In February, we hosted a virtual summit titled “Assembling the Pieces of the DevSecOps Puzzle.” The goal of the summit was to provide organizations with tools and information to implement a DevSecOps strategy and move it from theory into practice.
During one of the summit’s webinars, Pejman Pourmousa, VP of Program Management at CA Veracode, explained the importance of rethinking AppSec policies in a DevOps organization. With quicker release cycles and developers who want to write good code quickly, old policies won’t work and will most likely hinder development. You need new policies that are integrated throughout the SDLC, up to speed with DevOps, and right-sized to your security requirements.
An AppSec policy should be put in place to "really help get that DevSecOps operational," says Pourmousa. Think about what developers are focused on and what tools and automation they need to meet their goals.
App Remediation Strategies
Once you have established your policy guidelines, consider Pourmousa's policy best practices. The first is to implement achievable compliance: set the bar low at first to promote adoption, then slowly introduce greater stringency once the team has adjusted. For example, to begin, you can institute weekly static scans with no high-severity flaws allowed. Later, when developers feel comfortable with the new procedure, you can increase the testing frequency, lower the severity threshold for disallowed flaws, and broaden the range of testing types.
Second, have customized policies. All apps are not created equal, so different applications will need different policies and levels of stringency. Some may require more frequent testing, both static and dynamic testing, or stricter criteria for allowable flaws. Lastly, have a policy mandate. Although this process will be mostly governed by the security team, work with developers to set a clear compliance requirement before production or going live.
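The phased, per-application policy described above can be expressed as policy-as-code and evaluated as a gate before release. The following is an added example written for this page; it is not Veracode's code or data format. The policy fields, the severity scale, the scan-history records and the application's sample scans are all constructed to illustrate the three practices: a lenient phase-1 policy (weekly static scan, no open high-severity flaws), a tightened phase-2 policy (static and dynamic scans every three days, only low-severity flaws may stay open), and a customized policy for a lower-risk internal tool.

```python
"""Policy-as-code gate for a phased AppSec policy (hypothetical example).

The Policy shape, severity ranks and sample scans below are constructed for
illustration; they are not a Veracode API, policy format or real scan output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Ordered severity scale (constructed); a higher rank is a worse flaw.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass(frozen=True)
class Policy:
    name: str
    max_open_severity: str          # worst severity that may remain open and still pass
    required_scan_types: frozenset  # scan types that must be present, e.g. {"static", "dynamic"}
    max_scan_age_days: int          # freshness requirement, i.e. how often scans must run


@dataclass(frozen=True)
class Finding:
    severity: str
    is_open: bool                   # False once the developer has fixed or mitigated it


@dataclass(frozen=True)
class ScanRun:
    scan_type: str
    completed_at: datetime
    findings: tuple


def latest_scan_per_type(scans: Iterable[ScanRun]) -> dict:
    """Keep only the most recent run of each scan type; older runs are superseded."""
    latest = {}
    for scan in scans:
        current = latest.get(scan.scan_type)
        if current is None or scan.completed_at > current.completed_at:
            latest[scan.scan_type] = scan
    return latest


def evaluate(policy: Policy, scans: Iterable[ScanRun], now: datetime) -> list:
    """Return the list of policy violations; an empty list means the app complies."""
    violations = []
    latest = latest_scan_per_type(scans)

    # 1. Coverage and frequency: every required scan type must exist and be fresh.
    for scan_type in sorted(policy.required_scan_types):
        scan = latest.get(scan_type)
        if scan is None:
            violations.append(f"no {scan_type} scan on record")
        elif now - scan.completed_at > timedelta(days=policy.max_scan_age_days):
            violations.append(f"{scan_type} scan older than {policy.max_scan_age_days} days")

    # 2. Flaw threshold: no open finding may exceed the allowed severity.
    threshold = SEVERITY_RANK[policy.max_open_severity]
    for scan_type in sorted(latest):
        for finding in latest[scan_type].findings:
            if finding.is_open and SEVERITY_RANK[finding.severity] > threshold:
                violations.append(
                    f"{scan_type} scan: open {finding.severity} finding exceeds "
                    f"allowed severity {policy.max_open_severity}"
                )
    return violations


def passes(policy: Policy, scans: Iterable[ScanRun], now: datetime) -> bool:
    """The release gate: True only when there are no violations."""
    return not evaluate(policy, scans, now)


# Phased rollout (constructed values): lenient first to promote adoption, then tightened.
PHASE_1 = Policy("phase-1-adoption", "medium", frozenset({"static"}), 7)
PHASE_2 = Policy("phase-2-tightened", "low", frozenset({"static", "dynamic"}), 3)

# Customized policy for a lower-risk internal application (constructed).
INTERNAL_TOOL = Policy("internal-low-risk", "high", frozenset({"static"}), 30)

# Constructed scan history for one application: the older static run is superseded
# by the newer one, in which the high-severity flaw was fixed but a medium remains open.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_SCANS = (
    ScanRun("static", NOW - timedelta(days=9), (Finding("high", True),)),
    ScanRun("static", NOW - timedelta(days=2),
            (Finding("medium", True), Finding("high", False))),
)

if __name__ == "__main__":
    for policy in (PHASE_1, PHASE_2, INTERNAL_TOOL):
        result = "PASS" if passes(policy, SAMPLE_SCANS, NOW) else evaluate(policy, SAMPLE_SCANS, NOW)
        print(f"{policy.name}: {result}")
```

Run as a script, the sample application passes phase 1 and the internal-tool policy but fails phase 2 on two counts: no dynamic scan exists yet, and the open medium-severity finding exceeds the tightened threshold. Ramping from PHASE_1 to PHASE_2 is then a one-line change in the policy record rather than a change in the gate itself, which is what makes the gradual tightening cheap to operate.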
Now that you understand what AppSec policy is and what should be included, how do you actually implement it? First, establish your goals:
Second, hold a policy workshop to set guidelines surrounding:
Third, stay up to date:
Adjusting to the speed of DevOps and implementing clear, achievable security policies requires thought, teamwork, and monitoring, but successful AppSec policies reduce cost, increase speed to market, and allow organizations to produce more secure, quality code.
Watch the complete AppSec Policies in a DevOps World session.