Introducing security to the DevOps cycle

Keeping your software delivery in peak condition. By Jeff Keyes at Plutora.

  • 3 years ago Posted in

As security is becoming an ever-more pressing challenge for businesses, ensuring that software is secure enough to prevent a cyber-criminal taking advantage of any weaknesses should be a priority. IT teams may primarily focus on making sure that their application is flawless and runs smoothly for users, but now the threat of data breaches is causing developers to reconsider how they introduce security features into software at every stage of the delivery pipeline. Finding issues at the end of this process is better than the bug going out to users, but the ideal solution is to find problems earlier so that developers can reduce the amount of backtracking through the code that is required.


DevSecOps is a philosophy that streamlines these processes by incorporating them alongside the development process to help ensure that breaches are prevented. It improves the collaboration between development and operations teams by placing security at the heart of the process and creating faster, more efficient ways to safely deliver code in an agile architecture. Essentially, DevSecOps involves adding security to the existing DevOps process, whereby automated tests, non-functional requirements and compliance gating are incorporated into the standard DevOps cycle.


So how can organisations put a fully-functional DevSecOps philosophy into practice?


Share the load across every team


Shifting the focus of security to the left in the development cycle essentially means that identifying vulnerabilities should be an integral part of the development process from the beginning. To do so, security cannot be the responsibility of a single team or person, but rather a shared initiative across IT operations, security and development teams. By making this shift in the software development lifecycle, the process will run both more quickly and more securely.


If it’s a shared responsibility, then it requires a shared knowledge of what and how to watch and implement. To be able to move left in the cycle with this shared knowledge, pipeline phases and gates need to be incorporated. By breaking down delivery into phases and gates, teams can include threat analysis as an iteration to make sure it happens, and they can incorporate non-functional requirements into the product features.


By adopting this “shifting left” philosophy, development will not only be accelerated, but it will also limit potential security threats in the future while addressing existing threats at the least cost with minimal damage to the platform.


Weave automation in from the start


Applying continuous and focused automation such as linting is essential to the success of the DevSecOps environment. Automation, when woven into the software development lifecycle from the start, can reduce the friction that occurs between security and development teams by quickly addressing existing and potential concerns at the lowest cost.


Adding automated security checks earlier in the process enables developers to work on code that is current, rather than doing a final threat push on three-sprints of code where the developers are looking back on code that was written more than six weeks ago, which can be a difficult switch of context. By eliminating this challenge, both quality and hardening are built into the code far more effectively than adding these in at the end of the process.


Get your governance in gear


Governance and DevOps are often at odds over how they make sure that there are no security issues before they go to release. Release orchestration tools can be introduced to solve this conflict, and criteria gates can be added to make sure that governance and DevOps work together.


When security testing is conducted in the development process is an important consideration in terms of lessening impact as well. Addressing security issues in completed code is much more cumbersome and expensive than addressing them while still coding. To combat this, governance also needs to be added into the beginning of processes so that it can be tracked throughout the entire lifecycle. Security teams can audit, monitor and coach the progress throughout the lifecycle as well.


Monitor your microservices for better security


In the world of legacy software, the number of interactions with other sources is not very high. In microservices, it is the complete opposite, and there is an added need to make sure all of these interactions are communicating with each other in a secure way.


Single-function modules that contain well-defined operations and interfaces are essential for successfully implementing a comprehensive DevSecOps approach. By constantly monitoring, upgrading and tweaking the microservice-based infrastructure, organisations will be better equipped for new developments.


There needs to be a concerted effort to stop leaving technical debt in the form of insecure computing. If you don’t have time to do it securely now, when will you? By going down the road of fully implementing DevSecOps philosophies, organisations will be armed with massive economic and technical advantages over less secure organisations.


Adopting a DevSecOps approach is beneficial for all parties involved, from the CEO to the end-user, as everyone can be sure that the security of the software is as tight as it can be. By integrating security much earlier in the pipeline and checking for issues throughout the process, developers can prevent vulnerabilities from ever going out to market – and in today’s competitive age, that could be the difference that makes your business come out on top.


By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.