DevSecOps: Making Security a Priority From the Start

DevOps is no longer just a concept that businesses are trying to understand; it is a working strategy for combining development and operations. Many development teams have adopted the methodology, which raises the question of where and how security fits into the process. Currently, security is often left until the last moment, which in today’s threat landscape is increasingly risky. To counter this, there is a growing desire to integrate security earlier so that it raises the quality and efficiency of applications rather than slowing them down. By developing a DevSecOps approach, businesses can benefit from more effective and trustworthy security that is prioritized throughout the pipeline.

DevSecOps is the practice of incorporating security into the development process at the point where you have the most ability to pivot away from problems. It includes assessing and addressing potential threats and hardening attack surfaces. It also commonly includes penetration testing, code scanning and analysis, threat modeling and vulnerability assessments, compliance auditing and all of the training these activities require.

Basically, DevSecOps brings security into the existing DevOps process: automated tests, non-functional requirements and compliance gating are inserted into the standard DevOps cycle. The end result is a full cycle that includes both automated and manual activities intended to verify whether or not the code is reliable.

The combination of dividing delivery into phases with criteria gates and the non-functional requirements (such as documentation, threat modeling, pen-testing, etc.) ensures a higher level of quality than attempting to resolve security issues at the end of the process.

For Higher-Quality Code, Automate Security

When DevSecOps is built on CI/CD pipelines, it introduces the ability to run multiple automated security tests, which include static code analysis, vulnerability scanners, malware scanners and automated tests that focus on security. DevSecOps essentially means automating these security checks, thus making them faster, more thorough and more effective.
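The compliance gating mentioned above is the piece that turns scanner output into a pipeline decision. The following is an added example, not code from the original article or from any particular product: a small gate script that reads findings in the SARIF format many static-analysis and vulnerability scanners can emit, counts them by severity, and fails the CI/CD stage when a finding at or above the chosen level is present. The tool name, rule ids and file paths in the embedded sample are constructed placeholders; the "suppressed" allowlist is an assumed mechanism for documented, reviewed exceptions.

```python
"""Pipeline security gate: fail the build on findings above a severity threshold.

Added example (not code from the original article). It reads SARIF-style
scanner output and decides whether the CI/CD stage passes. The sample
findings below are constructed for illustration; the tool name, rule ids
and file paths are invented placeholders.
"""
import json
import sys
from collections import Counter

# SARIF "level" values, ranked so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample scanner output in SARIF 2.1.0 shape (minimal subset).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},   # hypothetical tool name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "User input concatenated into SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def parse_findings(sarif_text):
    """Flatten SARIF runs/results into dicts with rule, level, file, line, msg."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = {}
            if result.get("locations"):
                loc = result["locations"][0].get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),  # SARIF default level
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "msg": result.get("message", {}).get("text", ""),
            })
    return findings


def evaluate_gate(findings, fail_at="error", suppressed=()):
    """Return (passed, blocking, counts).

    blocking: findings at or above `fail_at` whose rule is not in `suppressed`
              (an assumed allowlist of reviewed, accepted risks, never a silent ignore).
    counts:   findings per level, useful for tracking trends across pipeline runs.
    """
    threshold = LEVEL_RANK[fail_at]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f["level"], 2) >= threshold
                and f["rule"] not in suppressed]
    counts = Counter(f["level"] for f in findings)
    return (not blocking, blocking, counts)


def main(argv):
    # Usage: gate.py [findings.sarif] [fail-at-level]; with no file, the sample is used.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    fail_at = argv[2] if len(argv) > 2 else "error"
    passed, blocking, counts = evaluate_gate(parse_findings(text), fail_at)
    print("findings by level:", dict(counts))
    for f in blocking:
        print(f"BLOCKING {f['level']}: {f['rule']} at {f['file']}:{f['line']} - {f['msg']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1   # non-zero exit code fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is what the pipeline reacts to, so the same script works unchanged in any CI system that runs shell steps. Starting with a threshold of "error" and lowering it to "warning" once the backlog is cleared matches the gradual adoption the article recommends; the counts are worth recording on every run so the team can see whether the number of findings is trending down.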

When automated security checks are introduced earlier in the process, developers work on code that is current, rather than doing a final security push on three sprints’ worth of code and asking developers to look back at code written more than six weeks ago, which by then is out of context. By eliminating this challenge, both quality and hardening are built into the code more effectively than by trying to add them at the end of the process.

As developers incorporate these new activities into their regular routine, everyone becomes more security-minded and more likely to flag anything perceived to be a security risk that might not have been caught until a full security review later in the process. The bonus of taking this approach is that through security improvements, the overall quality of the code improves as well and makes it more trustworthy for businesses.

Practice Makes Perfect in DevSecOps

Starting with a baseline threat modeling session helps teams get a sound understanding of the current threat surfaces. This creates a foundation for changes to existing processes in the future and makes the transition to DevSecOps—and keeping security top of mind—easier in the long term. One method of doing this could be through external consultants, as they can be hugely beneficial in helping businesses get to grips with this approach.

Once a threat modeling session has been conducted, implementing automated code scanners reduces the time spent manually making sure that developers react to the scanners’ discoveries and, most importantly, ensures that the same mistakes are not repeated over and over. This approach only increases efficiency if lessons are learned and new methods are integrated quickly. Implementing security training for development teams reinforces this and ensures that employees are up to speed on the latest security requirements and solutions.

Get Started on DevSecOps, One Step at a Time

Teams don’t need to incorporate DevSecOps in one single step; it can be a gradual process implemented in stages with teams doing a little more in each iteration. Start by incorporating pen testing, automated code scanning, vulnerability scanning and malware checking into the development cycle and build from there. Though this sounds time-consuming, in reality it shouldn’t take long once the ball is rolling. And, once it begins, organizations can methodically integrate more security layers into the existing process, as opposed to entirely changing the system that developers know and trust.

Successful application delivery is the end goal for anyone working on the CI/CD pipeline, and it boils down to the quality of the final application. Businesses shouldn’t let security be a roadblock—it should be one of the main priorities throughout the process, and by automating many of the security checks, teams can be confident that any challenges will be fixed along the way. DevOps teams need to stop closing their eyes to their security problems and take action now to integrate more effective and reliable security measures into all applications for the future.

Jeffrey Keyes


Jeff has spent his career writing code, designing software features and UI, running dev and test teams, consulting and evangelizing product messaging. Outside of 6 years at Microsoft, he has been primarily focused on growing startup companies.
