DevOps can break traditional application security testing processes & tools. Learn why an integrated DevSecOps approach is critical to building better code.
Working in cyber security can be discouraging. Every day brings another unprotected database, another ransomware victim, a new type of fraud, or another serious vulnerability.
The perfect antidote is working toward building better software, and to that end I want to tell you about a little thing called DevSecOps.
You probably know about DevOps
DevOps is a way of building software that is based on three pillars:
1. Velocity is the first priority.
Instead of having development cycles that span months or years, DevOps focuses on quick sprints of just a few weeks. Quick cycles of small iterations keep the process nimble, making it easy to respond to changing market conditions or an evolving perception of how your product creates value.
2. Automation is crucial to achieving velocity.
The traditional steps of building, testing, packaging, and deploying software are automated as much as possible to condense the time between developers implementing software features and customers using those features.
3. Continuous improvement allows teams to optimize the process itself.
Periodically, the team takes a critical look at their software development life cycle to understand what went well and what stumbling blocks they encountered. Then they adjust the process itself so that it works better in the future.
DevOps breaks down walls between traditionally isolated teams, such as development, release management, and operations, in order to emphasize a smooth, continuous road from developers writing software to customers using that software.
Sec stands for security
DevOps is an evolved set of practices for creating software quickly, but it doesn’t directly address security. Decades of hard-earned experience have demonstrated that security cannot be bolted on to software—it only works when security is part of every phase of software development.
The recommended approach is a secure software development life cycle (SSDLC), which considers security throughout the entire software development process. Here are some examples:
- Developers and other employees receive periodic security training so that they understand risks and mitigations.
- During software design, security is a first-class consideration. Threat modeling and other analyses are performed to ensure that the software has appropriate protections baked into its design.
- Better training helps developers write better code. They are also assisted by automated solutions, such as static analysis tools and software composition analysis tools that help them locate and remediate security issues as they write code.
- During the testing phase, application security testing tools locate security vulnerabilities that can be fixed by the development team before the software is released.
- Security is an important consideration during deployment and maintenance phases as well, including security analysis of containers and continuous monitoring for new vulnerabilities in third-party software components.
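To make the automated part of the SSDLC concrete, here is a small pipeline gate written for this article (it is not code from the original post, from Synopsys, or from any real SCA tool). It takes a dependency manifest and a vulnerability feed, reports which third-party components are affected, turns each finding into an issue-tracker style ticket with remediation guidance, and decides whether the build may proceed. The manifest, the advisory list and the advisory identifiers (EXAMPLE-0001 and so on) are constructed placeholders, and versions are assumed to be plain dotted integers.

```python
"""Illustrative DevSecOps gate: software composition analysis + build policy.

Constructed example. The advisories, package names and versions below are
placeholders, not real vulnerabilities; a real pipeline would pull the
feed from an advisory database and the manifest from the build system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordering used for policy decisions and ticket triage.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id, not a real CVE
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet
    severity: str


@dataclass(frozen=True)
class Finding:
    advisory_id: str
    package: str
    version: str
    severity: str
    remediation: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Assumes dotted integer versions such as '1.4.2'."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(manifest: Dict[str, str], advisories: List[Advisory]) -> List[Finding]:
    """Match every pinned dependency against the advisory feed."""
    findings = []
    for adv in advisories:
        version = manifest.get(adv.package)
        if version is None or not is_affected(version, adv):
            continue
        if adv.fixed is not None:
            remediation = f"upgrade {adv.package} to >= {adv.fixed}"
        else:
            remediation = f"no fixed release of {adv.package}; mitigate or replace"
        findings.append(Finding(adv.advisory_id, adv.package, version,
                                adv.severity, remediation))
    return findings


def gate(findings: List[Finding], fail_at: str = "high") -> Tuple[bool, List[dict]]:
    """Apply release policy: block the build if any finding is at or above
    `fail_at`. Every finding becomes a ticket so it lands in the normal
    backlog regardless of whether the build is blocked."""
    threshold = SEVERITY_RANK[fail_at]
    ordered = sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)
    tickets = [
        {
            "title": f"[{f.severity.upper()}] {f.advisory_id} in {f.package} {f.version}",
            "severity": f.severity,
            "remediation": f.remediation,
            "blocks_release": SEVERITY_RANK[f.severity] >= threshold,
        }
        for f in ordered
    ]
    build_ok = not any(t["blocks_release"] for t in tickets)
    return build_ok, tickets


# Constructed sample input: a pinned manifest and a tiny advisory feed.
MANIFEST = {"examplelib": "1.4.2", "otherlib": "2.0.0", "safe-lib": "3.1.0"}
ADVISORIES = [
    Advisory("EXAMPLE-0001", "examplelib", "1.0.0", "1.5.0", "high"),
    Advisory("EXAMPLE-0002", "otherlib", "2.0.0", None, "medium"),
    Advisory("EXAMPLE-0003", "safe-lib", "1.0.0", "2.0.0", "critical"),  # already fixed
]

if __name__ == "__main__":
    ok, tickets = gate(scan(MANIFEST, ADVISORIES), fail_at="high")
    for t in tickets:
        print(t["title"], "->", t["remediation"])
    print("build passed" if ok else "build blocked by policy")
```

Run as a CI step, the script's exit status (derived from `build_ok`) is what makes the check "invisible": a high or critical finding stops the release in the same way a failing unit test would, while medium and low findings still become tickets for the backlog. The `fail_at` threshold is the knob a team tunes as part of the continuous-improvement loop.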
The people have spoken
Computing, the UK’s leading business technology publication for IT leaders, surveyed 150 decision-makers who are involved in application development, application security, or both. These individuals represent organizations from a wide variety of industries including banking and finance, logistics, manufacturing, retail, and the government sector. The objectives of the research were to explore organizations’ strategic goals for application security (AppSec) and see to what extent they are integrating it into their DevOps environment and building a holistic DevSecOps program.
The research examines specific needs and challenges, such as automation, quick setup, ease of use, accuracy, integration, remediation guidance, and scalability. It also explores how these priorities influence the success of a DevSecOps approach.
The following are a few key findings from this research.
A focus on integrating application security testing
First, organizations were generally positive about implementing DevSecOps. Nearly half of the respondents had fully or partially integrated security testing into DevOps. Of the remainder, most had interest or were actively planning such an integration.
Figure 1: What stage is your organization at in integrating application security testing (AST) into its DevOps environment?
Interestingly, the organizations that had integrated application security testing into DevOps reported very high marks in terms of success. When asked to rank the success of their AST integration into their DevOps programs on a scale of 1 to 10, respondents gave an average overall ranking of a little over 7. Almost one-fifth of respondents (19%) rated their process as 10 out of 10. Very few gave a negative response, with just 9% ranking it as less than 5.
Everything is better with security
One of the most interesting findings has to do with the benefits of integrating security with software development.
Although “better application security” might seem like an obvious benefit, it’s not a given. Organizations that feel pushed into application security testing due to compliance or governance pressures might perform the testing but never use the results. The survey results paint a different picture: they show organizations that are integrating security testing and making good use of the results to improve their products.
Even better, an integrated DevSecOps approach provides numerous other benefits. In essence, DevSecOps makes application security testing invisible—it’s an integrated, automated part of the software development life cycle, which means that security vulnerabilities just go into the issue tracker like anything else. With integrated security testing, the development team finds and fixes more bugs before release, so the resulting product is better, safer, more secure, and more resilient. It just works better.
Figure 2: Which of the following benefits have you experienced as a result of building a more integrated DevSecOps approach?
*** This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Jonathan Knudsen. Read the original post at: https://www.synopsys.com/blogs/software-security/application-security-testing-devops/