DevOps has redefined the way organisations handle software development and delivery. But it’s also challenging security professionals in their efforts to manage risks.
To practise DevOps securely, you must avoid treating security as a silo. Integrate security into your high-frequency development cycles. Collaborate closely with security experts to make your systems secure by default, instead of having threats and vulnerabilities discovered just before delivery.
Fortunately, there is a growing consensus that bolting on security to software and systems after they have been designed and deployed really doesn’t work. As a result, the cultural shift-left movement of DevSecOps, which emphasises ‘building security in,’ has gained traction.
Here are some expert recommendations on what to do and also what to avoid when implementing DevSecOps in your organisation:
1. Consider security a priority at the planning phase
Security must begin at the planning stage, before a single line of code has even been developed. Vulnerabilities discovered in the later stages of development are usually significantly more difficult and expensive to address than the ones found earlier. The key here is to consider security at the very start.
User stories need to go beyond basic feature-based descriptions to also include:
- Security and performance
- Acceptance test criteria
- UI/UX designs
- Threat-defense models
2. Automate security tests
Automation is an essential tenet of DevOps, and DevSecOps is no different. Automated security tests allow you to keep pace with high-speed development cycles, while ensuring that each change meets security standards, without giving rise to any new vulnerabilities or risks.
Security controls and tests need to be integrated early and everywhere in the development lifecycle, from source-code analysis through integration and post-deployment monitoring. Strong testing practices should include unit, front-end, back-end, API, database, and passive security testing (testing during development that does not interact directly with the target system).
Where possible, tests must run on the source code (static analysis) as well as compiled or interpreted code. Also consider integrating dynamic application security testing (DAST) into your software development lifecycle. Unlike static analysis, which looks for potential security issues in the code itself, DAST focuses on detecting vulnerabilities in real time, while the application runs.
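One way to enforce the "no new vulnerabilities" standard on every change is a differential gate in the pipeline. The script below is an added example, not code from the article: it compares a scanner's SARIF output for the current change against a stored baseline and fails the build only on new findings at or above a chosen level, so existing technical debt is reported without stalling releases. The SARIF fragments, rule names and file paths are constructed sample data.

```python
"""Differential security gate for a CI pipeline (added example, not from the article).
Assumes scanner output in SARIF 2.1.0, which most SAST and DAST tools can emit;
the baseline and current results below are constructed sample data."""

# SARIF result levels, ordered so they can be compared against a threshold
SEVERITY = {"error": 3, "warning": 2, "note": 1, "none": 0}

def fingerprints(sarif):
    """Map each finding to a (ruleId, file, line) key so runs can be compared."""
    found = {}
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            locs = res.get("locations") or [{}]
            phys = locs[0].get("physicalLocation", {})
            key = (res.get("ruleId"),
                   phys.get("artifactLocation", {}).get("uri"),
                   phys.get("region", {}).get("startLine"))
            found[key] = res.get("level", "warning")  # SARIF default level
    return found

def gate(baseline, current, fail_at="error"):
    """Return (passed, new_findings). Only findings absent from the baseline and at
    or above fail_at block the change; known debt is surfaced but not blocking."""
    base = fingerprints(baseline)
    new = {k: lvl for k, lvl in fingerprints(current).items() if k not in base}
    blocking = [k for k, lvl in new.items() if SEVERITY[lvl] >= SEVERITY[fail_at]]
    return (not blocking), new

def _result(rule, uri, line, level):
    """Build one minimal SARIF result object (helper for the constructed samples)."""
    return {"ruleId": rule, "level": level, "message": {"text": rule},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                 "region": {"startLine": line}}}]}

# Constructed baseline: one issue the team already knows about
BASELINE = {"version": "2.1.0", "runs": [{"results": [
    _result("py/sql-injection", "app/db.py", 42, "error")]}]}
# Constructed current scan: the known issue plus two findings introduced by this change
CURRENT = {"version": "2.1.0", "runs": [{"results": [
    _result("py/sql-injection", "app/db.py", 42, "error"),
    _result("py/hardcoded-credentials", "app/config.py", 7, "error"),
    _result("py/unused-import", "app/util.py", 1, "note")]}]}

if __name__ == "__main__":
    passed, new = gate(BASELINE, CURRENT)
    for (rule, uri, line), level in new.items():
        print(f"NEW {level.upper():7} {uri}:{line} {rule}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Promote the current results to the new baseline only after the gate passes, so accepted findings cannot silently grow the exemption list.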
3. Implement secure coding practices
The best way to prevent vulnerabilities is never to code them in in the first place. Every line of code must be written with robust security in mind.
Organisations must carefully train their developers on secure coding practices (both initial and ongoing) and invest significant time, money, and resources into ensuring they can do those tasks well. Without this investment and education, efforts at embedding security into the DevOps lifecycle will fail before they even begin.
Establish clear communication channels to ensure that security experts are available at every stage and can provide support to developers whenever necessary.
It’s also critical that security specialists are given adequate time and incentives to make security training a priority at the coding level. One way to ensure this is by incorporating training and education into team and individual job descriptions and KPIs. Create reward structures that incentivise security experts to help developers code secure software, right from the start.
There will likely be a natural hesitancy from dev, ops, or DevOps teams to welcome security professionals into their “way of doing things,” and vice versa. You can counter this by offering to provide visibility and monitoring services, and demonstrating that security can keep pace with the speed with which development teams work and make sure that the development pipeline runs smoothly. Dev and security need to smoothly collaborate to map processes together and identify opportunities to bolster security, without compromising agility or disrupting the development workflow.
4. Understand that DevSecOps is a big cultural change
Adopting a DevSecOps approach is inevitably a huge undertaking for most organisations. It’s vital that you’re empathetic to just how big of a cultural transition it can be. One of the biggest challenges is simply ensuring buy-in from all stakeholders. Development, operations, and security teams often function in their isolated silos with their own agendas and sets of tasks.
To build sustainable DevSecOps processes, it’s imperative to create a persistent security culture. Traditional security cultures struggle to share information across the organisation and can be inclined to just say ‘no’. If you try to approach DevSecOps from a traditional security perspective, the velocity and cadence of your releases will stall.
Instead, the focus should be on creating a diverse working environment that values open collaboration and problem-solving, a fail-fast approach, and continuous improvement. Security must understand the engineering process and tools that enable DevOps teams to move nimbly before contributing. Many security teams fail simply because they bring current rigid security practices over to the development team, and then expect them to change how they develop code. It is therefore important to align your security practices with your development workflow in a collaborative fashion, thereby avoiding the risk of compromising either development velocity or essential security standards.
The transition to DevSecOps needs a large amount of rethinking of development processes—by C-level execs as well as engineers. Teams already using DevOps principles are at least halfway there. DevSecOps simply takes the next logical step of integrating security with software design, development, and maintenance. Use secure coding best practices and test automation (essentially a fail-fast approach) rather than bolting security on later in the cycle, as has been the case with waterfall models.
Ultimately, getting DevSecOps right is about built-in security, open collaboration between teams, and a cultural transition. Move towards placing a greater importance on security as a wider organisational issue. Expect your strategy to mature over time and don’t spend too much time focusing on perfection—an approach of continuous improvement is a key component of building a DevSecOps mindset.