Securing any development methodology – whether Waterfall, Agile or DevOps – requires changes to culture, process, and technology. But unlike the linear flow of Waterfall, where security testing typically arrives as a late-stage gate, it's less clear where security fits in Agile and DevOps.
As Securosis analyst Adrian Lane points out, Agile development includes "whatever work gets done in a sprint and does not bend to security, so you need to bend security to fit Agile." Likewise, moving from DevOps to DevSecOps requires processes that incorporate security throughout the development lifecycle. In this blog post, we present some strategies for integrating security within your DevOps process, offered by CA Veracode expert Colin Domoney.
DevOps guru Gene Kim's "Three Ways" of DevOps (flow, amplified feedback loops, and continual experimentation and learning) encourage team autonomy, with high levels of communication, responsibility, accountability, and continuous learning. In a DevSecOps context that means processes must build strong feedback loops between development and security teams, not just between development and operations.
Code reviews boost developer learning and accountability, promote transparency, and reduce the risk of deploying bad code to production. Security champions within your development teams can lead these efforts.
Security exercises like capture the flag and red team/blue team competitions are fun ways to expose vulnerabilities and build a culture of security awareness. Friendly competitions can be motivating and encourage knowledge-sharing within and between teams.
Shorter feedback loops don't happen on their own – you need telemetry and metrics. Measuring security (for example, open flaws per build by severity, flaws introduced versus fixed per sprint, and time to remediate) alongside traditional metrics like performance gives developers the concrete feedback they need to continuously improve their secure coding skills.
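To make this concrete, here is an added example (not code from the original post, and not Veracode's tooling) of the kind of telemetry a pipeline can derive from successive scan results: it diffs each build's findings against the previous build to count new and fixed flaws, computes mean time to remediate, and applies a simple policy gate that fails a build introducing new high-severity findings. The scan history, the fingerprint scheme and the severity labels are constructed for illustration; in practice the fingerprint would be whatever stable flaw identifier your scanner emits.

```python
"""Security telemetry from scan results: per-build KPIs plus a policy gate.

All sample data below is constructed for illustration; the Finding/ScanResult
shapes are assumptions, not a real scanner's output format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    fingerprint: str  # assumed stable ID for one flaw across builds (e.g. hash of rule+file+symbol)
    severity: str     # "high", "medium" or "low"
    rule: str         # CWE or rule name, informational only


@dataclass
class ScanResult:
    build: str
    timestamp: datetime
    findings: List[Finding]


# Constructed scan history: three builds in which one flaw is fixed and one is introduced.
T0 = datetime(2018, 3, 1, 9, 0)
SCAN_HISTORY: List[ScanResult] = [
    ScanResult("build-101", T0, [
        Finding("f-sqli-01", "high", "CWE-89"),
        Finding("f-xss-02", "medium", "CWE-79"),
    ]),
    ScanResult("build-102", T0 + timedelta(days=2), [
        Finding("f-sqli-01", "high", "CWE-89"),          # still open
        Finding("f-xss-02", "medium", "CWE-79"),
        Finding("f-hardcoded-03", "high", "CWE-798"),    # newly introduced
    ]),
    ScanResult("build-103", T0 + timedelta(days=5), [
        Finding("f-xss-02", "medium", "CWE-79"),         # f-sqli-01 is gone: fixed
        Finding("f-hardcoded-03", "high", "CWE-798"),
    ]),
]


@dataclass
class BuildMetrics:
    build: str
    open_by_severity: Dict[str, int]
    new_fingerprints: List[str]    # present now, absent in the previous build
    fixed_fingerprints: List[str]  # present in the previous build, absent now


def diff_builds(prev: Optional[ScanResult], cur: ScanResult) -> BuildMetrics:
    """Compare one scan against its predecessor (None for the first build)."""
    prev_fps = {f.fingerprint for f in prev.findings} if prev else set()
    cur_fps = {f.fingerprint for f in cur.findings}
    by_sev: Dict[str, int] = {}
    for f in cur.findings:
        by_sev[f.severity] = by_sev.get(f.severity, 0) + 1
    return BuildMetrics(cur.build, by_sev, sorted(cur_fps - prev_fps), sorted(prev_fps - cur_fps))


def compute_metrics(history: List[ScanResult]) -> List[BuildMetrics]:
    """Per-build metrics for the whole history, in build order."""
    out: List[BuildMetrics] = []
    prev: Optional[ScanResult] = None
    for scan in history:
        out.append(diff_builds(prev, scan))
        prev = scan
    return out


def mean_time_to_remediate_days(history: List[ScanResult]) -> Optional[float]:
    """Mean days from a flaw's first sighting to the first build in which it is absent.

    Returns None when nothing has been fixed yet, so callers can distinguish
    'no data' from a genuine zero.
    """
    first_seen: Dict[str, datetime] = {}
    durations: List[float] = []
    prev_fps: set = set()
    for scan in history:
        cur_fps = {f.fingerprint for f in scan.findings}
        for fp in cur_fps:
            first_seen.setdefault(fp, scan.timestamp)
        for fp in prev_fps - cur_fps:
            durations.append((scan.timestamp - first_seen[fp]).total_seconds() / 86400)
        prev_fps = cur_fps
    return mean(durations) if durations else None


def gate(metrics: List[BuildMetrics], history: List[ScanResult],
         max_new_high: int = 0) -> Tuple[bool, List[str]]:
    """Policy gate for the latest build: pass only if it introduced at most
    max_new_high new high-severity findings. Returns (passed, offending fingerprints)."""
    latest = metrics[-1]
    severity_of = {f.fingerprint: f.severity for f in history[-1].findings}
    new_high = [fp for fp in latest.new_fingerprints if severity_of[fp] == "high"]
    return len(new_high) <= max_new_high, new_high


if __name__ == "__main__":
    for m in compute_metrics(SCAN_HISTORY):
        print(m.build, "open:", m.open_by_severity, "new:", m.new_fingerprints, "fixed:", m.fixed_fingerprints)
    print("MTTR (days):", mean_time_to_remediate_days(SCAN_HISTORY))
    print("gate:", gate(compute_metrics(SCAN_HISTORY), SCAN_HISTORY))
```

Gating on *new* findings rather than total open count is deliberate: it lets a team adopt the gate on a codebase with existing debt without blocking every build, while still stopping the backlog from growing. The same per-build numbers, pushed to whatever dashboard already shows performance metrics, are the telemetry the paragraph above calls for.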
Plan for failure as well: developers should know how to roll back to a previous version if a serious problem occurs, and canary releases to a limited set of customers can surface problems before they reach everyone. Also define a clear policy for how and when developers escalate issues to the security team.
A DevSecOps framework requires robust processes tied to metrics and key performance indicators, along with the right technologies for automating security, and a culture of security. Get more best practices for making the transition to DevOps and DevSecOps in our Developer's Guide to the DevSecOps Galaxy.