The goal of DevSecOps is to build a bridge between fast and secure software development. Some in the DevOps and AppSec universe maintain that the primary foundations of a DevOps or DevSecOps initiative are the right mindset about quality, and processes that support continuous improvement and learning at velocity.
Yet you cannot achieve DevSecOps without the right technologies for integrating security throughout the software lifecycle. The Developer's Guide to the DevSecOps Galaxy explores several strategies for transforming your culture, processes, and technology to build security into DevOps. Let's look at six tips for transforming technology.
1. Automate security
The ability to automate security testing through scripting, static and dynamic analysis, composition analysis, and integration of testing within existing tools and processes goes a long way toward identifying flaws early in the lifecycle and speeding up the delivery of secure code.
2. Detect security flaws early
DevSecOps assumes that it’s wise to fail at the developer’s desktop rather than on the customer’s laptop or smartphone. Finding code vulnerabilities early requires IDE plugins that deliver instant insights and remediation guidance as problems are introduced.
3. Break the build
Introducing a security gate in a DevOps build process means that tools can block a release. As a result, they must be configured properly. You also must define and document the exception process because there are essentially two options: Go back and fix the problem — potentially delaying the release — or accept the risk and push out the release. Don’t wait to document the exception process until the first time you need it.
4. Don’t accept high false-positive rates
Achieving an effective “break the build” approach requires technology that can deliver valid findings via reports and dashboards, creating operational visibility. Keeping false positives low allows development teams to trust that security tools won’t create additional work for them — otherwise, they’ll start distrusting and working around them.
5. Use composition analysis
Composition analysis tools can scan entire applications and open source components to ensure development teams aren’t inadvertently including code with known vulnerabilities. In addition, composition analysis allows you to build an inventory of the components you’re using, so it’s easier to locate and update them when a vulnerability is disclosed. The March 2017 disclosure of a critical vulnerability in Apache Struts 2 left many organizations scrambling — if they even knew they had vulnerable versions of the component — as attackers began exploiting Struts 2 almost immediately.
6. Emphasize orchestration
Today, it’s possible to spin up computing power through the cloud, grab code from online libraries, and use automated tools to speed software development. As almost everything, including infrastructure, becomes code, finding and eliminating vulnerabilities is mission critical. Recognize that all systems are prone to bugs and errors. You need to "orchestrate" code and systems during rapid spin-ups and shut-downs.
Getting to DevSecOps
Along with the right technology, a DevSecOps framework requires robust processes tied to metrics and key performance indicators, and a culture of security. Learn more best practices for making the transition to DevOps and DevSecOps in our Developer's Guide to the DevSecOps Galaxy.