DevSecOps

DevOps & The Secure SDLC: Breaking Down Barriers with DevSecOps

Feb 02, 2017 By Sarah Vonnegut

The adoption of DevOps in enterprises around the world has created a whole new meaning to constant, rapid innovation and delivery. Iteration after iteration, DevOps is designed to improve the end product endlessly, pushing the limits of speed and collaboration.

This emerging model of software development has created both a gap and an opportunity where security is concerned. With speed as the driving force of the DevOps movement, the perceived or actual extra time needed for security testing and remediating high-risk findings has caused security to be put on the backburner in the most important organizational change in decades. A lack of security awareness from the board to the development, QA and operations teams mean that security isn’t taken seriously at any level of the organization.

At the same time, DevOps processes create high-risk environments with endless code pushes and last minute fixes that bypass any security testing. At best, certain security tools or processes are accidentally ignored or shelved. At worst, they’re being skipped over at the request of development managers – it could even be embedded in the company culture.

 

Think about it this way: You wouldn’t build a high-speed roller coaster without safety harnesses just because it would take too much time to build them correctly.  You may have just built the fastest rollercoaster in the world – but the first person to fall off would be the end of your amusement park. In a sense, that’s where we are today. But how do we go about fixing it?

 

devopsDevSecOps as a Business Priority

 

So, in the face of being removed completely from the software development lifecycle, or SDLC,  the DevOps revolution has created an opportunity for security to be truly integrated into the SDLC, once and for all. Secure DevOps does exist and, while there are a multitude of names, from SecDevOps to Rugged DevOps, we like to call it:  DevSecOps.

 

“The purpose and intent of DevSecOps”, as DevSecOps advocate Shannon Lietz puts it here, “is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”

 

Changing the way security is integrated and how it supports the DevOps ecosystem may be a challenge – but it’s a change well-worth making. Their success hinges on having solved the two main barriers to security in DevOps: Lack of security awareness throughout the organization, and a lack of effective security automation throughout the SDLC. Without addressing these two issues, security will continue to remain a silo – and be ignored.

 

Creating a Culture of Speed AND Security Awareness

 

The need for speed and constant innovation is an order that normally comes from the top down, with the adoption and promotion of the DevOps culture coming from management. In order to shift from DevOps to DevSecOps, you’ll need commitment throughout the organization. Step one: Get your executives on board.

 

Promoting Security Awareness on the Board

 

Executives are usually keen to avoid reputational damage and liabilities, so making sure the board is up to date on the latest security and data breaches and how those companies were negatively affected is a strong case to helping executives get on board with a shift from DevOps to DevSecOps. If the burden of not correctly securing DevOps environments isn’t fully understood by the board, it’s impossible to expect the organizational structure to change.

 

It’s also important to clarify that organizations that embrace the security team within their DevOps processes are not only able to keep up with the DevOps demand – they’re often seen as companies to look up to. Offering success stories (and financial reports) from DevSecOps companies like Netflix and Etsy can make huge strides for getting the board on board.

 

Read more: Great Ways to Get Management on Your Side with Application Security

 

Promoting Security Awareness within DevOps teams

 

Security awareness on the development, QA, and operations teams ideally should start on their first days on the job. Ideally you’ll have a security onboarding procedure for new employees that cover secure coding tutorials and your company security tools, policies and procedures.

 

For veterans whose first day on the job was long ago (and likely didn’t involve security training), a different approach can be taken. This is where the idea of Application Security Champions can help make the cultural shift within DevOps teams. Pinpoint those developers who show an extra interest in security and have influence over their peers and “recruit” them to help spread word of the importance of security’s involvement in their work. Bring them to OWASP and secure coding meetups, use your newly required support of the board to encourage developers to offer monetary or other prizes to high-security performers, and most importantly – make security accessible, and wherever possible, fun for them.

 

Read more: Why You Need an AppSec Champion on Your Side

 

Automating Security Testing Throughout the SDLC

 

Automating security in alignment with the DevOps SDLC is the second crucial piece to the DevSecOps puzzle. In DevOps, automation is used to cut down on error and speed up repetitive processes in order to use actual brainpower on more important tasks. Why should security be different? By enabling developers to test their own code for security issues that would allow them to get instant results and remediate the issues on the spot, everyone wins.  Source Code Analysis, when embedded into the Development and QA ecosystems, is a core component of the move to DevSecOps.

 

To successfully automate security testing in your organization, it’s important to take the time to first understand how DevOps processes currently work, and where security can be easily automated and integrated within those processes. Furthermore, by keeping security as simple as possible and automating vulnerability reporting, you make it impossible for the DevOps teams to skip over security.

 

Watch: Software Security & Early Prevention of Vulnerable Code webinar with Troy Hunt

 

 

DevOps as a movement is still in its infancy, and AppSec practitioners still have an opportunity to make DevSecOps a reality before it’s too late. Start small, start sloppy – just start the shift towards DevSecOps. There is a place for security in DevOps, you just have to help make it happen!

 

The following two tabs change content below.
Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.