The importance of application security has increased dramatically over the past couple of years in response to rising threats. Meanwhile, software development is changing fast, with continuous delivery and DevOps adoption continuing to grow. It seems inevitable that we'll be talking more and more in the coming year about securing DevOps and DevSecOps.
As we enter 2018, it’s a good time to talk about what security professionals and developers need to do to prepare for the biggest and most disruptive changes you’ll be seeing next year and for years to come. Here are five ways you can get your developers and AppSec teams ready for DevSecOps.
1. Re-evaluate your policies
Now more than ever, it is important to re-evaluate and build new policies that work with, and not against, the developer goal of getting good code out quickly. As the definition of quality code becomes synonymous with secure code, consider ways to align your policies with the adoption of DevSecOps:
- Start with a simple policy: no high or very high severity flaws. Then get more stringent over time as developers adopt security into their daily routine.
- Include more than just what flaws are disallowed. Make sure you also have policies around how long developers have to fix certain flaws, how often developers need to scan, the type of testing, and at what stage of development.
2. Assess your tooling and technologies
The ability to automate security testing requires integration of testing within development tools and processes. Finding code vulnerabilities early requires IDE plugins that deliver instant insights and remediation guidance as problems are introduced. Don't rely on a single solution; consider a combination of testing technologies, including static analysis, dynamic analysis, and software composition analysis, since each finds classes of flaws the others miss. You also need to ensure your policies align with the security tools and solutions your developers are using to embed security in their development cycle. For instance, do not make a manual pen test a requirement for each release, or schedule it toward the end of the release cycle when fixes are most expensive; let the automated scans gate each release and keep pen testing as a periodic check.
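To make steps 1 and 2 concrete, here is an added example (not code from the original article, and not Veracode's tooling) of a policy-as-code gate that a CI job would run after the static, dynamic and composition scans. The `Finding`, `Policy`, `evaluate` and `gate` names, the severity scale, and the sample findings are all constructed for illustration; a real pipeline would first normalize each scanner's own output (SARIF, CycloneDX, vendor JSON) into the `Finding` shape. It encodes the starting policy from step 1 ("no high or very high severity flaws") beside a stricter later policy that adds fix windows and requires a dynamic scan, as step 1 suggests tightening over time.

```python
# Added example: a CI policy gate that fails the build when findings from
# SAST, DAST or SCA scanners violate the release policy. Not from the article.
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"very_high": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    tool: str          # which scan type reported it: "sast", "dast" or "sca"
    severity: str      # one of SEVERITY_RANK's keys
    first_seen: date   # first build in which the scanner reported it
    title: str


@dataclass(frozen=True)
class Policy:
    block_at_or_above: str                   # any open finding at this severity or higher fails the build
    fix_window_days: dict = field(default_factory=dict)  # severity -> days a finding may stay open
    required_tools: frozenset = frozenset()  # scan types that must have run for this build


def evaluate(findings, tools_run, policy, today):
    """Return (passed, reasons). Every violation is reported, so a developer
    sees all of them in one build rather than one new failure per re-run."""
    reasons = []
    missing = policy.required_tools - frozenset(tools_run)
    if missing:
        reasons.append("required scans did not run: " + ", ".join(sorted(missing)))
    threshold = SEVERITY_RANK[policy.block_at_or_above]
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold:
            reasons.append(f"{f.tool}: {f.severity} finding not allowed: {f.title}")
            continue
        window = policy.fix_window_days.get(f.severity)
        open_days = (today - f.first_seen).days
        if window is not None and open_days > window:
            reasons.append(f"{f.tool}: {f.severity} finding open {open_days} days "
                           f"(limit {window}): {f.title}")
    return (not reasons, reasons)


# Step 1's starting policy: block only high and very high, no fix windows yet.
STARTING_POLICY = Policy(block_at_or_above="high",
                         required_tools=frozenset({"sast", "sca"}))
# The stricter policy adopted later: fix windows for medium and low,
# and a dynamic scan must also have run before release.
STRICTER_POLICY = Policy(block_at_or_above="high",
                         fix_window_days={"medium": 30, "low": 90},
                         required_tools=frozenset({"sast", "dast", "sca"}))

# Constructed sample findings standing in for normalized scanner output.
BUILD_DATE = date(2018, 1, 5)
SAMPLE_FINDINGS = [
    Finding("sast", "high", date(2018, 1, 2), "SQL injection in report export"),
    Finding("sca", "medium", date(2017, 11, 1), "outdated XML parser dependency"),
    Finding("sast", "low", date(2017, 12, 20), "verbose error page"),
]


def gate(policy, findings=SAMPLE_FINDINGS, tools_run=("sast", "sca"), today=BUILD_DATE):
    """Convenience wrapper a CI step would call; exit non-zero on failure."""
    return evaluate(findings, tools_run, policy, today)


if __name__ == "__main__":
    for name, policy in (("starting", STARTING_POLICY), ("stricter", STRICTER_POLICY)):
        passed, reasons = gate(policy)
        print(f"{name} policy: {'PASS' if passed else 'FAIL'}")
        for reason in reasons:
            print("  -", reason)
```

Run against the sample build, the starting policy fails only on the high-severity SQL injection; once that is fixed the same build passes the starting policy but fails the stricter one, because the medium-severity dependency has been open for 65 days against a 30-day window and no dynamic scan ran. That is the intended shape of the ratchet: the gate gets tighter as the team's scanning habits mature, and each failure message tells the developer exactly which policy clause was violated.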
3. Get processes in place for DevSecOps
A DevSecOps framework requires robust processes tied to metrics and key performance indicators. Measuring security along with traditional metrics like performance helps developers continuously improve secure coding skills. Also consider putting processes in place for how and when developers should escalate issues to the security team.
4. Continue to train up developers
The lack of highly qualified security professionals means developers have to assume more responsibility for security. Yet most developers aren’t trained in security in college, so on-the-job training is essential. Veracode research shows that developers make big improvements in security when they’re given resources like on-demand eLearning, remediation coaching, and scanning tools that allow them to check their code against policy in a private sandbox. You should also look for developers who show an aptitude or interest in security and turn them into security champions, who can help peers improve their secure coding skills and cybersecurity knowledge.
5. Double down on teamwork and community
Bringing together security professionals with developers to meet security goals requires lots of open communication, and avenues to offer feedback and get help. Collaboration tools like HipChat or Slack can help break down communication barriers, and nothing builds trust like a shared pizza or fizzy beverage. Overall, DevSecOps requires a culture that promotes a shared sense of responsibility. To reach DevSecOps, everyone needs to join forces to make security job one.