DevOps is not new, and it means something different to almost every business. What is undisputed is that DevOps aims to bring development and operations teams closer together to ship more reliable software faster.
But importantly, DevOps does not specify how and when to integrate cyber security into the development process.
About the Author
Nigel Abbott is the regional director of North EMEA at GitHub.
Even in DevOps, security usually happens at the end of software development, the last box to tick before going into production. Developers typically focus on the engineering side of development, leaving security to a separate team of experts. Working in these silos slows development down. For application security to keep pace with business innovation, we need to fundamentally change how we think about the role of security within the development cycle.
Enter DevSecOps. Building security into every process is the surest way to integrate it into your development. That may not sound like a radical change, but it requires a fundamental cultural shift that breaks the status quo of the current process. And the benefits are immense.
By making security a shared responsibility, you build it into your development process. More reliable software ships faster. And the knock-on effect is a dramatic increase in an organization’s ability to innovate quickly.
But let’s take a step back. How do you create an environment for DevSecOps to flourish?
DevSecOps is changing how DevOps teams think about and adopt security as part of their software development lifecycle. It aims to make everyone involved in the application lifecycle accountable for security. In practice, this means shifting security testing and reviews to the left and embedding them in each phase of software development.
Yes, DevSecOps was introduced with the goal of mitigating vulnerabilities, but it is also about relieving security teams that are often overloaded and overstretched. It is no secret that people with security expertise are scarce and cannot tackle every issue on their own: developers are estimated to outnumber security researchers by more than 500 to 1. By spreading knowledge and tools, developers can take care of common issues and let security professionals focus their time where it is needed most.
When building an application, the development team has traditionally spent a lot of time at the end of the cycle verifying that the application is completely secure. The goal of DevSecOps is to give teams a better set of resources for meeting security requirements, with consistency, reproducibility and continuous feedback throughout the development process, and the ability to respond quickly when a problem is found.
Security controls and feedback need to shift to the left of the development lifecycle so that development teams can address security issues themselves. With a developer-first approach, developers identify and fix vulnerabilities as soon as they are discovered, so they never reach production. There is no formal standard for DevSecOps practices, but there are recommendations on how to make effective changes that bring security practices into the software development lifecycle.
A good place to start is to reset the assumptions of both the development and security teams away from “us versus them” and to facilitate day-to-day collaboration between the two. This does not have to feel or look like a big change. It can be as simple as integrating mandatory security checks into code reviews, or as ambitious as building integrated workflows for processes such as application security and CI/CD, which are typically siloed.
By making these small or large changes to improve collaboration, you will see trust between the two teams grow. That trust determines not only when and where vulnerabilities get fixed, but also which ones to prioritize, who can address them effectively, and why they need to be addressed first. All issues are important, but some are more important than others.
When Facebook added high-quality static analysis to developer workflows, the fix rate reached an unprecedented 70%. But when the same bugs were presented to developers outside the workflow, as a list of problems to fix, the fix rate was effectively zero. This shows the importance of prioritizing specific issues and surfacing bugs where they will have the most impact; it also means the number of problems that actually get fixed grows over time. And raising an issue early lets the developer fix it as part of the build rather than treating it as the last thing before release.
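As an added example (not code from the original article or from GitHub) of the two ideas above, mandatory security checks inside code review and static analysis delivered in the developer's workflow rather than as a batch list: a GitHub Actions workflow that runs CodeQL on every pull request, so findings appear as annotations on the diff under review. The repository language (Python), the default branch name (main) and the chosen query suite are assumptions for the illustration.

```yaml
# Added example, not the article's or GitHub's own configuration.
# Runs CodeQL static analysis on each pull request so results land in the
# review itself. Language (python), branch (main) and query suite are assumed.
name: security-review

on:
  pull_request:
    branches: [main]
  # A scheduled run still has value for code nobody is touching, but on its
  # own (with no pull_request trigger) it only produces the out-of-workflow
  # list of findings that the article reports developers do not act on.
  schedule:
    - cron: "0 6 * * 1"

permissions:
  contents: read
  security-events: write   # required to upload results to code scanning
  actions: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python
          # Assumed suite: start with the default and widen it only once the
          # security team has reviewed the signal-to-noise ratio.
          queries: security-extended

      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:python"
```

To turn the check from advisory into mandatory, add the `codeql` job as a required status check in the branch protection rule for `main`; a pull request then cannot merge while the analysis fails, which is the "mandatory security check in code review" the article describes without a separate gate at the end of the cycle.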
To deploy DevSecOps effectively, you need to quickly break the bad but common habits of your current software process. Teams also need to find new ways to work and collaborate. The easiest first step is to take stock of the tools developers already use and have the security team review them, so that both sides are working with tools they really trust. As part of that review, find out where tool integration makes the most sense. Bringing the tools of both teams together gives a better view of where action is needed and the best way to take it. A shared pipeline makes it easier for the team to find and resolve problems faster.
DevSecOps brings all the DevOps best practices you need to build the security organization you need, along with high-performing teams. Implementing it well is not a matter of checking a box by buying a new tool that promises more efficiency. DevSecOps is the primary route to rapidly accelerating the pace of innovation in an organization.