From DevOps to DevSecOps: The role of Security
Many IT organizations have recognized the benefits of an agile DevOps approach over traditional waterfall methodologies. DevOps not only makes teams more collaborative in a shared environment, it also delivers the faster time to market and increased profitability that business leaders are looking for.
While integrating development and IT operations teams has been a long time coming, security is still an afterthought. According to a Threat Stack report, 52% of companies cut back on security measures to meet a business deadline. Yet even the largest corporations, Facebook among them, are attacked by malicious hackers looking to disrupt operations, sabotage projects and steal valuable information.
As more companies launch data-driven digital products and services to compete with businesses like WealthSimple and Uber, protecting intellectual property and customer data becomes the business of DevSecOps.
52% of Companies Sacrifice Cybersecurity for Speed – A Threat Stack Report 2018
Integrating Security with DevOps
In the rush to keep up speed and innovation, developers tend to push security checks and security-related coding towards the end of the development and operations cycle. Doing so makes insecure code more expensive to fix and leaves vulnerabilities exposed for attackers to exploit.
For developers to keep the agility they want, security professionals must work out how to move security requirements earlier in the development cycle through automation. Just as automation lets developers treat infrastructure as code, security controls should be written and automated as code too.
Great Code is Secure Code
In a DevSecOps environment, security defects are found while you code, without leaving the tools you already use, which helps you produce high-quality, secure code. Information security teams can automate Static Application Security Testing (SAST) scans directly in the Integrated Development Environment (IDE), so flaws are found at the source-code level before QA testing begins.
Testing from Outside-In
During QA testing, developers and security teams can test a running application from the outside with Dynamic Application Security Testing (DAST) tools. Where SAST looks for flaws in the source code, DAST probes the web interface for SQL injection, misconfigured servers and authentication weaknesses. It probes the application for security holes the way an attacker would from the outside.
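To make the SAST/DAST distinction concrete, here is an added example (constructed for this page, not code from the original article or from any vendor's tool) that catches the same SQL injection flaw both ways: a minimal SAST rule that parses Python source and flags `cursor.execute()` calls whose SQL text is assembled at run time, and a DAST-style black-box probe that sends an injection payload to the running lookup and compares the result with a benign request. The sample application code, the in-memory SQLite table and the payload are all constructed for the demonstration; the function and variable names are assumptions of this example.

```python
"""Added example: one SQL-injection flaw caught statically (SAST-style) and
dynamically (DAST-style). Constructed sample code, not from any vendor tool."""
import ast
import sqlite3
import textwrap

# --- Application code under test (constructed sample, kept as text so the
#     SAST rule can parse it and the DAST probe can run it) ---------------
SAMPLE_SOURCE = textwrap.dedent('''
    def find_user_vulnerable(cursor, username):
        # flaw: user input is spliced straight into the SQL text
        cursor.execute(f"SELECT id, name FROM users WHERE name = '{username}'")
        return cursor.fetchall()

    def find_user_safe(cursor, username):
        # fix: the driver binds the value, so it can never become SQL syntax
        cursor.execute("SELECT id, name FROM users WHERE name = ?", (username,))
        return cursor.fetchall()
''')

_sample_ns = {}
exec(compile(SAMPLE_SOURCE, "<sample>", "exec"), _sample_ns)
find_user_vulnerable = _sample_ns["find_user_vulnerable"]
find_user_safe = _sample_ns["find_user_safe"]


# --- SAST: inspect the source without running it ---------------------------
def sast_scan(source):
    """Minimal SAST rule: report every *.execute(...) whose first argument is
    built at run time (f-string, + or % on strings, or str.format())."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args):
            continue
        sql = node.args[0]
        dynamic = (
            isinstance(sql, ast.JoinedStr)                                   # f"..."
            or (isinstance(sql, ast.BinOp)
                and isinstance(sql.op, (ast.Add, ast.Mod)))                  # "..." + x / "..." % x
            or (isinstance(sql, ast.Call) and isinstance(sql.func, ast.Attribute)
                and sql.func.attr == "format")                               # "...".format(x)
        )
        if dynamic:
            findings.append(f"line {node.lineno}: SQL text built at run time "
                            "is passed to execute(); use bound parameters")
    return findings


# --- DAST: treat the lookup as a black box and attack it from outside -------
def make_db():
    """Constructed in-memory table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn

# Classic tautology payload: a vulnerable query becomes ... WHERE name = 'x' OR '1'='1'
INJECTION_PAYLOAD = "x' OR '1'='1"

def dast_probe(lookup):
    """Compare the response to a benign name with the response to the payload.
    Getting back more rows than the baseline means the input changed the query."""
    cur = make_db().cursor()
    baseline = lookup(cur, "alice")
    attacked = lookup(cur, INJECTION_PAYLOAD)
    return {"baseline_rows": len(baseline),
            "attacked_rows": len(attacked),
            "injectable": len(attacked) > len(baseline)}


if __name__ == "__main__":
    for finding in sast_scan(SAMPLE_SOURCE):
        print("SAST:", finding)
    print("DAST vulnerable:", dast_probe(find_user_vulnerable))
    print("DAST safe:      ", dast_probe(find_user_safe))
```

The static rule fires on the vulnerable function before anything is executed, which is what an IDE plugin gives the developer; the dynamic probe needs a running target and has no idea how the query is written, but shows the payload actually pulling back every row. Real tools do both far more thoroughly (data-flow tracking, many payload families, error-based and timing-based detection), but the division of labour is the same.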
Extending Security to Cloud Environments
When applications are developed in the public cloud, knowing which security controls you are responsible for is a critical step. IT teams often assume security is the cloud provider's responsibility, but in fact public cloud security follows a shared responsibility model.
Where the line of ownership falls depends on the cloud model you use, whether Platform as a Service or Infrastructure as a Service; in every model the customer remains responsible for its own data and for who is granted access to it. Data, identity and access management, application-level controls, network controls and the host infrastructure all need to be considered when moving applications to a public cloud environment.
Benefits of DevSecOps
Although speed is the name of the game, a secure digital enterprise is good business:
- Fixing insecure code early lowers costs
- Avoiding a publicly reported breach protects brand reputation
- Strong security helps avoid legal fines by meeting data compliance requirements
- Business agility is delivered without risking stability or IT governance