As more and more businesses embrace the digital age, there is a need for continuous improvement in Information Technology. But one of the biggest challenges is getting information security to adapt to development processes and tools, rather than the other way around.
Whether an organization uses DevOps or not, it is equally responsible for producing secure and compliant code in application development. Integrating security into DevOps, however, means changing not just processes and technology, but mindsets as well.
In order for DevSecOps to be seamless, SRM (Security and Risk Management) leaders need to align with the core nature of DevOps, which combines collaboration and agility.
From 2016 to 2017, Gartner saw a fast-growing interest from clients in the areas of how to deliver DevSecOps and how to integrate security into DevOps.
From analyzing successful DevSecOps initiatives and conversations with clients, Gartner concluded that the following 10 areas need to be given priority in order to implement DevSecOps:
1) Security testing tools and processes need to adapt to developers, not the other way around.
The idea is to integrate security as a continuous part of the development process. This can’t be done by forcing DevOps developers to adopt the old processes of information security. Since information security professionals have always been accustomed to having developers conform to their process, a change in mindset is required for things to turn around. But this is what makes the “Sec” in DevSecOps silent: security that happens inside the developers’ own workflow rather than as a separate gate.
2) Recognizing that it is impossible to eliminate all vulnerabilities in the development stage.
Any attempt at perfect security will only hamper the speed and agility of developers. False positives and false negatives from vulnerability scanning end up wasting a lot of time that would otherwise have been spent moving development forward. Instead, it is better to implement run-time protection controls, which don’t try to eliminate every possible vulnerability but can be viewed as an integrated part of DevSecOps.
3) DevSecOps needs to first focus on eliminating critical vulnerabilities that are easy to identify.
Since most developers rely heavily on prebuilt components, containers, frameworks, and libraries, security scanning can focus on removing known vulnerabilities from such elements before they even enter the production line.
4) Identify vulnerabilities in custom code.
While identifying vulnerabilities in known code is a task in its own right, finding them in custom code is another challenge. SRM leaders need to make sure they scan for unknown vulnerabilities by tweaking or replacing the traditional testing solutions. One can’t expect to rely on traditional static and dynamic testing tools without any changes.
5) Train developers on the basics of security
Though a developer may never become a security expert, some knowledge of the subject would help them keep security in mind while they develop. Such training helps them identify basic security issues and flaws during the development stage, and it puts them in a better position to collaborate effectively with the security team.
DID YOU KNOW - According to Analytical Research Cognizance, the global DevSecOps market is expected to grow at a CAGR of 33.7% during the forecast period 2017-2023. The rising security breaches, awareness about DevSecOps platforms, need for improving SDLC by reducing the time wasted, and the increasing investment activities have led to the demand for DevSecOps. (Source)
6) Use a Security Champion Model
This would grant your organization an individual who will act as an expert and advisor. Such an advisor can spot potential design and implementation issues early on. These security champions can reduce the complexity of security in coding by providing immediate remedies.
7) Cut off vulnerabilities at the source
We know that developers use a number of components, frameworks, and libraries to build nearly 50-60% of the code. Rather than wait for any vulnerabilities to be introduced and then scanned, why not block these from ever entering the code?
For some organizations, the risk associated with developers downloading code directly from the internet is too high. In these cases, the download is blocked right at the source. For others, developers may be restricted to managed code repositories such as GitHub.
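Points 3 and 7 both come down to one gate in the pipeline: known-vulnerable prebuilt components are rejected before they reach a build, and dependencies may only come from an approved source rather than from arbitrary internet downloads. The following is an added example of such a gate for a Python project, written for this page; it is not Gartner's or any vendor's tool. The advisory list, the approved index URL, the package names and the requirements file are all constructed for the illustration (the advisory ids are placeholders, not real CVEs).

```python
"""Dependency gate for a CI stage (added illustration, not from the article).

Every value below is constructed for the example: the advisory list is NOT a
real vulnerability database, the index URL and package names are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed advisory feed: package -> list of (first fixed version, advisory id).
# Any version below the fixed one is treated as affected. Placeholder ids only.
KNOWN_VULNERABLE = {
    "examplelib": [("2.4.1", "ADVISORY-PLACEHOLDER-001")],
    "fastparse": [("0.9.0", "ADVISORY-PLACEHOLDER-002"), ("1.2.3", "ADVISORY-PLACEHOLDER-003")],
}

# Constructed approved package index (point 7: no direct downloads from the internet).
APPROVED_INDEX = "https://packages.example.internal/simple"

# Only exact pins are accepted, so the scanned version is the version that ships.
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)\s*$")


@dataclass(frozen=True)
class Violation:
    line: int
    text: str
    reason: str


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the constructed feed above."""
    return tuple(int(p) for p in v.split(".") if p != "")


def check_requirements(text: str) -> list[Violation]:
    """Return one Violation per offending line; an empty list means the gate passes."""
    violations: list[Violation] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("--index-url", "-i ")):
            url = line.split(None, 1)[1].strip() if " " in line else ""
            if url != APPROVED_INDEX:
                violations.append(Violation(lineno, raw, f"package index {url!r} is not the approved index"))
            continue
        if "://" in line or line.startswith(("-e", "git+")):
            violations.append(Violation(lineno, raw, "direct URL/VCS dependency is not allowed"))
            continue
        m = REQ_LINE.match(line)
        if not m:
            violations.append(Violation(lineno, raw, "dependency must be pinned with =="))
            continue
        name, version = m.group(1).lower(), m.group(2)
        for fixed, advisory in KNOWN_VULNERABLE.get(name, []):
            if parse_version(version) < parse_version(fixed):
                violations.append(Violation(lineno, raw, f"{name} {version} affected by {advisory}; upgrade to >= {fixed}"))
    return violations


# Constructed requirements file: lines 2, 4 and 5 should be rejected.
SAMPLE_REQUIREMENTS = """\
--index-url https://packages.example.internal/simple
examplelib==2.3.0
fastparse==1.2.3
requests>=2.0
git+https://example.invalid/someone/tool.git
"""

if __name__ == "__main__":
    found = check_requirements(SAMPLE_REQUIREMENTS)
    for v in found:
        print(f"line {v.line}: {v.reason}")
    # A non-zero exit code makes the CI stage fail closed.
    raise SystemExit(1 if found else 0)
```

Running the gate as an early CI stage (before any package is installed) is what moves the check "before they even enter the production line"; the same structure applies to a lockfile for any other ecosystem, with the advisory feed replaced by the organization's real one.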
8) Have Operational Discipline in Automated Scripts
Infrastructure and the runtime platform must not be left out of these controlled disciplines. Source code controls should apply to the infrastructure as well, including version control on all software-defined items. Having these controls in place ensures that the correct version of a script is the one that actually runs.
9) Maintain Version Control in all disciplines
Throughout the development of the app, any organization should use good source code version control. Capturing every detail of a change is vital in high-velocity environments: what was changed, who changed it, when it was changed, any authorizations granted, and so on. This comes in handy when trying to identify where the risks and vulnerabilities in the code came from.
10) Implementing Immutable Infrastructure
If nobody is able to make changes directly on the production systems, the infrastructure is said to be immutable. If changes are needed, they are made back in development and then rolled out by automated tools. In DevSecOps, an immutable infrastructure mindset can proactively advance and improve security.
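Points 8, 9 and 10 describe one control from three angles: infrastructure scripts live in version control, the pipeline runs only the exact version that was committed, and a production host that has been changed by hand is treated as a defect to be rebuilt, not a state to be patched. The following is an added example of the pipeline-side check that enforces this, written for this page and not taken from the article or from any tool. The manifest, the committed scripts and the "observed on host" copies are all constructed in memory; a real pipeline would derive the manifest from the repository at release time and collect the observed files from the host.

```python
"""Pinned-version check for infrastructure scripts (added illustration, not from the article).

The manifest records, for each script under version control, the version tag and the
SHA-256 of the committed content. Before anything is applied, every script found on the
target is compared against it: a hand-edited script is "drift", a script that was never
committed is "unpinned", and in either case nothing is applied.
All scripts and host contents below are constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Manifest:
    """What version control says should be running: script name -> (version, sha256)."""
    pins: dict[str, tuple[str, str]] = field(default_factory=dict)

    @classmethod
    def from_sources(cls, sources: dict[str, tuple[str, bytes]]) -> "Manifest":
        # Built in CI from the committed files, so the pins cannot be edited on a host.
        return cls({name: (ver, sha256_hex(body)) for name, (ver, body) in sources.items()})


@dataclass
class Finding:
    script: str
    status: str   # one of "ok", "drift", "unpinned", "missing"
    detail: str = ""


def audit(manifest: Manifest, observed: dict[str, bytes]) -> list[Finding]:
    """Compare scripts found on a host (name -> content) with the committed manifest."""
    findings: list[Finding] = []
    for name, body in sorted(observed.items()):
        if name not in manifest.pins:
            findings.append(Finding(name, "unpinned", "not recorded in version control; refuse to run"))
            continue
        version, pinned = manifest.pins[name]
        actual = sha256_hex(body)
        if actual != pinned:
            findings.append(Finding(name, "drift", f"content differs from pinned {version} "
                                                   f"({pinned[:12]}... vs {actual[:12]}...)"))
        else:
            findings.append(Finding(name, "ok", f"matches pinned {version}"))
    for name in sorted(set(manifest.pins) - set(observed)):
        findings.append(Finding(name, "missing", "pinned in manifest but absent from host"))
    return findings


def release_ok(findings: list[Finding]) -> bool:
    """Immutable-infrastructure rule: apply nothing unless every script is exactly as committed."""
    return all(f.status == "ok" for f in findings)


# Constructed repository state at release time (script name -> (version tag, content)).
COMMITTED = {
    "provision-web.sh": ("v1.4.0", b"#!/bin/sh\nset -eu\napt-get install -y nginx\n"),
    "harden-sshd.sh": ("v2.0.1", b"#!/bin/sh\nset -eu\n"
                                 b"sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config\n"),
}
MANIFEST = Manifest.from_sources(COMMITTED)

# Constructed state observed on a production host: one script edited by hand, one added by hand.
OBSERVED_ON_HOST = {
    "provision-web.sh": COMMITTED["provision-web.sh"][1],
    "harden-sshd.sh": b"#!/bin/sh\nset -eu\n# changed on the box during an incident\n"
                      b"sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config\n",
    "hotfix.sh": b"#!/bin/sh\nrm -rf /var/cache/app\n",
}

if __name__ == "__main__":
    results = audit(MANIFEST, OBSERVED_ON_HOST)
    for f in results:
        print(f"{f.script}: {f.status} - {f.detail}")
    print("release allowed:", release_ok(results))
```

The useful property is that the audit trail the text asks for in point 9 (what changed, and in which version) falls out of the manifest diff between two releases, while the drift and unpinned findings are exactly the hand changes that an immutable-infrastructure policy says should never exist on a production host.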
These strategies can help overcome the hurdles of DevSecOps. Given that the world is quickly moving toward digital business, DevSecOps will secure a strong foothold in the industry. A Gartner survey revealed that the highest-ranked strategy for dealing with DevOps in a regulated environment was collaboration with information security.
It’s only a matter of time before everyone adopts DevSecOps to bring about better quality code and better security.