The worlds of software development and IT have changed tremendously over the last two decades. Software development evolved from the slow and rigid Waterfall model to the flexible and agile approach of DevOps. IT organizations evolved from using slowly provisioned on-premises infrastructure to the fast-paced environment of the cloud. As software development and IT shifted, cybersecurity professionals had to adapt to the change. DevSecOps — the process of integrating security into the DevOps lifecycle — is the most recent example of that adaptation.
DevSecOps is the natural consequence of shortening the development lifecycle. As a result of pressure to rapidly move code from development into production, there is no longer enough time for lengthy security review and testing processes. The goal of DevSecOps is to shift security left in the process. To achieve this, the operational work of security testing must be moved from dedicated security teams into the hands of developers. This enables developers to rapidly integrate the results of that testing into their code.
Here are a few methods to shift software development processes from DevOps to DevSecOps.
Integrate security into existing work patterns
The most common reason developers bypass security testing is that it is often inconvenient. The purpose of the DevOps philosophy is to reduce the administrative burden of software development and get working code into production quickly. When transitioning from DevOps to DevSecOps, security efforts can succeed by embracing this same philosophy. Help developers by making security testing easy for them. Tools should be automated as much as possible, and the results should be easy to interpret. Report issues directly into whatever issue tracking systems developers already use to track software flaws.
Select the right tools to streamline development processes
Automating work and providing easy-to-interpret results require tools designed to fit into a DevSecOps workflow. Security professionals should be open-minded about the testing tools in their arsenal, including adopting new tools that achieve the same security objectives while integrating far more efficiently into the DevOps lifecycle. Look for tools with fully functional APIs and flexible reporting options.
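The two points above, automating the testing and feeding results into the tracker developers already use, are illustrated by this added example (not code from the original article). It takes a scanner report in the SARIF 2.1.0 format that many SAST tools emit, drops findings below a minimum severity, and deduplicates by a stable fingerprint so an unchanged finding does not open a fresh ticket on every pipeline run; the sample report, the tool name ExampleSAST, the rule IDs and the issue payload fields are all constructed, hypothetical values.

```python
import hashlib
import json


def _finding(rule, level, text, uri, line):
    """Build one SARIF 2.1.0 result object; used here only to construct sample input."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line}}}]}


# Constructed sample scanner output: one finding reported twice (same rule, file, line)
# plus one low-severity note that should not become a ticket.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "ExampleSAST"}},
    "results": [
        _finding("SQLI-001", "error", "Query built by string concatenation", "src/orders.py", 42),
        _finding("SQLI-001", "error", "Query built by string concatenation", "src/orders.py", 42),
        _finding("STYLE-007", "note", "Unused import", "src/util.py", 3),
    ]}]})

# SARIF result levels, ranked so a minimum severity for ticketing can be enforced.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def fingerprint(tool, rule_id, uri, line):
    """Stable key so an unchanged finding does not open a new ticket on every run."""
    return hashlib.sha256(f"{tool}|{rule_id}|{uri}|{line}".encode()).hexdigest()[:16]


def sarif_to_issues(sarif_text, min_level="warning"):
    """Convert a SARIF report into deduplicated, tracker-ready issue dicts."""
    report = json.loads(sarif_text)
    issues = {}
    for run in report["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF default level is "warning"
            if LEVEL_RANK.get(level, 0) < LEVEL_RANK[min_level]:
                continue
            loc = res["locations"][0]["physicalLocation"]
            uri, line = loc["artifactLocation"]["uri"], loc["region"]["startLine"]
            key = fingerprint(tool, res["ruleId"], uri, line)
            # Hypothetical tracker payload; map these fields onto the team's own tracker API.
            issues.setdefault(key, {
                "fingerprint": key, "severity": level, "labels": ["security", "sast"],
                "title": f"[{tool}] {res['ruleId']} in {uri}:{line}",
                "body": res["message"]["text"]})
    return list(issues.values())
```

With the default threshold the sample report yields a single ticket for the repeated SQL injection finding; lowering the threshold to "note" lets the style finding through as well.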
Educate developers on security foundations
Developers cannot fix issues they do not understand. They must have a strong knowledge of common cybersecurity issues and how they might appear in their work. They also need to understand the secure coding practices that will protect them from common vulnerabilities. But the burden of security training does not need to fall on infosec teams or other in-house staff. There are many learning providers that already have secure coding programs available to use. Take advantage of those to more seamlessly transition from DevOps to DevSecOps.
It is also important to recognize that training doesn’t need to cover exotic issues. When reviewing security testing results, it is often the case that the most common issues arising in code today are the same SQL injection and cross-site scripting issues that plagued the industry five or more years ago. Help developers master the basics before moving on to more advanced concepts.
DevSecOps is a partnership between software developers and cybersecurity professionals. Teams that provide developers with the knowledge and tools they need to write and test secure code — and do so in a manner that integrates directly into their existing work — will achieve the best results.
This was last published in April 2020