However, it’s imperative that when taking steps to move towards a DevOps culture, organizations don’t lose sight of the importance of software security. Unfortunately, losing sight of security is precisely what seems to be happening. Worrying DevOps security research from 2018 found that in 60 percent of organizations, security is not being integrated into DevOps processes.
There is little use in releasing software faster and more regularly if the underlying code contains vulnerabilities that cybercriminals can exploit. This article provides five best practices for integrating security into DevOps so that the two can work in harmony, leading to not only faster, more frequent software releases but also more secure code.
It’s often said that security needs to shift left if it is to be integrated properly in a DevOps culture and overcome the main DevOps security challenges. This shift left mindset encourages a change in approach from security being viewed as something that is only considered at the end of development to earlier in the development pipeline when defects are cheaper to fix. This article provides more info on DevOps security challenges.
An arguably even better approach is to redefine security as something that is implemented continuously and prioritized throughout the development cycle. The shift left idea makes sense but it is not enough because it still drives home the idea of security being a once-off discrete process that you can forget about once a certain set of tests are passed.
Increased automation is one of the distinguishing characteristics of any DevOps effort. If security is to keep pace with the speed and frequency of DevOps development cycles, it’s crucial that security tests become repeatable processes that can execute with a minimal amount of human involvement.
Adopting a security-first mindset means making security a continuous process rather than discrete, and automation helps achieve this. However, if automation is not implemented with appropriate consideration for core DevOps values such as faster software delivery, you can end up in a situation where security testing becomes a bottleneck.
For example, static testing, which aims to find errors in the early stages of the development cycle, should only be carried out against the latest additions to a codebase.
InfoSec decision-makers need to consider using tools and checks that integrate security directly with DevOps. Such tools help to weave testing into all phases of software development while encouraging developers to learn about security “on the job”. Furthermore, having vulnerable code highlighted by tests and checks during development reinforces the security-first mindset you want to instill in your organization.
Implementing a security-first approach and integrating security tools in CI/CD pipelines are helpful ways to ensure developers start to think more about the security of the code that they write.
It’s also worth bearing in mind, though, that most modern applications are composed of a substantial amount of third-party, open source code. In fact, a 2018 study found that in a sample of 1,100 scanned commercial applications, an average of 57 percent of the codebase per application was open source.
Open source libraries and frameworks provide building blocks of reusable code that save DevOps teams enormous amounts of time, facilitating the quicker software releases they strive for. The prudent integration of security into DevOps requires a focus across the entire software supply chain—not merely the code that developers write themselves.
Encourage developers to think about the source of their third-party code, whether it’s up to date, and how well it meets the security requirements for their own code.
Whatever dashboard you use, there are dozens of tools out there that help DevOps teams track their daily to-do lists and development cycles. It’s a good idea to also track security features and incidents alongside this information so that security doesn’t become an afterthought during development. Integrate your organization’s security objectives into the project goals used by DevOps teams.
The combination of DevOps and security is a powerful one that leads to the best outcome for software development companies that take steps to integrate the two. So-called DevSecOps reframes security checks, practices, and tests as happening continuously throughout CI/CD pipelines, ensuring collaboration between DevOps and InfoSec. The end result is the development of more secure, stable code without negating any of the original DevOps aims.
Author: By Gilad Maayan of Agile SEO