Automation is one of the keys to consistent and meaningful AppSec adoption in an evolving world. Many organizations have taken the first step in integrating their development and operations teams to drive more efficient delivery of applications and innovation to the market. They have come a long way by aligning around the shared goal of delivering stable, high-quality software quickly. One way they are achieving these efficiencies is through automation.
By automating manual processes and building tools into continuous integration and continuous delivery (CI/CD) pipelines, development and operations teams have increased workflow efficiencies and trust between groups, which is essential as these once-disparate teams now merge to tackle critical issues as a single new team. We see the use and expansion of automation in the integration of tools such as GitLab for version control, Jenkins for CI, Jira for defect tracking, and Docker for container integration within toolchains. These tools work together to create a cohesive automated environment designed to allow organizations to focus on delivering higher-quality innovation faster to the market.
Organizations are also realizing there is value in applying and sharing the value of automation by incorporating security principles earlier in the software development life cycle (SDLC). This creates shorter feedback loops and decreases friction, which allows engineers to detect and fix security and compliance issues faster and more naturally as part of software development workflows.
Enter DevSecOps. Automation in DevSecOps is the common denominator. It empowers development, security, and operations roles in the unified DevSecOps team to collaborate and scale their perspectives across the SDLC regardless of the deployment framework—on-premises, private cloud, public cloud, or hybrid. It accelerates security by making it a frictionless part of an organization’s new culture.
According to the latest BSIMM report, BSIMM9, automation can play a critical role in the successful integration of security into DevOps. Here are some key activities and practices from the BSIMM that support DevSecOps:
Although automation in DevSecOps is critical, it is not a substitute for all manual efforts. You still need to focus on the design of applications and on infrastructure support of application and security controls. It is important to identify potential weaknesses that may increase your system’s susceptibility to an attack, including where your design violates secure design patterns, your system omits security controls, or those security controls suffer from misconfiguration, weakness, or misuse.
While many organizations are making progress in replacing organizational silos with DevSecOps teams and implementing CI/CD workflows, the benefits of automation in DevSecOps—streamlined, collaborative development, security, and operation approaches—are clear: They enable organizations to bring high-quality, secure features and improvements to the market faster.