DevSecOps — a new paper by Microsoft and Sogeti

Cracking the code in DevSecOps

DevOps practices continue to evolve and, in the new iteration that is DevSecOps, security must complement existing business, processes, culture and people. A new white paper from Sogeti and Microsoft cites this as the most challenging part of DevSecOps adoption.

The paper ‘6 tips to integrate security into your DevOps practices’ asserts that adopting an everything-as-code approach supports deployment reliability, version control, and testing effectiveness. In a series of blog posts, we’re giving you a flavor of all 6 tips, including: Tip 4: Embrace everything as code.

Reducing manual errors

Similar as in DevOps, an everything-as-code approach within DevSecOps enables more efficient and reliable operations by adopting the same mechanisms as with code development. By why is it needed? When your teams manually perform tedious tasks like provisioning infrastructure or managing application deployments, it prevents them from developing new, innovative code and executing manual actions are much more error-prone. An everything-as-code approach streamlines software development, delivery, and management, freeing up your developer teams to focus on development and increase reliability.

Think of it as the ideological application of applying an application development approach to other components of IT (including DevOps) to ensure that best practices get defined and followed with minimum effort. One of the biggest benefits of an everything-as-code approach is the decreased risk of human error. With workflows defined as code, there is less chance for an engineer following a manual checklist to forget a step or click a wrong button by mistake. It’s easier to pass audits with everything-as-code configurations automatically logging the system’s update history through Git changes.

Coding everything

An effective everything-as-code approach covers a variety of elements: infrastructure-as-code, immutable infrastructure, a secure version control system, configuration-as-code, pipeline-as-code, and policy-as-code. Each brings its own benefits that, when combined with all the others, create powerful security controls. For example, many enterprises start their transition to everything-as-code by adopting infrastructure-as-code (IaC), which enables them to manage their IT infrastructure in a reliable way.

With IaC, you enable scalable deployments and configurations across your development environment, your staging environment, and your production environment. You also minimize drift between environments. For instance, every environment is built with the same version of every component across IT systems: development, staging and production environments. What’s more, you can ensure that your middleware, OS, and your security patches are consistent throughout environments. It’s just one way to increase repeatability, improve versioning and reduce costs, but IaC alone has its limitations. Which is why an everything-as-code approach is so important.

Expanding your security reach

Even with IaC in place, long-running servers are at risk of configuration drift, with manually managed servers particularly prone to this—it’s not possible to manage a server’s configuration completely, meaning there are many opportunities for configuration drift or other unexpected server changes to occur. By adding Immutable Infrastructure, you increase security controls to your everything-as-code approach. It’s a new approach to updating infrastructure in that, instead of updating existing VMs, you create an entirely new VM that is an updated copy of the older server. This enables you to automatically install and scan images before deploying them to the cloud. Immutable Infrastructure is extremely useful for passing security audits as your teams can track vulnerability creation and fixes in real time.

Advice and best practice

From storing code in a secure version control system to allowing server configurations to be replicated across environments with configuration-as-code, and how to set up pipeline-as-code, Tip 4 offers both advice and best practices for embracing everything-as-code.


Download the white paper 6 tips to integrate security into your DevOps practices.


Clemens Reijnen
Clemens Reijnen
Global CTO of Cloud Services


Read all our DevSecOps blogs