A long-established organisation prided itself on having adopted DevOps for application delivery, rolling out features at a rapid pace to customers across the globe. Yet it still needed to improve the security of its applications and application infrastructure: its traditional high-level security reviews and testing had failed to keep up. As it started to implement DevSecOps, it learned how difficult it is to drive change in a large enterprise.
The scenario above is common. Given the scope and speed of the security controls required across the application landscape, such an organisation needs a framework that helps DevOps teams collaborate and drive the shift to DevSecOps. This article helps aspiring security leaders integrate DevSecOps in the enterprise: how to begin implementation, which references to consider, and how to approach security alongside DevOps in software development and engineering.
Adopt the Security Mindset–As conversations shifted to DevSecOps, organisations went straight for security tools, treated it as a technology play, and failed. DevSecOps is first a cultural and mindset challenge. According to a 2017 Sonatype survey, 50 per cent of developers know security is crucial but do not have enough time to spend on it.
Leaders should drive the integration of security across the organisation. With DevOps, business leaders concentrated on delivering functional product to market rapidly. It is time for businesses to realise that they also have to drive DevSecOps, where functionality and security are not mutually exclusive outcomes. Successful teams sell the idea of DevSecOps to their people, bring everyone on board, and only then start the implementation exercise.
The implementation exercise requires hiring new security leaders, re-skilling and up-skilling existing talent, and establishing secure DevOps pipelines. This in turn requires training and processes that integrate security into every stage of application development.
With the right security training, developers learn to think about the consequences of each line of code they write. The same goes for everyone involved in the application lifecycle: product owners, IT managers, testers, business owners and so on. For example, when rolling out a new server, what is the risk and what is the process? The right training, with an appropriate transition period, helps DevOps teams adopt security best practices across the enterprise. Developers come to understand that securing code from the initial stage matters. Product owners understand why capturing security requirements in every user story matters. Operations teams learn to treat infrastructure anomalies as potential security incidents rather than assuming an infrastructure problem or a software misconfiguration. Business teams, in turn, can adjust their timelines once they see that security is as important as functionality and rapid releases. A single bad line of code is enough for an attacker to cause major financial and brand losses.
With a security-first mindset in place, DevOps teams can take the following steps to integrate security into application development.
Securing applications by Design – Application security starts on Day 0, before the development phase begins. Teams designing applications know that even the best-written requirements do not by themselves produce a secure design. Secure software design is a demanding task and must be carried out with precision to avoid introducing vulnerabilities. A few practices help teams build secure applications and, if a flaw is exploited, recover quickly:
- Threat modelling
- Shift Left Security beyond Development
- Identify core pillars of Security
- Security Test Plan
- Incident Response Plan
Secure Coding Standards – When software analysis firm CAST analysed 1,380 software applications, it found 1.3 million vulnerabilities in the code.[1] This underlines the importance of secure code for any application. A good place to start is the Open Web Application Security Project (OWASP) Secure Coding Practices Quick Reference Guide, a checklist developers can consult during development. Encourage developers to use OWASP's resources fully. The guide's checklist covers these areas:
- Input Validation
- Output Encoding
- Authentication and Password Management
- Session Management
- Access Control
- Cryptographic Practices
- Error Handling and Logging
- Data Protection
- Communication Security
- System Configuration
- Database Security
- File Management
- Memory Management
- General Coding Practices
Developers are generally familiar with the OWASP Top 10, but when they need to cross-check the coding practice for a specific vulnerability class and its requirements, the checklist gives them a concrete reference. Secure coding standards reduce the chance of flawed code being written in the first place, and code review catches more of the remaining bugs before they pass the release gate.
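To make three of the checklist items concrete (Input Validation, Database Security and Output Encoding), here is an added example that is not code from the article or from OWASP: a user lookup written the vulnerable way beside the hardened version. The in-memory users table, the user names, the injection payload and the helper names are constructed for illustration.

```python
"""Three checklist items in practice: input validation, parameterised
queries and output encoding.  Added illustration, not code from the
article; the users table, user names and helper names are constructed."""
import html
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


# Before: the query is built by string formatting, so a quote in the input
# rewrites the WHERE clause (classic SQL injection).
def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


# Checklist item "Database Security": bind values as parameters so the
# database never parses user input as SQL.
def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Checklist item "Input Validation": an allowlist of the characters a user
# name may contain, applied before the value reaches any other layer.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be 1-32 characters of [a-z0-9_]")
    return username


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Defence in depth: validate first, then query with bound parameters."""
    return lookup_parameterised(conn, validate_username(username))


# Checklist item "Output Encoding": encode for the output context (HTML
# here) at the point of output, regardless of what validation did earlier.
def render_profile(username: str, email: str) -> str:
    return f"<p>{html.escape(username)} ({html.escape(email)})</p>"


def demo() -> dict:
    """Run the same injection payload through each version and report."""
    conn = build_db()
    payload = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)    # WHERE clause is now always true
    bound = lookup_parameterised(conn, payload)  # searches for the literal string
    try:
        lookup_safe(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_rows": len(leaked),
        "parameterised_rows": len(bound),
        "validation_rejected": rejected,
        "safe_rows": len(lookup_safe(conn, "alice")),
        "html": render_profile("<script>alert(1)</script>", "a@example.test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the string-built query returning every row for the payload, the parameterised query returning none, the validator rejecting the payload outright, and the script tag neutralised in the rendered HTML. Validation and parameterisation are kept as separate layers on purpose: either one alone defeats this payload, and the checklist expects both.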
Introducing pre-release security testing early in development – DevOps teams are integrating Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools to automate security checks. SAST tools integrated into the build process scan source code and block flawed changes from being merged into the baseline repository. DAST tools find flaws in a running application as it interacts with APIs, other web services, databases and networks. Many companies run DAST only against production, which means the vulnerabilities it finds are already exposed to attackers. DevSecOps teams can instead shift DAST left by running it in a testing or pre-production environment that closely mirrors production. Automating SAST and DAST in this way embeds security controls early in the software development lifecycle.
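The "block the merge" step above is where the tool integration usually lives. As an added example, not code from the article or from any scanner vendor, here is a build-stage gate that reads a SARIF 2.1.0 report (the interchange format many SAST tools can emit), fails the build when findings at or above a chosen severity remain, and lets a baseline of accepted findings pass so an existing codebase can adopt the gate without blocking every merge on day one. The report content, tool name, rule IDs, file paths and line numbers are constructed, not from any real scan.

```python
"""Build-stage SAST gate over a SARIF 2.1.0 report.  Added example; the
report below, its tool name, rule IDs, paths and lines are constructed."""
import json
import sys
from dataclasses import dataclass

# SARIF result levels, ranked so a threshold can be compared numerically.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    uri: str
    line: int
    message: str

    def fingerprint(self) -> str:
        # Baseline key: rule plus file, line-insensitive so an accepted
        # finding stays suppressed when unrelated edits shift it.
        return f"{self.rule_id}:{self.uri}"


def parse_sarif(doc: dict) -> list:
    """Flatten runs[].results[] into Finding objects (first location only)."""
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append(Finding(
                rule_id=result.get("ruleId", "unknown"),
                level=result.get("level", "warning"),  # SARIF default when absent
                uri=loc.get("artifactLocation", {}).get("uri", "?"),
                line=loc.get("region", {}).get("startLine", 0),
                message=result.get("message", {}).get("text", ""),
            ))
    return findings


def gate(findings: list, fail_on: str = "error", baseline=frozenset()):
    """Return (ok, blocking): ok is False if any unsuppressed finding is at
    or above the fail_on level."""
    threshold = LEVEL_RANK[fail_on]
    blocking = [f for f in findings
                if LEVEL_RANK.get(f.level, LEVEL_RANK["warning"]) >= threshold
                and f.fingerprint() not in baseline]
    blocking.sort(key=lambda f: LEVEL_RANK.get(f.level, 2), reverse=True)
    return (len(blocking) == 0, blocking)


# Constructed report: one error, one warning, one result with no level.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sqli-string-concat", "level": "error",
             "message": {"text": "SQL query built with string formatting"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "xss-unescaped-output", "level": "warning",
             "message": {"text": "Template variable rendered without escaping"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/views.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "debug-mode-enabled",
             "message": {"text": "DEBUG = True in settings"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/settings.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}


def run_gate(doc: dict = SAMPLE_SARIF, fail_on: str = "error",
             baseline=frozenset()) -> int:
    """Print blocking findings and return the process exit code for CI."""
    ok, blocking = gate(parse_sarif(doc), fail_on, baseline)
    for f in blocking:
        print(f"{f.level.upper():7} {f.uri}:{f.line} {f.rule_id}: {f.message}")
    return 0 if ok else 1


if __name__ == "__main__":
    # Usage: python gate.py [report.sarif] [error|warning|note] [baseline.txt]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    level = sys.argv[2] if len(sys.argv) > 2 else "error"
    accepted = frozenset(open(sys.argv[3]).read().split()) if len(sys.argv) > 3 else frozenset()
    sys.exit(run_gate(report, level, accepted))
```

Wired into a pipeline, the scanner writes its SARIF report and the gate's non-zero exit code is what stops the merge. Start with `fail_on="error"` and a baseline of today's findings, then tighten to `warning` and shrink the baseline as the backlog is fixed; a gate that blocks everything on day one is the one teams disable.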
Here are some of the widely used SAST and DAST tools to consider:
Continuous Monitoring – Automating core security practices bolsters security by reducing human error, but it also requires continuous security monitoring and alerting to keep an auditable trail of changes, application performance and security issues. Teams need to measure themselves against defined metrics and improve on them to stay ahead of problems in application development. Continuously monitoring security metrics lets DevOps teams keep improving their security decisions.
These steps, done right, help teams secure their applications. Beyond a tailored implementation of DevSecOps processes, teams can also learn from stories across industries. DevSecOps is maturing rapidly and the industry has plenty of failure and success stories. Many organisations have already integrated security practices into their SDLC and share what they learned.
Organisations adopting DevSecOps practices should attend security events and conferences. They will not come away with a DevSecOps blueprint, but they will be better informed about the pitfalls to avoid. Another good approach is to engage with specialised companies working in end-to-end application delivery and development.
Secure software does not happen overnight. It results from developers, testers and product managers incorporating security into their day-to-day activities. As the rules of the digital game change, security cannot be the last thing talked about; it must be the first thing taken care of. That is why security should run through planning, requirements analysis, design, coding, testing, deployment and live customer interaction. First movers who invest effort and time in security are gaining an advantage over their competitors.
Vishnu Nallani, VP & Head of Innovation, Qentelli