Thursday, 24th June 2021

How GitHub and DevSecOps provide a seamless experience for developers

There is no doubt that enterprise IT infrastructure has undergone radical changes over the last few years. By Paul Farrington, EMEA CTO at Veracode.

While Lean DevOps has moved application development practices ahead in terms of speed, reliability and resilience, it still often falls short in ensuring robust security. For this reason, DevSecOps was introduced into the software development lifecycle (SDLC) to bring development, operations and security together under one easily accessible umbrella.

DevSecOps streamlines the detection of insecure code at every phase, driven by enhanced automation in the software delivery pipeline. This significantly reduces the potential for human error and lowers the risk of future attacks and downtime. A recent State of DevOps report found that 45% of companies that have fully integrated security into their pipelines can close vulnerabilities within one day of discovery.

Competing demands and priorities mean developers are under intense pressure to meet tight deadlines, and they often pull from open source libraries that contain vulnerable code. In fact, a survey by Veracode and Enterprise Strategy Group (ESG), Modern Application Development Security, found that 54% of organisations push vulnerable code just to meet critical deadlines. While developer teams plan to remediate in a later release, lingering flaws only add to risky security debt. With speed a critical factor in the success or failure of an organisation's application deployments, the health of its code, and with it the business' security, is on the line.

How can companies ensure their DevSecOps practices are seamless?

By integrating DevSecOps practices and code scanning tools into popular developer environments, the process of creating secure software becomes seamless, improving both efficiency and efficacy. For example, GitHub Actions connects tools to automate every step of the development workflow, meeting the need for speed without sacrificing security and quality. This enables developers to stay on schedule by allowing them to build, test and deploy entirely within the GitHub user interface (UI), and of course at the command line too. There is no more need to dive in and out of third-party interfaces and platforms when they have a coding issue.

When paired with the right application security (AppSec) scan types and SaaS solutions, this integration makes GitHub Actions an invaluable part of the development team’s workflow.

Tools accessible in a familiar interface mean developers can jump right into secure coding, with critical testing and analysis that won’t slow down production.

Being where developers are to deliver enhanced workflows

With native integration, developers can run static application security testing (SAST) scans from within their own GitHub projects. This significantly expands the testing capability available to developers using GitHub workflows and allows them to build security into their DevOps processes so that development scales across the team. Scans can complete within seconds to minutes so that pipelines keep flowing, and developers can easily tune out findings that are not relevant.

Working within the GitHub environment, developers have the control to which they are accustomed. Scan results are converted into GitHub code scanning alerts and developers receive clear remediation advice natively to keep their projects moving forward with fewer delays. Once code is at the deployment stage, the Policy Scan provides a thorough assessment of the application’s codebase and leaves an audit trail for compliance to prove security efforts.
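The integration described above, as an added example rather than Veracode's or GitHub's own code: a GitHub Actions workflow runs a SAST step that emits a SARIF file and uploads it so the findings appear as native code scanning alerts. The scan step itself (`./run-sast.sh`) is a hypothetical placeholder, since the text does not name a specific tool; the token permissions are kept to the minimum the job needs.

```yaml
name: SAST to code scanning alerts

on:
  push:
    branches: [main]
  pull_request:

# Least-privilege token: the job only needs to read the checkout and
# write code scanning alerts. Every other scope stays at the default 'none'.
permissions:
  contents: read
  security-events: write

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Hypothetical placeholder for the SAST tool of your choice; the article
      # does not name one. Whatever runs here must write its findings as SARIF.
      - name: Run SAST scan (placeholder)
        run: ./run-sast.sh --output results.sarif

      # Converts the SARIF file into GitHub code scanning alerts on the branch
      # or pull request. 'category' keeps this tool's alerts separate from any
      # other SARIF uploads (for example CodeQL) in the same repository.
      - name: Upload results to code scanning
        if: always()   # upload findings even when the scan step fails the build
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: sast
```

Alerts raised this way show up under the repository's Security tab and as annotations on the pull request, which is where the remediation advice the text refers to is surfaced to the developer.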

Using technologies which are already wildly popular with developers means far less downtime and fewer bottlenecks on the way to faster innovation. With such a high frequency of commits flowing through GitHub (more than 2,000 direct contributors made commit contributions to TensorFlow alone in 2019), a SaaS-based, multi-scan solution gives developer teams a leg-up when it comes to harnessing GitHub Actions for speed and efficiency.

Why more businesses need to develop secure software

Renowned Silicon Valley venture capital firm Andreessen Horowitz predicted the future correctly when it said, "software will eat the world". Today, software is a critical part of our daily professional and personal lives, and it is time more companies understood the importance of shifting left in the development lifecycle to enable teams to find and fix flaws at scale. As our latest global research in the State of Software Security (SoSS) Report found, 76% of applications have at least one flaw, which shows the risk that still remains hidden in the software we use. First integrating and then automating application scanning should reduce the risk caused by delays in remediating software flaws.

Fostering a proactive collaboration between developer teams and Application Security professionals is one way to improve the hygiene of many enterprise IT infrastructures. Having easily accessible technology to fix software vulnerabilities quickly is another. Powered by analysis of more than 21 trillion lines of code to date, our technology provides developers today with the accurate insight to naturally secure their work. This means a reduced time to market for businesses, which is certainly a competitive advantage in a troublesome global economic environment.
