Automation: One of the keys to DevSecOps
Automation is one of the keys to consistent and meaningful AppSec adoption in an evolving world. Many organizations have taken the first step in integrating their development and operations teams to drive more efficient delivery of applications and innovation to the market. They have come a long way by aligning around the shared goal of delivering stable, high-quality software quickly. One way they are achieving these efficiencies is through automation.
Automation in DevOps
By automating manual processes and building tools into continuous integration and continuous delivery (CI/CD) pipelines, development and operations teams have increased workflow efficiencies and trust between groups, which is essential as these once-disparate teams now merge to tackle critical issues as a single new team. We see the use and expansion of automation in the integration of tools such as GitLab for version control, Jenkins for CI, Jira for defect tracking, and Docker for container integration within toolchains. These tools work together to create a cohesive automated environment designed to allow organizations to focus on delivering higher-quality innovation faster to the market.
Automation in DevSecOps
Organizations are also realizing that the same automation pays off for security when security principles are incorporated earlier in the software development life cycle (SDLC). This creates shorter feedback loops and decreases friction, which allows engineers to detect and fix security and compliance issues faster and more naturally as part of their normal development workflows.
Enter DevSecOps. Automation in DevSecOps is the common denominator. It empowers development, security, and operations roles in the unified DevSecOps team to collaborate and scale their perspectives across the SDLC regardless of the deployment framework—on-premises, private cloud, public cloud, or hybrid. It accelerates security by making it a frictionless part of an organization’s new culture.
How to automate the Sec in DevSecOps
According to the latest BSIMM report, BSIMM9, automation can play a critical role in the successful integration of security into DevOps. Here are some key activities and practices from the BSIMM that support DevSecOps:
- Software Environment 3.5: Use orchestration for containers and virtualized environments. Apply and provision repeatable security best practices through the orchestration of containers and other virtualized environments.
- Software Environment 3.6: Enhance application inventory with operations bill of materials. Inventory your applications and components in a bill of materials (BoM). Identify all open source in use, whether whole components or code snippets.
- Software Environment 3.7: Ensure cloud security basics. If you’re in the cloud, ensure cloud security features and controls (some of which may be built-in) are applied.
- Standards & Requirements. Integrate security standards and guidelines into development environments (e.g., work them into the IDE). Guidance can be explicitly linked to code examples or even containers to make them more actionable and relevant.
- Code Review. Define the code review process to make code review more efficient and consistent and to bring security expertise to reviewers who are not security experts.
- Security Testing 2.5: Include security tests in QA automation. Run these tests alongside functional tests as part of automated regression testing.
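As an added illustration of the last activity (Security Testing 2.5), not code from the original post, here is a small Python regression suite in which security tests sit in the same run as functional tests, so a regression in either fails the build. The download handler, its document root and the sample requests are constructed for this example.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed for this example: a download handler whose behaviour the
# regression suite below pins down. Not code from the original post.
DOC_ROOT = PurePosixPath("/srv/app/public")
SECURITY_HEADERS = {"X-Content-Type-Options": "nosniff",
                    "Content-Security-Policy": "default-src 'self'"}

def serve_path(requested: str) -> dict:
    """Map a user-supplied path to a file under DOC_ROOT; 403 if it would escape."""
    candidate = PurePosixPath(unquote(requested).lstrip("/"))
    # PurePosixPath keeps '..' segments verbatim, so refuse them outright rather
    # than trusting normalisation to keep the result inside DOC_ROOT.
    if ".." in candidate.parts:
        return {"status": 403, "path": None, "headers": dict(SECURITY_HEADERS)}
    return {"status": 200, "path": str(DOC_ROOT / candidate),
            "headers": dict(SECURITY_HEADERS)}

# Functional tests: the behaviour QA already checks.
def test_serves_file_under_root():
    assert serve_path("docs/guide.pdf")["path"] == "/srv/app/public/docs/guide.pdf"

def test_leading_slash_is_tolerated():
    assert serve_path("/docs/guide.pdf")["status"] == 200

# Security tests: same suite, same run, so a security regression fails the build.
def test_rejects_plain_traversal():
    assert serve_path("../../etc/passwd")["status"] == 403

def test_rejects_url_encoded_traversal():
    assert serve_path("%2e%2e/%2e%2e/etc/passwd")["status"] == 403

def test_security_headers_on_every_response():
    for req in ("docs/guide.pdf", "../x"):
        assert serve_path(req)["headers"]["X-Content-Type-Options"] == "nosniff"

REGRESSION_SUITE = [test_serves_file_under_root, test_leading_slash_is_tolerated,
                    test_rejects_plain_traversal, test_rejects_url_encoded_traversal,
                    test_security_headers_on_every_response]

def run_regression() -> dict:
    """Run functional and security tests in one pass; {test_name: 'pass'|'fail'}."""
    results = {}
    for test in REGRESSION_SUITE:
        try:
            test()
            results[test.__name__] = "pass"
        except AssertionError:
            results[test.__name__] = "fail"
    return results
```

In a CI pipeline the same suite runs on every commit; a failing security test is then just another red build, with no separate security gate to bypass.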
But automation is just one factor
Although automation in DevSecOps is critical, it is not a substitute for all manual effort. You still need to focus on the design of your applications and on the infrastructure that supports them and their security controls. It is important to identify potential weaknesses that may increase your system’s susceptibility to attack, including places where your design violates secure design patterns, where your system omits security controls, or where those controls suffer from misconfiguration, weakness, or misuse.
Many organizations are still in the middle of replacing organizational silos with DevSecOps teams and implementing CI/CD workflows, but the benefits of automation in DevSecOps, namely streamlined, collaborative development, security, and operations practices, are already clear: they let organizations bring high-quality, secure features and improvements to the market faster.