InfoGuard AG: DevOps at its limits: How DevSecOps protects against cyber risks

November 21, 2025

  1. The definition provided by NIST states that DevSecOps helps to ensure that security is considered as part of all DevOps practices by integrating security practices and automatically generating security and compliance artefacts across processes and environments.
  2. A much more detailed definition comes from the US Department of Defence (DoD): DevSecOps is a combination of software engineering methods, practices and tools that integrates software development (Dev), security (Sec) and operations (Ops).

At the heart of the DevSecOps paradigm is security by design – the claim that security should not be added on, but built into every phase of the development process.

What DevSecOps means:

  • Shift-left security: Security testing during the development phase.
  • CI/CD: Inclusion of automated security checks in CI/CD pipelines.
  • Continuous compliance: Regulatory requirements expressed and checked as code rather than in periodic manual audits.
  • Shared responsibility: Every team member is responsible for maintaining security.
  • Zero trust architecture: Zero trust must be the target security model for cybersecurity in DevSecOps software factories and platforms.

The big challenge: The software supply chain

The success of DevSecOps requires an understanding of the software supply chain. It comprises all hardware, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), tools and processes that are combined to deliver a specific software capability. Like a physical supply chain, it is a chain of dependencies: a compromise at one link reaches everything downstream of it.

The particular challenge in the financial sector: innovation and compliance

DevSecOps is more of a necessity than a luxury, especially in Switzerland with its robust financial sector and strict data protection regulations. The problem: how can a balance be found between the need for innovation and regulatory requirements?

According to the study cited, platform engineering teams are now present in 54% of Swiss companies. These groups are essential for developing secure platforms that enable agility and compliance.

AI as a revolution in DevSecOps

The integration of artificial intelligence is fundamentally changing the rules of the game. AI is most commonly used by DevOps teams to automate repetitive tasks (22 per cent), prevent incidents and improve code quality (around 19 per cent each).

AI opens up completely new possibilities for DevSecOps:

  1. Meaningful identification of vulnerabilities: AI systems can not only identify security gaps but also assess their severity and suggest possible fixes. Code review that previously took hours can now run in near real time.
  2. Detecting anomalies in production environments: Machine learning models learn the ‘normal’ behaviour of an application and raise an alarm on suspicious activity, often before a human operator notices that something is wrong.
  3. Automated remediation of security vulnerabilities: AI is already used by 28% of teams for code review and analysis. AI that not only detects problems but also remediates them automatically is the next stage of development.

CI/CD pipeline security: The heart of DevSecOps

Malicious cyber actors (MCAs) view software supply chains and CI/CD environments as attractive targets, as outlined in NSA and CISA guidelines. The dangers are numerous and complex:

Three typical risks to CI/CD security are:

  1. Insecure code: Integrating third-party code and failing to scan source code components can introduce vulnerabilities into a CI/CD pipeline.
  2. Poisoned pipeline execution (PPE): An MCA who can modify a repository, and in particular its pipeline definition, injects commands that the CI system then executes with the runner's permissions and secrets. The build process is manipulated by abusing write permissions in source code management repositories, not by exploiting a flaw in the build tools themselves.
  3. Disclosure of secrets: Cloud-native CI/CD tools rely on a set of secrets (tokens, keys, passwords) to reach sensitive resources such as databases and codebases. If those secrets leak through logs, build artefacts or repository history, an attacker obtains the same access the pipeline has.

Three important security measures for CI/CD pipelines:

  1. Zero Trust in CI/CD: This model helps identify and prevent successful compromises of the environment by ensuring that no user, endpoint or process is trusted by default; every build step gets only the permissions and secrets it needs.
  2. Integrate a static code analysis tool into the build process to check the code for common security vulnerabilities and compliance issues.
  3. Implementation of SBOM: By helping to track all open-source and third-party components within the codebase, SBOM and SCA can be beneficial for both DevSecOps and the software development lifecycle (SDLC).
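To make the SBOM/SCA measure concrete, here is an added example (not code from this page or from any InfoGuard tool) that reads a CycloneDX SBOM in JSON and matches each component's package URL (purl) against a small advisory list. The SBOM, the package names and the advisory IDs are all constructed for the illustration; the version comparison is a simplified numeric one, where real SCA tools apply ecosystem-specific ordering rules. A component without a purl is reported too, because it cannot be matched and therefore cannot be cleared either.

```python
"""Added example: match a CycloneDX SBOM against an advisory list (simplified SCA)."""
import json
import re

# Constructed CycloneDX 1.5 SBOM; package names and versions are fictitious.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-auth", "version": "1.4.2",
     "purl": "pkg:pypi/acme-auth@1.4.2"},
    {"type": "library", "group": "com.example", "name": "json-tools", "version": "3.1.0",
     "purl": "pkg:maven/com.example/json-tools@3.1.0"},
    {"type": "library", "name": "left-trim", "version": "0.9.0",
     "purl": "pkg:npm/left-trim@0.9.0?type=tgz"},
    {"type": "library", "name": "vendor-blob", "version": "1.0"}
  ]
}"""

# Constructed advisories in OSV-style range form: affected when introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:pypi/acme-auth", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-0002", "package": "pkg:maven/com.example/json-tools", "introduced": "0", "fixed": "3.0.0"},
    {"id": "ADV-0003", "package": "pkg:npm/left-trim", "introduced": "0.9.0", "fixed": None},
]


def parse_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (package part, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, None
    name, _, version = base.rpartition("@")
    return name, version


def version_key(v):
    """Tuple of leading integers per dotted segment ('1.4.2' -> (1, 4, 2)).
    Simplified: pre-release tags are ignored; real SCA tools use ecosystem-specific ordering."""
    key = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        key.append(int(m.group()) if m else 0)
    return tuple(key)


def is_affected(version, introduced, fixed):
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def find_vulnerable(sbom_json, advisories):
    """Return one finding per (component, advisory) match, plus one per component without a purl."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append({"component": comp.get("name"), "version": comp.get("version"),
                             "advisory": None, "note": "no purl; component cannot be matched"})
            continue
        package, version = parse_purl(purl)
        for adv in advisories:
            if adv["package"] == package and version and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": comp.get("name"), "version": version,
                                 "advisory": adv["id"],
                                 "note": f"affected, fixed in {adv['fixed'] or 'no fix yet'}"})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(finding)
```

Run stand-alone, it reports acme-auth 1.4.2 (in the affected range), left-trim 0.9.0 (affected, no fix published) and vendor-blob (no purl, unmatchable), while json-tools 3.1.0 is cleared because it is at or above the fixed version.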

Platform engineering as a catalyst for security

A DevSecOps platform is a collection of resources and capabilities that serves as the foundation for developing and operating additional features or services within the same technical framework.

Platform engineering enables development teams to work independently in standardised, secure environments. This includes:

  • Security measures: Automatically enforced, predefined security policies
  • Compliance as code: The platform integrates regulatory requirements
  • Self-service security: Developers can use security tools independently.

The state known as Continuous Authorisation to Operate (cATO) is reached when the organisation that builds, protects and operates a system can demonstrate that it is mature enough to maintain a robust cybersecurity posture on an ongoing basis, instead of being re-authorised at fixed intervals.

The Graf method: putting FHNW theory into practice

According to Prof. Dr Sebastian Graf from the University of Applied Sciences and Arts Northwestern Switzerland (FHNW), ‘DevOps does not think in terms of projects, but in terms of products’. The key to the success of DevSecOps lies precisely in this product orientation – and in a methodical approach that consistently combines technology, processes and mindset.

A key element of Zero Trust is DevSecOps: development and engineering teams work closely together, driven by a clear vision and a structured strategy.

According to the US Department of Defence’s principles, for DevSecOps to be fully implemented, security and functional capabilities must be developed, tested and tracked at every stage of the lifecycle – long before problems can even reach production.

Platforms, NIST, open standards: key building blocks of modern software security

Use integrated platforms:

  • Code management, pipelines, planning and security analyses are included in platforms such as GitLab, usually in higher/premium subscriptions.
  • Cross-team collaboration is facilitated by an integrated process.
  • Use consolidated solutions to prevent the proliferation of tools.
  • Use thorough security scanners.

According to NIST SP 800-204D, the following are relevant:

  • Code analysis with SAST (Static Application Security Testing). Use DAST (Dynamic Application Security Testing) for runtime testing.
  • Software Composition Analysis (SCA) for dependency checking.
  • Image security through container scanning.
  • ‘Secret Scanning’ to protect confidential login data.
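The secret-scanning item above, and the disclosure-of-secrets risk in the CI/CD section, are easy to state and harder to do without drowning in false positives. The block below is an added example (not code from this page or from any InfoGuard or NIST tool) of the core of such a scanner: a few regular-expression rules run over constructed sample lines, with a Shannon-entropy gate so that placeholder values such as a run of repeated characters are not reported, and a redacted preview so the report itself does not leak what it found. The sample lines are constructed; the AWS key ID in them is the placeholder used in AWS documentation, not a live credential.

```python
"""Added example: a minimal secret scanner with an entropy gate against placeholder noise."""
import math
import re
from collections import Counter

# Constructed sample lines (a mix of config and shell). AKIAIOSFODNN7EXAMPLE is the
# key ID that AWS documentation uses as a placeholder, not a live credential.
SAMPLE_LINES = [
    "# constructed sample, not a real configuration",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "db_password = changeme",
    "API_KEY = ${API_KEY}",
    "token = aaaaaaaaaaaaaaaaaaaa",
    "export SECRET_TOKEN='k7Qz9vX2pL4mN8rT3wYb6cD1'",
    "-----BEGIN RSA PRIVATE KEY-----",
    "timeout = 30",
]

# (rule name, compiled pattern, capture group holding the secret value; None = whole match)
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 1),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"), None),
    ("generic-credential",
     re.compile(r"(?i)\b\w*(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
     1),
]
ENTROPY_THRESHOLD = 3.0  # bits per character; repeated or dictionary-like values fall below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-character-repeat string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value):
    """Show only the first four characters so the report itself does not leak the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_lines(lines):
    """Return findings as dicts with 1-based line number, rule name and redacted preview."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for rule, pattern, group in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(group) if group else m.group(0)
            # The generic rule also matches placeholders like 'aaaa...'; drop low-entropy values.
            if rule == "generic-credential" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"line": lineno, "rule": rule, "preview": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['rule']} ({f['preview']})")
```

Against the sample, the scanner reports the AWS key ID on line 2, the high-entropy literal assigned to SECRET_TOKEN on line 6 and the private-key header on line 7; it stays quiet on the short password, the `${API_KEY}` placeholder and the all-`a` token. In a pipeline the same logic would run as a pre-commit hook and as a pipeline stage, and a hit should fail the build rather than merely warn.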

Use open standards:

  • CycloneDX: Software Bill of Materials (SBOM) format for transparency over the components in a build.
  • SPDX: SBOM format for component tracking and licence compliance.
  • SLSA (Supply-chain Levels for Software Artifacts): a framework for build integrity and verifiable provenance. Every company should be familiar with these standards recommended by the OpenSSF (Open Source Security Foundation), which also maintains SLSA.
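SLSA only pays off if someone checks the provenance before an artefact is deployed. As an added example (not from this page, and not InfoGuard's or OpenSSF's code), the block below shows that consumer side: a build platform emits provenance as an in-toto Statement with a SLSA v1 predicate, and the deployer recomputes the artefact digest, compares it with the statement's subject and checks that the builder identity is one it trusts. The artefact bytes, builder URL, build type and source URL are constructed placeholders. A real verification first checks the signature on the DSSE envelope around the statement; that step is assumed to have been done by a tool such as slsa-verifier or cosign and is not repeated here.

```python
"""Added example: checking a SLSA v1 provenance statement against a built artefact."""
import hashlib
import hmac
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"

# Constructed artefact and a constructed builder identity; the URLs are placeholders.
ARTIFACT = b"constructed release artifact bytes\n"
ARTIFACT_NAME = "app-1.2.3.tar.gz"
TRUSTED_BUILDER = "https://ci.example.com/builders/release@v1"


def statement_json(artifact, name, builder_id):
    """Produce a minimal in-toto Statement with a SLSA v1 predicate (unsigned, for illustration)."""
    st = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.com/buildtypes/container@v1",
                "externalParameters": {"source": "https://git.example.com/app.git"},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    return json.dumps(st)


def verify_provenance(statement_text, artifact, name, trusted_builders=(TRUSTED_BUILDER,)):
    """Return (ok, reason). Assumes the DSSE envelope signature was already verified by the
    caller (e.g. with slsa-verifier or cosign); this checks only the statement's content."""
    st = json.loads(statement_text)
    if st.get("_type") != STATEMENT_TYPE:
        return False, "unexpected statement type"
    if st.get("predicateType") != SLSA_PREDICATE_TYPE:
        return False, "not a SLSA v1 provenance predicate"
    builder = st.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    subjects = [s for s in st.get("subject", []) if s.get("name") == name]
    if not subjects:
        return False, f"artifact {name!r} is not a subject of this provenance"
    expected = subjects[0].get("digest", {}).get("sha256", "")
    actual = hashlib.sha256(artifact).hexdigest()
    # Constant-time comparison; the digest is not secret, but the habit costs nothing.
    if not hmac.compare_digest(expected, actual):
        return False, "sha256 digest mismatch: artifact does not match the provenance"
    return True, "ok"


# A statement from the trusted builder, and one claiming an untrusted builder identity.
GOOD_STATEMENT = statement_json(ARTIFACT, ARTIFACT_NAME, TRUSTED_BUILDER)
FORGED_STATEMENT = statement_json(ARTIFACT, ARTIFACT_NAME, "https://attacker.example/builder")

if __name__ == "__main__":
    print(verify_provenance(GOOD_STATEMENT, ARTIFACT, ARTIFACT_NAME))
    print(verify_provenance(GOOD_STATEMENT, ARTIFACT + b"tampered", ARTIFACT_NAME))
    print(verify_provenance(FORGED_STATEMENT, ARTIFACT, ARTIFACT_NAME))
```

The three calls at the bottom show the cases a deployment gate must distinguish: a matching artefact from a trusted builder passes, a modified artefact fails on the digest, and provenance that names a builder outside the allow-list is rejected before the digest is even looked at.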

Cloud security in transition: The 6 biggest threats to DevSecOps

According to recent studies by the Cloud Security Alliance, DevSecOps must address the following critical threats.

  • Insecure software development: Due to the complexity of cloud computing, developers may inadvertently create insecure software with exploitable vulnerabilities.
  • Inadequate change control and misconfigurations.
  • Weaknesses in identity and access management.
  • Insecure APIs and interfaces.
  • Limited observability/visibility of the cloud.
  • APTs (Advanced Persistent Threats).

DevSecOps maturity: What companies need for a secure future

For DevSecOps, this means that although the tools and technologies are available, careful implementation is the key to success. DevOps adoption is progressing particularly well in small and medium-sized enterprises, whereas larger companies struggle to scale it across the organisation.

‘The secret to long-term security is complete independence from vendors.’

Reducing vendor dependency and ensuring the freedom of system components are also important aspects when it comes to a secure software supply chain.

Why open source matters for DevSecOps

Due to the easier interchangeability of providers and components, open source solutions offer greater flexibility. Despite obstacles such as licence changes or financing problems for certain projects, the open source landscape is developing positively.

Suggestions for Swiss companies:

  • Consider alternatives to established market leaders.
  • Consider open infrastructure options.
  • To utilise security services, take out corporate subscriptions.
  • Maintain the open source ecosystem in a sustainable manner.

This approach improves transparency and control over your own security infrastructure while reducing vendor lock-in.

The 4-phase implementation: The business case for DevSecOps

According to a study by NIST, DevSecOps is crucial for minimising vulnerabilities, malicious code and other security issues in software without delaying code development and releases. Building on this insight, a step-by-step development towards true DevSecOps maturity begins.

The path to DevSecOps maturity involves four crucial phases:

1. Initial use

  • Start with pilot projects.
  • Focus on short-term gains.
  • Create a network and appoint security officers.

2. Integration and scaling

  • Increase the number of teams.
  • Integrate security tools into every pipeline.
  • Define KPIs and security metrics.

3. Innovation and optimisation

  • Use ML and AI to improve security.
  • Put predictive security analytics into practice.
  • Achieve continuous authorisation (cATO).

4. Change strategy

  • Security becomes a business enabler.
  • Full alignment with business objectives.
  • Leading position in the secure development industry.

DevSecOps as a competitive advantage: Why secure development makes you faster

DevSecOps turns security from a hindrance into a booster. In times of increasing cyber attacks and stricter regulations, companies cannot afford to treat security as a secondary process.

The good news is that the tech community is on the right track. With the increasing use of AI, the introduction of DevOps practices and the creation of platform engineering teams, the foundations have been laid.

The current challenge is to view security as an essential part of product development rather than an add-on. Companies are creating a secure and sustainable development environment by using integrated platforms, adopting open standards such as CycloneDX and SLSA, and carefully avoiding vendor lock-ins.

To reduce risks at every stage, DevSecOps leverages the combined experience and knowledge of the entire software supply chain, as emphasised by the US Department of Defence.

After all, those who develop securely usually also develop faster in the digital economy. And the fastest developers win, especially when it comes to open standards and vendor independence.

Protect your DevOps journey with InfoGuard as your partner

The first step is to understand DevSecOps; the real difficulty lies in successful implementation. We can support you if you are ready to change the security of your software development process but need professional advice.

The key benefits of your DevOps security assessment:

  • Strengthen technical security: Thorough analysis of your platform, identification of critical vulnerabilities and clear recommendations for hardening according to industry standards.
  • Increase process maturity: Assessment of your DevSecOps procedures, identification of gaps compared to best practices and a roadmap for optimisation and scaling.
  • Embed secure development: Review of your software development, integration of security measures throughout the entire SDLC and concrete shift-left recommendations.
  • Reliably meet standards: Assessment based on CIS, CISA and NIST frameworks for a traceable, audit-proof and standards-compliant security architecture.
