Five steps to integrating DevSecOps in the enterprise
Implement DevSecOps in your enterprise organisation in five easy steps.
A long-established organisation prided itself on having adopted DevOps for its application delivery practices, rolling out features at a rapid pace to customers across the globe. Yet it still needed to improve the security of its applications and application infrastructure. Its traditional methods of high-level security and testing failed. As it started to implement DevSecOps, it learned how difficult it is to implement change in a large enterprise.
The above scenario is common in many organisations. Given the scope and speed of the security structure required across the application landscape, organisations want a framework that helps DevOps teams collaborate better to drive the DevSecOps shift. This article helps aspiring security leaders integrate DevSecOps in the enterprise: how to begin implementation, which references to consider, and how to approach security alongside DevOps in software development and engineering.
Adopt the Security Mindset – As conversations shifted to DevSecOps, organisations went straight to security tools, treating it as a technology play, and failed miserably. DevSecOps is a cultural or mindset challenge. According to a 2017 survey from Sonatype, 50 per cent of developers know security is crucial but don’t have enough time to spend on it.
Leaders should drive the integration of security across the organisation. With DevOps, business leaders concentrated more on functional product delivered rapidly to the market. It is time for businesses to realise that they have to drive DevSecOps, where functionality and security are not mutually exclusive outcomes. Successful teams sell the idea of DevSecOps to their people, bring everyone on board, and only then start the implementation exercise.
The implementation exercise requires hiring new security leaders, re-skilling and up-skilling existing talent, and establishing secure DevOps pipelines. This in turn requires training and processes to achieve a 360-degree integration of security in application development.
With the right security training, developers learn to think about the consequence of each line of code they write. The same goes for all employees involved in the application lifecycle: product owners, IT managers, testers, business owners, and so on. For example, if they are rolling out a new server, what is the risk and what is the process? The right training, with appropriate transition time for DevSecOps, will help DevOps teams adopt security best practices across the enterprise. Developers will understand that securing code from the initial stage is important. Product owners will understand why capturing security requirements in every user story is important. Operations teams are better trained to treat infrastructure anomalies as possible security breaches, instead of assuming an infrastructure problem or software misconfiguration. Similarly, business teams can adjust their timelines, understanding why security is as important as functionality and rapid releases. Attackers can exploit a single bad line of code, causing major financial and brand losses.
With a security-first mindset, DevOps teams can consider these steps to integrate security into application development.
Securing applications by Design – Application security starts from Day 0, that is, even before the development phase. Teams designing applications know that even the best laid-out requirements are, most of the time, not enough on their own. Secure software design is a challenging task and must be carried out with great precision to avoid vulnerabilities. There are a few best practices teams can consider to build secure applications or, if they are exploited, to recover from it immediately:
- Threat modelling
- Shift Left Security beyond Development
- Identify core pillars of Security
- Security Test Plan
- Incident Response Plan
- The challenges of shifting to DevSecOps
Secure Coding Standards – When software analysis firm CAST analysed 1,380 software applications, it found a whopping 1.3 million software vulnerabilities in the code.[1] This emphasises the importance of secure code for any application. The best way to start is with the Open Web Application Security Project (OWASP) quick reference guide for secure coding during development. Encourage developers to use its resources fully. These guidelines also cover other coding areas, such as:
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- General Coding Practices
Developers are familiar with the OWASP Top 10, but they may have doubts when they want to cross-check the coding practices and requirements for a specific vulnerability. While secure coding standards eliminate the chances of flawed code, performing code review will decrease the number of bugs passing the release gate.
Introducing pre-release security testing early in development – DevOps teams are integrating Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to automate security. SAST tools integrated into the build process scan the code and prevent faulty code from being merged into the baseline repository. DAST tools find flaws in the application while it is up and running, interacting with APIs, other web services, databases and networks. Most companies integrate DAST tools with the production environment, where DAST only recognises vulnerabilities that are already exposed to cyberthreats. Instead, DevSecOps teams can shift security left by integrating DAST tools in the testing or pre-production environment (which closely resembles the production environment). Automated security testing with SAST and DAST helps teams embed security controls early in the software development lifecycle.
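The two gates described above, SAST blocking the merge into the baseline branch and DAST blocking promotion from pre-production to production, expressed as a small pipeline policy script. This is an added illustration, not code from the article or from any scanner vendor; the JSON report shape and the severity policy are constructed assumptions, and real tools emit their own formats (often SARIF) that would need mapping into this shape.

```python
"""Merge and promotion gate over SAST and DAST findings (added example).

Assumes each scanner's output has been normalised to a JSON list of
findings with "rule" and "severity" keys; this shape and the sample
reports below are constructed for illustration, not any tool's real format.
"""
import json

# Constructed sample reports: a SAST run on a merge request, and a DAST run
# against the pre-production environment (a stand-in hostname).
SAST_REPORT = json.dumps([
    {"rule": "sql-injection", "severity": "high", "file": "orders.py", "line": 42},
    {"rule": "weak-hash-md5", "severity": "medium", "file": "auth.py", "line": 10},
])
DAST_REPORT = json.dumps([
    {"rule": "missing-csp-header", "severity": "low", "url": "https://staging.example.test/"},
])

# Policy (assumed): SAST gates the merge into the baseline branch; DAST gates
# promotion to production, where the bar is stricter because findings there
# would otherwise be exposed to real traffic.
BLOCKING = {
    "merge": {"high", "critical"},
    "promote": {"medium", "high", "critical"},
}

def evaluate_gate(gate, report_json):
    """Return (allowed, blocking_findings) for one gate and one scanner report."""
    findings = json.loads(report_json)
    blocking = [f for f in findings if f["severity"].lower() in BLOCKING[gate]]
    return (len(blocking) == 0, blocking)

def pipeline_decision(sast_json, dast_json):
    """Run the merge gate on SAST output and the promotion gate on DAST output."""
    merge_ok, merge_hits = evaluate_gate("merge", sast_json)
    promote_ok, promote_hits = evaluate_gate("promote", dast_json)
    return {
        "merge_allowed": merge_ok,
        "merge_blockers": [f["rule"] for f in merge_hits],
        "promote_allowed": promote_ok,
        "promote_blockers": [f["rule"] for f in promote_hits],
    }

if __name__ == "__main__":
    # In CI this would exit non-zero on a blocked gate; here it just reports.
    print(json.dumps(pipeline_decision(SAST_REPORT, DAST_REPORT), indent=2))
```

With the sample reports the merge is blocked by the high-severity SAST finding while the low-severity DAST finding lets promotion proceed; the stricter promotion policy would block the same medium-severity finding if DAST had reported it.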