An Introduction to Decentralized DevSecOps - OpenZeppelin blog

Written by Jonathan Alexander | Feb 17, 2021 5:00:00 AM

In traditional IT and web2, many organizations have separate teams for development, security, and operations. Separate teams mean communication and process complexity, so throughput is reduced and frustration goes up. For a short time, I worked in a large telco and saw this firsthand; I witnessed how these complexities led to significant bottlenecks and delays.

As we build a community of decentralized services for the open economy, we could easily repeat errors of the past. But let’s not. Instead, we can build better tools and infrastructure that will automate our processes and we can incentivize and reward decentralized service providers.

What is DevSec?

DevSec is about helping us build faster with security. For example, with OpenZeppelin Contracts we provide developer libraries that bake in security and that make operations easier. This includes DevSec coverage for:

  • Implementing token standards safely and correctly
  • Adding more run-time protections like reentrancy guards, pausability, timelocks
  • Better maintainability through access control mechanisms and safe upgrades
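As an added illustration of the run-time protections and access control listed above (example code written for this page, not taken from OpenZeppelin Contracts or Defender), the following hypothetical vault combines the library's ReentrancyGuard, Pausable and AccessControl mixins; it assumes OpenZeppelin Contracts v4.x import paths and names (`GuardedVault`, `PAUSER_ROLE`) chosen here for illustration:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// OpenZeppelin Contracts v4.x paths (assumed; newer releases moved the security/ files to utils/).
import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical ETH vault used to show how the library mixins compose.
contract GuardedVault is AccessControl, Pausable, ReentrancyGuard {
    // Role that may halt deposits and withdrawals in an emergency.
    bytes32 public constant PAUSER_ROLE = keccak256("PAUSER_ROLE");

    mapping(address => uint256) public balances;

    // `admin` can be a TimelockController address so that role changes and
    // unpausing are delayed and visible on-chain before they take effect.
    constructor(address admin, address pauser) {
        _setupRole(DEFAULT_ADMIN_ROLE, admin);
        _setupRole(PAUSER_ROLE, pauser);
    }

    // whenNotPaused: blocked while the PAUSER_ROLE has halted the contract.
    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    // nonReentrant rejects any re-entry into this function during the external call;
    // the balance is also reduced before the call (checks-effects-interactions),
    // so a callback from the recipient cannot withdraw the same funds twice.
    function withdraw(uint256 amount) external whenNotPaused nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Emergency stop can be triggered quickly by the pauser.
    function pause() external onlyRole(PAUSER_ROLE) {
        _pause();
    }

    // Resuming is reserved for the admin (ideally the timelock), not the pauser.
    function unpause() external onlyRole(DEFAULT_ADMIN_ROLE) {
        _unpause();
    }
}
```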

What is SecOps?

SecOps is about running decentralized services faster with security. For example, with OpenZeppelin Defender we provide operations automation and infra services that are required for secure dapps. This supports SecOps with:

  • Simplified administration and faster emergency response
  • Automation of administrative and operations tasks
  • Infra services designed to help ensure reliability and performance
  • Better detection of issues and potential exploits

What is DevSecOps?

DevSecOps means streamlined processes, more automation, and ultimately less people-time. Time is always our most precious resource, and this is triply true for start-ups. Hiring is hard and expensive, and we all have big backlogs already (what I like to call “work opportunity”!), so it’s easy to defer extra work on security and ops.

Another area of innovation is in how to involve external workers to help in ops in a decentralized on-demand way. This is done through incentives and rewards. Think of Uber for ops. Andre Cronje’s keep3r.network is a great example of an early experiment along these lines, and we are glad to support it with Defender. This is a big and important topic; can decentralized workers help support decentralized services, and can that actually lead to better security and reliability? More to say about this soon.