How to put the Sec in your DevSecOps

How to put the Sec in your DevSecOps – keeping security top of mind every step of the way

DevOps is no longer the abstract term it once was, where businesses struggled to understand how development and operations could be combined to produce a single effective strategy.

Many development teams are at some stage of adopting this methodology, but it is bringing up the question of where security fits into the process.

There is an increased desire to integrate security earlier to increase the quality and efficiency of the applications. Currently, security can be left until the last moment which, with today’s threat landscape, is becoming increasingly risky.

By working with a DevSecOps approach, businesses can benefit from more effective and trustworthy security that is prioritised throughout the pipeline.

What is DevSecOps?

DevSecOps is the process of incorporating security into the development process, where you have the most ability to pivot away from problems.

It includes the process of assessing and addressing potential threats and hardening attack surfaces, and commonly includes: penetration testing, code scanning and analysis, threat modelling and vulnerability assessments, compliance auditing, and all of the associated training that these require.

Put simply, DevSecOps involves adding security to the existing DevOps process, whereby automated tests, non-functional requirements and compliance gating are all added into the standard DevOps cycle.

The end result is that the full cycle includes automated and manual activities that are intended to verify whether or not the code can be considered trustworthy.

The combination of decomposing delivery into phases with criteria gates and the non-functional requirements (such as documentation, threat modelling, pen-testing, etc.) ensure a much higher level of quality than attempting to resolve any security issues that arise at the end of the process.

Automating security makes for higher quality code

When DevSecOps is built on CI/CD pipelines, it introduces the ability to run multiple automated security tests, which can include static code analysis, vulnerability scanners, malware scanners, and automated tests that focus on security.

DevSecOps essentially means automating these security checks, thereby making them faster, more thorough and overall more effective.

Adding automated security checks earlier in the process also enables developers to work on code that is current, rather than doing a final threat push on 3-sprints of code where the developers are looking back on code that was written more than six weeks ago, which can be a difficult switch of context.

By eliminating this challenge, both quality and hardening are built into the code far more effectively than trying to add these in at the end of the process.

As the developers incorporate these new activities into their regular routine, everyone becomes more security-minded and more likely to flag anything that they perceive to be a security risk that might not have been caught until the full security review later in the process.

The bonus of taking this approach is that through the security improving, the overall quality of the code improves as well, and therefore makes it more trustworthy for businesses.

Practice makes perfect, so don’t sideline your security

A baseline threat modelling session will help teams get a solid understanding of their current threat surfaces. This creates a foundation for every change to existing processes that will likely happen in the future, and makes the transition to DevSecOps – and keeping security front of mind – easier in the long term.

One method of doing this could be through external consultants, as they can be hugely beneficial in helping businesses get to grips with this approach.

Once a threat modelling session has been conducted, implementing automated code scanners can reduce time spent manually ensuring that developers react to the discoveries they make. And, most importantly, ensure that you don’t repeat the same mistakes over and over.

This approach will only increase efficiency if lessons are learned and new methods are integrated quickly. Implementing security training for development teams will reinforce this importance and ensure that employees are up to speed on the latest security requirements and solutions.

Get on board one step at a time

Teams don’t need to incorporate DevSecOps in one single step; it can be a more gradual process implemented in stages, whereby teams do a little more with each iteration than before. Start by incorporating pen-testing, automated code scanning, vulnerability scanning, and malware checking into the development cycle and build from there.

Though this sounds time-consuming, in reality it shouldn’t take long once the ball is rolling, and organisations can gradually integrate more security layers into the existing process, as opposed to entirely changing the system that developers know and trust.

Successful application delivery is the end goal for those working on the CI/CD pipeline, and this boils down to the quality of the final application that is produced. Businesses shouldn’t let security hold them back – it should be one of the main priorities throughout the process, and by automating many of the security checks, teams can be confident that any challenges will be resolved along the way.

DevOps teams need to stop closing their eyes to their security problems, and take action now to integrate more effective and reliable security measures into all applications for the future.

Jeff Keyes, Plutora