“Why do we need DevSecOps?”
When software is created and deployed in a non DevSecOps environment, there’s often little consideration for how releases or updates affect security. Manual security reviews can become an afterthought and a box ticking exercise – “the auditor is in tomorrow, quick do some security!”. This haphazard approach leads to delivery delays. When security is left to the last minute, it’s almost inevitable that substantial mitigations will be needed.
Since manual security reviews are extremely laborious, teams often take risky shortcuts to keep up with the pace of deployments and environment changes.
All this puts significant pressure on security teams. They must manage security findings, as well as securing infrastructures, developments and sensitive data – while keeping compliance and regulation in mind. This becomes increasingly unsustainable as releases become more frequent.
DevSecOps tools and tactics
Put simply, DevSecOps tools should be as easy as possible for developers to use, featuring a high level of automation. It’s also important to ensure that security is unified across cloud infrastructure, data protection, and application deliveries.
With that in mind, let’s examine some of the DevSecOps tools and tactics that all organisations should implement.
Developing a robust DevSecOps strategy should be your first priority. This must be defined jointly by security teams, wider business stakeholders and DevSecOps specialists. Your strategy should include:
- A defined security baseline
- A risk tolerance definition
- Tracking for common vulnerabilities and exposures (CVEs)
- Application security testing (SAST/DAST)
- A risk/benefit analysis for security deviation requests and issues
To make informed decisions, businesses should also consider how DevSecOps tools can be integrated with IT service management tools.
It goes without saying that any app will have dependencies that could compromise security – Java, Apache, or even something like Log4J. These CVEs are notoriously tricky to follow. After all, there may be hidden dependencies that are over a decade old.
When a new CVE is discovered, it’s possible that developers may not even notice. After all, there are simply too many dependencies and vendors to keep track of them all. The only way to check for CVEs effectively is by using an automated tool. Nesting CVE checkers into the pipeline is non-negotiable.
Application security testing
Both static (SAST) and dynamic (DAST) application security testing are crucial parts of any DevSecOps toolkit.
SAST tools scan proprietary code while it isn’t running to find common vulnerabilities and suggest remediation tactics. It’s important to do this throughout the build phase, as it’s much easier to resolve issues when they’re detected early. By contrast, DAST tools are used to look for vulnerabilities in running applications. As such, these are often used later in the development cycle.
Training and communication
One of the biggest challenges to implementing DevSecOps is cultural change. Strained developers often feel like security is slowing them down. Meanwhile, security teams can be laser focused on securing apps, code, infrastructure and data – without considering time-to-market.
Unifying these diverse priorities is crucial. Security training for developers – including best practices from industry standards (OWASP, CIS etc.) and a straightforward security baseline – is a good place to start.
It’s also important for security teams to share information with developers on an ongoing basis. Keeping them informed about security findings like vulnerabilities, configuration errors and incidents helps them to see the value of security. On the other hand, by working collaboratively with developers, security teams will be better equipped to implement much-needed guardrails, reducing the friction between teams.
Overall, DevSecOps should be viewed as an integral part of the app lifecycle. It’s a no-brainer for businesses, as quickly identifying and remediating security issues saves costs and developer time in the long-term. The key to success is harnessing the power of automation and ensuring that everyone in the delivery pipeline shares accountability for security.