DevOps can break traditional application security testing processes & tools. Learn why an integrated DevSecOps approach is critical to building better code.
Working in cyber security can be discouraging. Every day brings another unprotected database, another ransomware victim, a new type of fraud, or another serious vulnerability.
The perfect antidote is working toward building better software, and to that end I want to tell you about a little thing called DevSecOps.
DevOps is a way of building software that is based on three pillars:
Instead of having development cycles that span months or years, DevOps focuses on quick sprints of just a few weeks. Quick cycles of small iterations keep the process nimble, making it easy to respond to changing market conditions or an evolving perception of how your product creates value.
The traditional steps of building, testing, packaging, and deploying software are automated as much as possible to condense the time between developers implementing software features and customers using those features.
Periodically, the team takes a critical look at their software development life cycle to understand what went well and what stumbling blocks they encountered. Then they adjust the process itself so that it works better in the future.
DevOps breaks down walls between traditionally isolated teams, such as development, release management, and operations, in order to emphasize a smooth, continuous road from developers writing software to customers using that software.
DevOps is an evolved set of practices for creating software quickly, but it doesn’t directly address security. Decades of hard-earned experience have demonstrated that security cannot be bolted on to software—it only works when security is part of every phase of software development.
The recommended approach is a secure software development life cycle (SSDLC), which considers security throughout the entire software development process. Here are some examples:
Computing, the UK’s leading business technology publication for IT leaders, surveyed 150 decision-makers who are involved in application development, application security, or both. These individuals represent organizations from a wide variety of industries including banking and finance, logistics, manufacturing, retail, and the government sector. The objectives of the research were to explore organizations’ strategic goals for application security (AppSec) and see to what extent they are integrating it into their DevOps environment and building a holistic DevSecOps program.
The research examines specific needs and challenges, such as automation, quick setup, ease of use, accuracy, integration, remediation guidance, and scalability. It also explores how these priorities influence the success of a DevSecOps approach.
The following is a few key findings from this research.
First, organizations were generally positive about implementing DevSecOps. Nearly half of the respondents had fully or partially integrated security testing into DevOps. Of the remainder, most had interest or were actively planning such an integration.
Figure 1: What stage is your organization at in integrating application security testing (AST) into its DevOps environment?
Interestingly, the organizations that had integrated application security testing into DevOps reported very high marks in terms of success. When asked to rank the success of their AST integration into their DevOps programs on a scale of 1 to 10, the average overall ranking is a little over 7. Almost one-fifth of respondents (19%) rate their process as 10 out of 10. Very few respondents gave a negative response, with just 9% ranking it as less than 5.
One of the most interesting findings has to do with the benefits of integrating security with software development.
Although “better application security” might seem like an obvious benefit, it’s not a given. Organizations that feel pushed into application security testing due to compliance or governance pressures might perform the testing but never use the results. The survey results paint a different picture; it shows organizations that are integrating security testing and making good use of the results to improve their products.
Even better, an integrated DevSecOps approach provides numerous other benefits. In essence, DevSecOps makes application security testing invisible—it’s an integrated, automated part of the software development life cycle, which means that security vulnerabilities just go into the issue tracker like anything else. With integrated security testing, the development team finds and fixes more bugs before release, so the resulting product is better, safer, more secure, and more resilient. It just works better.
Figure 2: Which of the following benefits have you experienced as a result of building a more integrated DevSecOps approach?
Jonathan Knudsen likes to break things. He has tested all kinds of software, from network infrastructure and medical devices to cryptocurrency nodes. Jonathan has worked as a developer, consultant, and author. He has published books about 2D graphics, cryptography, and Lego robots, and has written more than one hundred articles on a wide range of technical subjects.