How GitHub and DevSecOps provide a seamless experience for developers

There is no doubt that enterprise IT infrastructure has undergone radical changes over the last few years. By Paul Farrington, EMEA CTO at Veracode.

While Lean DevOps has moved application development practices ahead in terms of speed, reliability and resilience, it still often falls short on security. DevSecOps was introduced into the software development lifecycle (SDLC) for this reason: to bring development, operations and security together under one easily accessible umbrella.

DevSecOps streamlines the detection of insecure code at every phase, driven by greater automation in the software delivery pipeline. This reduces the scope for human error and lowers the risk of future attacks and downtime. A recent State of DevOps report found that 45% of companies that have fully integrated security into their pipelines can close vulnerabilities within one day of discovery.

Competing demands and priorities mean developers are under intense pressure to meet tight deadlines, and they often pull in open source libraries that contain vulnerable code. In fact, a survey by Veracode and Enterprise Strategy Group (ESG), Modern Application Development Security, found that 54% of organisations push vulnerable code just to meet critical deadlines. Developer teams plan to remediate in a later release, but lingering flaws only add to security debt. With speed a critical factor in whether an organisation's application deployments succeed, the health of the code, and with it the security of the business, is on the line.

How can companies ensure their DevSecOps practices are seamless?

By integrating DevSecOps practices and code scanning tools into popular developer environments, the process of creating secure software becomes seamless, improving both efficiency and efficacy. For example, GitHub Actions connects tools to automate every step of the development workflow, meeting the need for speed without sacrificing security and quality. Developers stay on schedule because they can build, test and deploy entirely within the GitHub user interface (UI), and of course at the command line too. There is no longer any need to jump in and out of third-party interfaces and platforms when a coding issue turns up.

When paired with the right application security (AppSec) scan types and SaaS solutions, this integration makes GitHub Actions an invaluable part of the development team’s workflow.

Tools accessible in a familiar interface mean developers can jump right into secure coding, with critical testing and analysis that won’t slow down production.

Being where developers are to deliver enhanced workflows

With native integration, developers can run static application security testing (SAST) scans from within their own GitHub projects. This significantly expands the testing capability available in GitHub workflows and lets developers build security into their DevOps processes as development scales across the team. Scans can complete within seconds to minutes so that pipelines keep flowing, and developers can easily tune out findings that are not relevant.

Working within the GitHub environment, developers keep the control to which they are accustomed. Scan results are converted into GitHub code scanning alerts, and developers receive clear remediation advice natively, keeping their projects moving with fewer delays. Once code reaches the deployment stage, the Policy Scan provides a thorough assessment of the application's codebase and leaves an audit trail that proves the security effort for compliance purposes.
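The two steps described above, tuning out irrelevant findings and turning the remaining results into code scanning alerts with a deployment-stage policy check, come down to a small amount of glue code in a pipeline. The following is an added example, not Veracode's or GitHub's own code: it takes findings in a hypothetical scanner JSON shape (the sample data is constructed), applies rule and path suppressions, emits a minimal SARIF 2.1.0 log, which is the format GitHub code scanning ingests (in a workflow it would be handed to the `github/codeql-action/upload-sarif` action via its `sarif_file` input), and applies a severity-threshold gate that fails the job when the policy is not met. The tool name `example-sast` and the field names in the findings are assumptions.

```python
"""Scanner findings -> suppressions -> SARIF 2.1.0 -> policy gate.

Added example; not code from Veracode, GitHub or any real scanner.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample output in a hypothetical scanner's JSON shape (assumption).
SAMPLE_FINDINGS: List[Dict] = [
    {"rule": "sql-injection", "severity": "high", "file": "src/db.py",
     "line": 42, "message": "Unsanitised request parameter reaches cursor.execute()"},
    {"rule": "hardcoded-secret", "severity": "medium", "file": "tests/fixtures.py",
     "line": 7, "message": "String literal looks like an API key"},
    {"rule": "weak-hash", "severity": "low", "file": "src/legacy.py",
     "line": 15, "message": "MD5 used where a collision-resistant hash is expected"},
]

# SARIF result levels recognised by GitHub code scanning.
SEVERITY_TO_LEVEL = {"high": "error", "medium": "warning", "low": "note"}


def is_suppressed(finding: Dict, ignore_rules: Iterable[str], ignore_paths: Iterable[str]) -> bool:
    """Tune-out: drop a finding by rule ID or by file path prefix (e.g. test fixtures)."""
    if finding["rule"] in ignore_rules:
        return True
    return any(finding["file"].startswith(prefix) for prefix in ignore_paths)


def filter_findings(findings: List[Dict], ignore_rules: Iterable[str] = (),
                    ignore_paths: Iterable[str] = ()) -> List[Dict]:
    return [f for f in findings if not is_suppressed(f, ignore_rules, ignore_paths)]


def to_sarif(findings: List[Dict], tool_name: str = "example-sast") -> Dict:
    """Build a minimal SARIF 2.1.0 log: one run, one rule per rule ID, one result per finding.

    GitHub derives an alert from each result; without partialFingerprints it
    computes its own fingerprint from the location and message to deduplicate.
    """
    rules: Dict[str, Dict] = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["rule"]}})
        results.append({
            "ruleId": f["rule"],
            "level": SEVERITY_TO_LEVEL.get(f["severity"], "warning"),
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"]},   # repo-relative path
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def policy_gate(findings: List[Dict], thresholds: Dict[str, int]) -> Tuple[bool, Dict[str, int]]:
    """Return (passed, counts). thresholds maps severity -> maximum findings allowed."""
    counts = Counter(f["severity"] for f in findings)
    passed = all(counts.get(sev, 0) <= limit for sev, limit in thresholds.items())
    return passed, dict(counts)


if __name__ == "__main__":
    kept = filter_findings(SAMPLE_FINDINGS, ignore_paths=("tests/",))
    with open("results.sarif", "w", encoding="utf-8") as fh:
        json.dump(to_sarif(kept), fh, indent=2)
    ok, counts = policy_gate(kept, {"high": 0, "medium": 5})
    print("findings by severity:", counts, "policy passed:", ok)
    # A non-zero exit fails the workflow step, which is the gate the text describes.
    raise SystemExit(0 if ok else 1)
```

Upload the SARIF before the exit status is evaluated (a later step with `if: always()`), otherwise a failed gate also hides the alerts that explain the failure. Suppressions belong in version control next to the workflow so that a tuned-out finding is a reviewable decision rather than a silent one.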

Using technologies that are already hugely popular with developers means far less downtime and fewer bottlenecks on the way to faster innovation. With such a high volume of commits flowing through GitHub (more than 2,000 direct contributors made commits to TensorFlow alone in 2019), a SaaS-based, multi-scan solution gives developer teams a leg-up when harnessing GitHub Actions for speed and efficiency.

Why more businesses need to develop secure software

Marc Andreessen of the Silicon Valley venture capital firm Andreessen Horowitz predicted the future correctly when he wrote that "software will eat the world". Today, software is a critical part of our daily professional and personal lives, and it is time more companies understood the importance of shifting left in the development lifecycle so that teams can find and fix flaws at scale. Our latest global research in the State of Software Security (SoSS) Report found that 76% of applications have at least one flaw, which shows how much risk still lies hidden in the software we use. Integrating application scanning first, and then automating it, reduces the risk created by delays in remediating software flaws.

Fostering proactive collaboration between developer teams and application security professionals is one way to improve the hygiene of enterprise IT infrastructures. Having easily accessible technology to fix software vulnerabilities quickly is another. Drawing on the analysis of more than 21 trillion lines of code to date, our technology gives developers the accurate insight they need to secure their work as a natural part of it. The result is a shorter time to market, which is certainly a competitive advantage in a troublesome global economic environment.
