The importance of application security has increased dramatically over the past couple of years in response to rising threats. Meanwhile, software development is changing fast, with continuous delivery and DevOps adoption continuing to grow. It seems inevitable that we'll be talking more and more in the coming year about securing DevOps and DevSecOps.
As we enter 2018, it’s a good time to talk about what security professionals and developers need to do to prepare for the biggest and most disruptive changes you’ll be seeing next year and for years to come. Here are five ways you can get your developers and AppSec teams ready for DevSecOps.
Now more than ever, it is important to re-evaluate and build new policies that work with, and not against, the developer goal of getting good code out quickly. As the definition of quality code becomes synonymous with secure code, consider ways to align your policies with the adoption of DevSecOps:
The ability to automate security testing requires integration of testing within development tools and processes. Finding code vulnerabilities early requires IDE plugins that deliver instant insights and remediation guidance as problems are introduced. Don't rely on a single solution, but consider a combination of testing technologies, including static, dynamic, and software composition analysis. You also need to ensure your policies align with the security tools and solutions your developers are using to embed security in their development cycle. For instance, do not require a pen test for each release or towards the end of a release cycle.
A DevSecOps framework requires robust processes tied to metrics and key performance indicators. Measuring security along with traditional metrics like performance helps developers continuously improve secure coding skills. Also consider putting processes in place for how and when developers should escalate issues to the security team.
The lack of highly qualified security professionals means developers have to assume more responsibility for security. Yet most developers aren’t trained in security in college, so on-the-job training is essential. Veracode research shows that developers make big improvements in security when they’re given resources like on-demand eLearning, remediation coaching, and scanning tools that allow them to check their code against policy in a private sandbox. You should also look for developers who show an aptitude or interest in security and turn them into security champions, who can help peers improve their secure coding skills and cybersecurity knowledge.
Bringing together security professionals with developers to meet security goals requires lots of open communication, and avenues to offer feedback and get help. Collaboration tools like HipChat or Slack can help break down communication barriers, and nothing builds trust like a shared pizza or fizzy beverage. Overall, DevSecOps requires a culture that promotes a shared sense of responsibility. To reach DevSecOps, everyone needs to join forces to make security job one.