problems in smaller change
sets.

Enhanced Collaboration and Communication: DevOps fosters a culture of collaboration between
development and operations teams, breaking down silos and improving efficiency and innovation.

Automation of Manual Processes: By automating repetitive tasks like testing, integration, and
deployment, teams can focus on more value-adding activities.
Core Components of DevOps
Automation:
Continuous Integration/Continuous Deployment (CI/CD) Pipeline
Continuous Integration
Continuous Delivery/Deployment (CD)
Continuous Integration/Continuous Deployment (CI/CD) Tools:
Automates the build, test, and deployment processes for faster releases.

Jenkins: Automation server for building, testing, and deploying.
GitLab CI/CD: Integrated CI/CD for version control and automation.
CircleCI: Supports fast, scalable CI/CD processes.
Infrastructure as Code (IaC): Manages infrastructure through code, enabling repeatable and consistent
environments.

Terraform: Automates infrastructure provisioning.
Ansible: Manages configuration and application deployment.
Puppet: Provides system automation and management.

Containerization and Orchestration:

Docker: Container platform for application packaging and deployment.
Kubernetes: Orchestrates containerized applications at scale.
Continuous Feedback:

Monitoring and Logging: Provides real-time insights into application performance and user behavior.
Monitoring and Logging:

Prometheus: Monitoring system and alerting toolkit.
ELK Stack (Elasticsearch, Logstash, Kibana): Centralizes and visualizes logs.
Grafana: Visualizes metrics and logs from multiple sources.
IaaS (Infrastructure as a Service):
Refers to the infrastructure where logs are generated. These could be servers, virtual machines, or other cloud resources.

Log Aggregation:
Collects logs from various sources in the IaaS environment. It's crucial for centralizing data to monitor, analyze, and secure
systems effectively.

Storage Systems:
Short Term Storage: Holds recent logs for quick access and analysis.
Long Term Storage: Archives older logs for compliance and historical analysis.

Query Interface:
A tool that allows users to query the log data stored in short-term storage to gather insights or troubleshoot issues.
Anomaly Detection:
Identifies unusual patterns or activities in log data that could
indicate security threats or operational issues. These anomalies
trigger alerts.

Alerting System:
Sends notifications or alerts when anomalies are detected. This
enables rapid response to potential issues.
Leveraging tools like Splunk for log aggregation and query
interfaces, DevSecOps can analyze data to improve security
measures continuously.
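
The aggregation, query, anomaly detection and alerting stages described above, in miniature, as an added example that is not part of the original slides. The log lines, the simplified sshd-style format, the threshold of 4 failures in 60 seconds and all function names are constructed assumptions; storage tiers are left out.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs from two hosts (not real data); the addresses come
# from the reserved documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
WEB01 = [
    "2024-05-01T10:00:01Z web01 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:09Z web01 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:40Z web01 sshd: Accepted password for deploy from 198.51.100.4",
]
DB01 = [
    "2024-05-01T10:00:05Z db01 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:12Z db01 sshd: Failed password for oracle from 203.0.113.7",
    "2024-05-01T10:09:00Z db01 sshd: Failed password for deploy from 198.51.100.4",
]

def parse(line):
    """Split one log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg

def aggregate(*sources):
    """Log aggregation: merge every source into one time-ordered stream."""
    events = (parse(line) for src in sources for line in src)
    return sorted(events, key=lambda e: e[0])

def query(events, needle):
    """Query interface: events whose message contains `needle`."""
    return [e for e in events if needle in e[2]]

def detect_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Anomaly detection: flag a source IP once it reaches `threshold`
    failed logins inside a sliding `window`, counted across all hosts."""
    recent, alerts, flagged = defaultdict(deque), [], set()
    for ts, host, msg in query(events, "Failed password"):
        ip = msg.rsplit(" ", 1)[-1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(f"ALERT {ts.isoformat()} {ip}: "
                          f"{len(q)} failed logins in {window.seconds}s")
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(aggregate(WEB01, DB01)):
        print(alert)                   # alerting system: here just stdout
```

Each host on its own sees only two failures from the address, so the burst is detected only on the aggregated stream, which is the reason the slide calls centralizing logs crucial.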
Core Components of DevOps

Continuous Testing:

Automated Testing: Ensures code quality and functionality with every change.
Evolution to DevSecOps
Scenario:

Background: A company using DevOps practices experiences frequent software releases with high efficiency.
Security is handled in a separate phase, often just before deployment.

Challenge: During a critical deployment, a security vulnerability is discovered late, requiring urgent patching.
This causes delays, impacts delivery schedules, and affects customer trust.

Issues Identified:
Security as a bolt-on: Addressed too late in the development cycle.
Lack of integration: Security teams work separately from Dev and Ops.
Increased risk exposure: Fast-paced releases overlook important security checks.

DevSecOps: Making It Happen


After understanding the value of a DevOps mindset, making the cultural shift and reaping the benefits, many
companies are aiming for the next big step: integrating development, operations, and security into one
organization.
Deep dive into DevSecOps

What is DevSecOps?
DevSecOps is the practice of integrating security testing at every stage of the software development process. It includes tools
and processes that encourage collaboration between developers, security specialists, and operation teams to build software that is
both efficient and secure.
What does DevSecOps stand for?
DevSecOps is an extension of the DevOps practice. Each term defines different roles and responsibilities of software teams when
they are building software applications.

• Development is the process of planning, coding, building, and testing the application.
• Security means introducing security earlier in the software
development cycle. For example, programmers ensure that the code is
free of security vulnerabilities, and security practitioners test the
software further before the company releases it.
• The operations team releases, monitors, and fixes any issues that arise
from the software.
Challenges:

Cultural Change: Teams must shift their mindset to prioritize security alongside
development and operations. This requires collaboration and new ways of working
together.

Integration Complexity: Incorporating security into existing DevOps pipelines can be complex.

Benefits:

Enhanced Security: Proactive security measures reduce vulnerabilities.

Faster Releases: Security integrated early allows for smooth and rapid deployments.

Improved Compliance: Continuous adherence to security standards and regulations.

Collaboration: Fosters a culture of shared responsibility and teamwork.
