DevSecOps, or development, security, and operations revolves around integrating security practices into the entirety of the software development lifecycle (SDLC). According to DevSecOps: a Multivocal Literature Review, “The need for security in DevOps is met by DevSecOps. This concept is an attempt at creating and including modern security practices that can be incorporated in the fast and agile world of DevOps. It promotes an extension to DevOps’ goal of promoting collaboration between developers and operators by involving security experts from the start as well.” The idea of DevSecOps builds upon traditional DevOps, which treats security as a separate phase occurring at the end of the development process, by ensuring security is prioritized throughout the creation of software.
The use cases of DevSecOps in healthcare
Automating compliance
DevSecOps automates compliance checks with the CI/CD (continuous development and delivery) pipeline. It involves implementing tools that continuously audit code changes against compliance standards and generating audit trails that document efforts to maintain compliance.
Medical device software security
For medical devices connected to networks, it conducts threat modeling to identify vulnerabilities specific to medical software. This assists in addressing security risks early on and allows organizations to mitigate cyberattacks on medical devices.
Telemedicine security
In developing telemedicine platforms, DevSecOps uses automated vulnerability testing integrated into the development process. It can identify security flaws before they take place. Continuous threat monitoring improves the security posture of telemedicine applications by allowing for the real-time detection of potential attacks.
The practical application of DevSecOps in healthcare
Healthcare organizations that do not develop software but wish to leverage the benefits of DevSecOps can adopt strategies for its simple application into operational practices.
These include:
- Partnering with software vendors like Science Soft that integrate the DevOps principles into each stage of SDLC.
- Investigating a vendor's security protocols, compliance certifications, and their approach to security integration before purchase.
- Establishing internal security policies that align with DevSecOps principles like focusing on data protection and risk management when handling protected health information (PHI).
- Ensure that all software used prioritizes security principles in a way that aligns with the principles of DevSecOps continuous security provisions to ensure the entirety of the organization's system remains secure.
FAQs
What is the CI/CD pipeline?
Continuous integration and continuous delivery/deployment pipeline is an automated framework used in software development that streamlines building, testing, and deploying applications.
What are the methods of vulnerability testing?
The methods of identifying security weaknesses in applications and systems include:
- Static application security testing
- Dynamic application security testing
- Interactive application security testing
- Penetration testing
- Vulnerability scanning
- Code review
How are cyberattacks leveraged against medical devices?
Methods of exploiting vulnerabilities in medical devices include:
- Network exploitation
- Malware infiltration
- Remote access attacks
- Supply chain vulnerabilities
Kirsten Peremore
