In a recent episode of AppSec Decoded, Taylor Armerding, a security advocate with the Synopsys Software Integrity Group, spoke with resident expert Stephen Zimmerman about DevSecOps. Zimmerman discusses the common perception among developers and operations teams alike that security testing adds friction, hindering development velocity. He offers insights and recommendations on how to properly plan and implement a DevSecOps strategy.
DevSecOps recommendation 1: Make security a cross-functional responsibility
Zimmerman elaborates on the idea that security is everyone's responsibility. He outlines the importance of aligning organizational goals and considering each team's unique requirements and limitations when adopting DevSecOps. He champions "organizational alignment," a concept that ensures every stakeholder has a seat at the strategy and planning table.
DevSecOps recommendation 2: Implement frequent testing of critical applications
The second recommendation Zimmerman offers is to increase the frequency of testing for critical business applications. He notes that problems arise from improper planning and a misaligned strategy, which often leave development pipelines grinding to a halt. Zimmerman argues that allocating adequate resources and time for these tests, combined with automated testing founded on established policies and pipeline triggers, can avoid these issues.
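The "established policies and pipeline triggers" Zimmerman mentions are usually encoded as two decisions a pipeline makes on every run: which scans to run for this event and this application, and whether the results block the build. The following is an added illustration of that pattern, not code from the podcast, from Zimmerman or from Synopsys. It assumes three application tiers (critical, standard, low), three pipeline events (pull_request, merge_to_main, nightly), placeholder scanner names, a scan-result format of plain dicts and a set of constructed sample findings; none of these come from the page.

```python
"""Policy-driven scan selection and gating for a DevSecOps pipeline.

Added illustration, not code from the podcast or from Synopsys. The tiers,
events, scanner names and thresholds below are assumed policy, not a
standard; the sample findings are constructed for the example.
"""
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Which scans run on which trigger, per application tier (assumed policy).
# Cheap, fast checks run on every pull request so developers get feedback
# early; slower scans run on merge or nightly so the pull-request pipeline
# does not grind to a halt. Critical applications get the fullest coverage.
SCAN_POLICY = {
    "critical": {
        "pull_request": ["secrets", "sca", "sast_incremental"],
        "merge_to_main": ["secrets", "sca", "sast_full"],
        "nightly": ["secrets", "sca", "sast_full", "dast"],
    },
    "standard": {
        "pull_request": ["secrets", "sca"],
        "merge_to_main": ["secrets", "sca", "sast_incremental"],
        "nightly": ["secrets", "sca", "sast_full"],
    },
    "low": {
        "pull_request": ["secrets"],
        "merge_to_main": ["secrets", "sca"],
        "nightly": ["secrets", "sca"],
    },
}

# Lowest severity that blocks the pipeline, per tier (assumed policy).
BLOCK_THRESHOLD = {"critical": "medium", "standard": "high", "low": "critical"}


def select_scans(tier, event):
    """Return the scan names the policy requires for this tier and trigger."""
    try:
        return list(SCAN_POLICY[tier][event])
    except KeyError:
        raise ValueError(f"no policy for tier={tier!r} event={event!r}") from None


def evaluate_gate(findings, tier, exceptions, today=None):
    """Apply the severity policy to scan findings.

    findings   : list of dicts with keys "id" and "severity"
    exceptions : dict mapping finding id -> expiry date of an accepted-risk waiver
    Returns (passed, blocking_ids). An expired waiver no longer suppresses
    a finding, so accepted risk has to be re-reviewed rather than forgotten.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[BLOCK_THRESHOLD[tier]]
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)
        if rank < threshold:
            continue
        expiry = exceptions.get(f["id"])
        if expiry is not None and expiry >= today:
            continue  # waiver still valid
        blocking.append(f["id"])
    return (len(blocking) == 0, blocking)


# Constructed sample findings and waivers (placeholder ids, not real reports).
SAMPLE_FINDINGS = [
    {"id": "SCA-0001", "severity": "high"},
    {"id": "SAST-0042", "severity": "medium"},
    {"id": "SAST-0043", "severity": "low"},
]
SAMPLE_EXCEPTIONS = {"SAST-0042": date(2099, 1, 1)}           # waiver valid
EXPIRED_EXCEPTIONS = {"SAST-0042": date(2020, 1, 1),           # waiver expired
                      "SCA-0001": date(2099, 1, 1)}            # waiver valid

if __name__ == "__main__":
    for tier in ("critical", "standard", "low"):
        print(tier, "PR scans:", select_scans(tier, "pull_request"))
        print(tier, "gate:", evaluate_gate(SAMPLE_FINDINGS, tier, SAMPLE_EXCEPTIONS))
```

The point of separating the two decisions is that the trigger policy controls cost (what runs on a pull request versus nightly) while the gate policy controls risk (what blocks a critical application versus a low-tier one); tuning either without the other is how teams end up with either a stalled pipeline or a scanner nobody reads.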
DevSecOps recommendation 3: Embrace 'shift left' security culture
Zimmerman concludes the conversation with the recommendation to foster a security culture that embraces "shifting left," or "shifting everywhere." This means finding and fixing defects, bugs, and design flaws as early as possible in the development process, when they are cheapest to correct. He notes that this approach not only builds a security-centric mindset across the team but also shortens the time between discovering a vulnerability and shipping the fix. It also reduces risk and raises security awareness more broadly across the organization.
Zimmerman's insights into the planning and implementation of a DevSecOps strategy address the common concern that security testing slows down development and operations. He underscores that creating a cross-functional culture of security responsibility, testing critical applications frequently, and fostering a security-focused mindset can help organizations avoid friction and sustain development velocity. His recommendations show how to strike a balance between speed, efficiency, and security in today's fast-paced DevSecOps world. For a more in-depth understanding, readers can consult the Global State of DevSecOps 2023 survey.