DevSecOps

Extending DevOps to application security

At a Glance:

DevSecOps extends the DevOps concept with the idea that every employee and team is responsible for security, and that decisions can be reached efficiently and put into action without sacrificing it. Getting new code to production faster is a goal that often drives new business; in today's environment, that goal has to be balanced with addressing security.

What Is DevOps?

DevOps is a set of methodologies (people, process, and tools) that enables teams to ship better code faster. It supports cross-team collaboration designed to automate software delivery and lower the cost of deployment. The DevOps movement has established a culture of collaboration and an agile working relationship that unites the Development, Quality Engineering, and Operations teams around a set of processes that foster high levels of communication.

DevOps and Application Security

Web applications have become a primary target for attackers for multiple reasons: 

1. They are open for business and easily accessible: Companies rely on firewalls and network segmentation to protect critical assets, but web applications (and therefore their vulnerabilities) are exposed to the internet so that customers can use them. They are far easier to reach than other critical infrastructure, and attack traffic often blends in with legitimate user traffic.

2. They hold the keys to the data kingdom: Web applications routinely communicate with databases, file shares, and other critical information stores. Because the application sits so close to that data, compromising it makes the data easier to reach, and that data is often among the most valuable an organization holds: card data, PII, Social Security numbers, and proprietary information can be just a few steps away from the application.

3. Penetrating applications is relatively easy: Attackers have tools that let them point-and-shoot at a web application to discover exploitable vulnerabilities, with little skill required to run them.

Web application security testing is critical, especially since most application vulnerabilities originate in the source code. Dynamic Application Security Testing (DAST) is a primary method for scanning web applications in their running state; the vulnerabilities it finds are usually security defects that must be remediated in the source code. Because DAST exercises the deployed application the way an attacker would, its results help developers identify real, exploitable risk rather than theoretical weaknesses, although it can only find issues in the functionality the scan actually reaches, so it complements rather than replaces code-level review.

In a true DevSecOps mindset, it is important to understand that web application scans can be run early in the software development lifecycle (SDLC) without adding a separate manual phase for developers or testers. When dynamic application security testing first became popular, security experts typically ran the tests at the end of the lifecycle, which only served to frustrate developers, increase costs, and delay timelines. In DevSecOps, scanning starts at the beginning of the development lifecycle and runs continuously, rather than as a final gate.

Adopting a DevSecOps Mindset

Much like DevOps, DevSecOps is all about partnership and collaboration. It is critical that security and development teams get together to understand the risks each faces. Effective methods of integrating security testing into the SDLC include:

  • Using continuous integration to run security tests automatically on every build, so an application is tested before it reaches production rather than after.
  • Integrating issue tracking so the application security solution automatically files defects in the issue tracker already used by the development and QA teams, where they are triaged like any other bug.
  • Automating the scans so they run consistently without manual effort, and expanding their coverage as the test suite grows, which makes the security tests themselves more effective.

There are many benefits to embedding application security earlier in the SDLC: if you treat security vulnerabilities like any other software defect, you save money and time by finding them while developers and testers are still working on the release, rather than after it ships.