Pamela, Product Head of an ISV, envisions the transformation of her team’s Dev and Ops processes. Pamela establishes a DevOps team to facilitate ‘continuous everything.’ She intends to achieve unmatched product quality, process automation, and risk-averse digital infrastructure. Six months down the line – her team witnessed a faster development cycle. But Pamela isn’t satisfied. This is because, in the last six months, a couple of security incidents have been reported. After investigation, the cause was identified as undetected bugs, which were there right from the coding environment.
Well, the fact remains that Pamela and her team aren’t only one to suffer. Per the 2019 Sonatype DevSecOps survey, every one in four companies has experienced a breach in 2018-2019.
DevOps Mantra – Make Security its Core and not just a Preservative
It is awesome how DevOps automates development, production, testing, and deployment environment. However, the automation chain often ignores the essential security protocols. Therefore, data, which is left unencrypted in the development environment, becomes an easy target for breaches. So, the key is to integrate security right at an earlier stage.
When practicing DevOps, there are multiple changes in codes in less time. The speed often outdoes the security team’s efforts and leaves them flat-footed. This poor alignment between teams results in a lack of security disciplines – unplanned vulnerabilities, less robust codes, insecure passwords, to name a few. The Sonatype survey states that 48 percent of respondents admitted lack of time for not practicing security at an early stage of the SDCL lifecycle. An interesting thing to note is that this number hasn’t gone down since 2018.
Honestly, DevSecOps completes the DevOps lifecycle by injecting security into its core. It helps companies transcend into a broader security blanket with source code analysis, vulnerability testing, penetration testing, and access management, among others.
However, having in place a DevSecOps guide has been a matter of concern. Let us analyze the top two challenges experienced by organizations in implementing DevSecOps.
Neutralizing corporate mindsets to accepting the change is like untying an intricate knot. You need to bring the team on one page and show them the bigger picture. Make them realize the long-term benefits of practicing security since inception. The Sonatype survey says that only one in four respondents believe that safety and quality run parallel.
A 2018-2019 survey, which was based on DevOps, showed that 58 percent of tech leaders think lack of skills hinders the embedment of security and testing within the SDCL. Lack of expertise will make the complete DevSecOps plan vulnerable. What to do is essential, but how to do is the key. Often organizations lack the skills to design an effective DevSecOps plan with defined milestones, clear operative procedures, and deliverables and project owners.
Mapping DevSecOps process flow within an organization and ensuring its success requires the right mix of tools, policies, methodologies, and practices. The bottom-line remains smooth synchronization between Dev, Ops, and the Infosec team. So, let us now look at the five-pointer DevSecOps security checklist that can be included as DevSecOps best practices.
1 Embrace Automation
The standard requirement for continuous testing and continuous integration is speed, which makes automation a fundamental requirement. Therefore, having essential security controls and trigger points is essential. Per the Sonatype 2019 survey, 63 percent of the respondents said to have automated their security practices.
Further, it is also vital to have mindful automation is place. For example, your source code scan need not be done for the whole application daily. It can be confined to the daily codes committed only.
Also, the key is to have not only static application security testing but also include dynamic application security testing. This way, we will ensure vulnerability scanning in real-time. It is equally important to have a relevant and optimal set of tools that will infuse automation to your configuration management, code analysis, patching, and access management.
2 Risk Management of Third-Party Tools & Technologies
The use of open source technologies for application development is on the rise. Per the 2019 Red Hat report, 69% of respondents believe that open source technology is crucial. However, there are security concerns around the use of open source technologies that must be addressed.
The Red Hat report cites – “Security is still cited as an open-source concern. Some of that fear likely stems from general security concerns since hacks and data breaches seem to be daily news. This concern may also reflect how unmanaged open source code—found across the web or brought in through dependencies—can introduce vulnerabilities in both open source and proprietary solutions.”
Developers are too busy to review open-source codes. This might bring unidentified vulnerabilities and other security issues on the codes. Therefore, code dependency testing is necessary. Having an OWASP utility check will ensure that there is no vulnerability in codes, which are dependent on open-source components.
3 Uniform Security Management Process
The security team will usually post the bugs report in different bug repositories. Developers don’t have the bandwidth to check all the reports. And top of it, multiple priorities result in precedence to functional testing over security issues. Therefore, it is fundamental to DevSecOps to have in place a uniform security application management system. This way any modification in codes is reflected in one place. The security team is also immediately notified of executing the authentication-testing protocol.
Another critical point is to follow the ‘secure by design’ principle via the automation of security tasks. This helps to create and maintain collective software and security elements like correct authorization, control mechanisms, audit management, and safety protocol. Resultant – a transparent security culture.
4 Integrating Application Security System with Bugs Tracker
The application security system should be integrated with your task management system. This will create a list of bugs tasks automatically that can be executed by the infosec team. Additionally, it will provide actionable details such as the nature of the bug, its severity and treatment required. Thus, the security team becomes empowered to fix issues before they land to the production and deployment environment.
5 Threat Modeling – The Last Key
The SANS Institute advocates risk assessment before implementing DevSecOps methodology. Following threat modeling will result in risk-gap analysis – helping you identify software components, which are under threats, level of threats, and possible solutions to counter those threats.
In fact, with threat modeling, the development team is equipped to locate fundamental glitches in the architecture. This way they can make necessary changes in application designs.
The ferocious rise in the competition demand reduction in time-to-market of the application. This must be supplemented with superior quality. Therefore, DevOps as a practice is only expected to increase. Rendering DevSecOps services for a while now, we have realized that imbibing security right from the early stages is only the key to maintain zero deployment downtime. Organizations must be thoughtful while shifting to Dev + Security + Operations. They should follow the idea of the People>Process>Technology. And, while doing so, the above 5 DevSecOps best practices will lay the foundation.