The Keys for Successful DevSecOps
Organizations of all sizes and across all industries have embraced DevOps culture and practices. DevOps provides a variety of benefits that help accelerate development and deployment of applications, but it’s also important not to let security slip in the process. DevSecOps has arisen in the wake of DevOps as an initiative to ensure security has a seat at the table and that the code developed out of DevOps principles is secure.
While I was at the Black Hat conference in Las Vegas last month, I had an opportunity to sit down with Sameer Dixit, Vice President of Security Consulting for Spirent, and other members of the Spirent team to discuss DevSecOps and the keys necessary to make it successful. We began the conversation by establishing the security should really be an inherent part of anything you do in IT. How can you build a network or develop an application without security? It seems like a reasonable question, and yet it is still an issue faced by most organizations.
Sameer shared that there are essentially two key elements for successful DevSecOps: training and automation. Training is key because you can’t expect someone new—fresh out of college or whatever—to just know how to write secure code. Secure coding practices need to be taught and the skills of the developer should mature over time with practice.
Today In: Innovation
The second—and arguably more important—key is automation. Sameer shared that one of the biggest points of contention between developers and operations are time delays in deployment or productivity. Adding steps to develop more secure code could potentially make things more complex and slow things down, so it’s important to streamline security as much as possible.
With automated security scanning integrated into the CI / CD (continuous integration and continuous deployment) pipeline, code can be scanned automatically as it is checked in to a platform like Jenkins. The developer receives feedback that details any issues that are identified so they can be corrected. Over time, each developer should learn from the process and hone their skills—iterating over time so that there are fewer issues or less severe issues discovered. Ultimately, this process should lead to accelerated development timeframes as developers’ skills mature.
Japan BRANDVOICEHow Japan’s Biggest Biotech Is Pioneering New Peptide-Based DrugsUNICEF USA BRANDVOICETens Of Thousands Of Children In Syria’s Al-Hol Camp Need Help NowVizio P Series Quantum X 2019 Review: An Impressive 4K TV With Outstanding Peak Brightness
Of course, secure code is only part of the DevSecOps equation. The operations side has some of its own issues to deal with—some of which impact developers as well. Many organizations still rely on outdated hardware, unsupported operating systems, and legacy protocols. Code often has to be written to cater to these archaic standards. Even when code is written for current systems and protocols, the systems and applications they connect to may be require that they revert to older versions through backwards compatibility. Dependence on outdated hardware and software and the effort to work smoothly with those legacy technologies makes successful implementation of DevSecOps that much harder.
Hopefully a day will come when security doesn’t feel like an afterthought, and we don’t have to have a completely separate initiative to make it a thing. It would be nice for DevOps to just inherently include secure coding practices and cybersecurity principles by default. For the time being, though, most organizations will probably benefit from focusing on these keys of DevSecOps.