DevSecOps: embrace a ‘shift-left’ approach to put security first

If you're still trying to get your head around what DevSecOps is and how it works, we suggest starting with our DevSecOps fundamentals blog. And if you do know what sets DevSecOps apart from DevOps, and you’re taking steps to put it into practice, you also know that DevSecOps is not a quick fix.

Wherever you’re at on your DevSecOps journey, success requires significant cultural change across your organisation. That means addressing the three key components that make work happen: people, processes, and technology. In this blog, we’ll take a look at each in turn and give you an overview of what needs to change to ensure best practice.

Why are DevSecOps practices so important?

It's not enough to just say you're putting DevSecOps practices in place for security to be prioritised and amplified in your organisation. For it to take centre stage, everyone needs to be responsible and held accountable. Your software development lifecycle (SDLC) needs to be rebuilt with security in its foundations. This can only happen if the organisation embraces DevSecOps practices. 

Reassessing and reframing your approach to people, processes, and technology around security ensures your software is SAFe® and suitable for your users. Security breaches can have a serious impact on your business–from loss of IP and revenue to reputational damage. DevSecOps practices significantly mitigate the chances of a breach occurring and help ensure the right steps are taken quickly when issues arise. 

People practices

Your people are the most important asset you have, which is why their inclusion in your DevSecOps strategy is paramount. Doing DevSecOps will challenge the way many of your teams work, setting aside a traditional approach for a security-first outlook. For a successful transition, you need to get buy-in from the people who will be impacted. That means a top-down approach, where everyone is on the same page and encouraged to be involved from the start. Here are a few specific practices to focus on. 

Collaboration

Traditionally, developers, operations, and security professionals are stuck in their silos, each seeing the other as problematic. Working this way means security and engineering teams can’t scale with the speed needed, and efforts will be duplicated because of poor communication. DevSecOps is all about bringing these teams together for a more collaborative approach. 

One way of keeping a dialogue going is by installing a security champion in each team. These people are there to emphasise the importance of security, liaise with other teams about security issues, and make decisions about how to address them, fostering collaboration across the organisation.

Skills

Invest in your people so they have the awareness, skills, and expert knowledge they need to help your DevSecOps strategy soar. That means good quality training rooted in your security goals for all existing staff and new hires. It can be carried out by in-house security specialists or external expert trainers. 

Culture

DevSecOps does away with a single security team – the kind that ends up being a blocker and, as a result, is maligned and misunderstood by the rest of the business. Instead, it puts the onus on everyone at each stage of the SDLC to ensure security is front and centre when decisions get made.

Process practices

To enable your people to thrive, you need good processes in place. Otherwise, with all the good intentions in the world, DevSecOps will fail to take off. By implementing common processes across the organisation–rather than siloed ones adopted haphazardly by different teams–you can secure your SDLC and achieve the collaborative culture you’re aiming for. Here are some processes to help get you there.

Automation

You’ve probably already seen the benefits of automation with DevOps, so introducing it into your security efforts should feel like a natural progression. Automation will enable you to introduce controls and testing early and often, ensure compliance, and implement effective version control to aid recovery. It means you can meet the demands of code delivery without compromising on security–particularly important if you're pushing code to production every day or even more frequently. 

'Shift left’

DevSecOps helps create a secure workstream at every stage of the SDLC. ‘Shifting left’ is focused on integrating security at the earliest stage possible, ideally planning and requirement definition. By implementing security policies from the start, rather than relegating them to the end, you’ll keep costly mistakes to a minimum. 

Setting standards

Setting and maintaining strict coding standards will help you spot issues much earlier. Any changes that are made to code, no matter how small, should be checked against your recommendations. And standards should be regularly assessed to ensure they take any new security threats or needs into consideration.

Technology practices

Successful DevSecOps flow relies on integrating a number of tools, building security in without slowing down development. But with so many to choose from–and so many vendors claiming cure-all solutions–it can be hard to know where to start. While a single tool won't do everything, it’s worth understanding a few key practices that underpin most DevSecOps technology.

Automation

From tools that automatically trigger security tests every time a developer commits or merges their code to runtime application self-protection (RASP), which identifies and blocks inbound security threats, automation is an intrinsic part of most DevSecOps technology. You should leverage the time-saving and accuracy benefits of automatic tools to your advantage, helping to speed up security processes and avoid human error.

Testing

DevSecOps tools that carry out scans, audits, and tests through the SDLC ensure that security is part of a product’s DNA, rather than applied retroactively. Here are a few of the most common types:

• Static application security testing (SAST) is a mature tool that scans the source code repository to identify vulnerabilities. While scans can take a long time, it allows for early detection and can scale easily with your development team.
• Dynamic application scanning tools (DAST) scan staging and production sites to detect live application flows, such as user authentication and SQL injection. These are easy-to-use tools that allow for simple validation.
• Interaction application security testing (IAST) is a more recent technology that mixes SAST and DAST to provide results in real-time. Ideal for QA testing, these tools integrate seamlessly into your CI/CD pipeline.
• RASP, mentioned above, analyses user traffic and behavioural patterns to prevent attacks. It’s an extra layer of security that should be applied to a securely coded application or website.

Auditing

Automation and testing are supported by regular auditing–making sure your assets meet an internally certified security level. Auditing tools are used pre-deployment, checks triggered when target code is changed, and post-deployment, triggered by changes to policy as well as code.

Pre-deployment auditing engages security teams early on. It relies on pre-defined templates and can be applied to infrastructure as code too, ensuring your infrastructure is as compliant as your software. Post-deployment auditing is a second line of defence, checking your pre-deployment security level has been maintained.

Secure your pipeline’s future

From people and processes to the technology you choose, DevSecOps practices impact every part of your organisation for a complete transformation of how you approach and implement security. Wholly embracing these practices will give your DevSecOps strategy a much greater chance of success, while helping you build more secure software for your users.

Interested in implementing DevSecOps but aren’t sure where to start? Speak to our expert team to find out how we can help.