The challenges of shifting to DevSecOps

null

With software security blunders making headlines and businesses feeling increasing pressure to deliver software faster, development and security teams have been tasked to devise a strategy to satisfy demands for more secure software and more rapid application development. These combining forces have led to the emergence of DevSecOps, which represents a shift in IT culture to accommodate the growing need for both security and speed.

A recent report published by Gartner asserts that by 2021, DevSecOps practices will be embedded in 80 per cent of development teams, up from 15 per cent in 2017. The same report predicts that by 2019, more than 70 per cent of enterprise DevSecOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages—up from less than 10 per cent in 2016. DevSecOps initiatives are gaining traction among organisations that want to increase their speed and cut the costs of development while improving application security.

Although development teams have adopted DevOps methodologies to meet tight deadlines, these agile practices pose new challenges to integrating security testing tools into the software development life cycle (SDLC):

  • Development teams bear more direct responsibility for finding and fixing problems, yet many developers have limited experience with secure coding practices. Development team leaders struggle to create consistent, repeatable processes that enable developers with various skill sets to find and fix security weaknesses quickly.
  • The SDLC is not as clear-cut as it once was, obscuring the roles of traditional security tools and methods. More organisations have moved away from a waterfall approach and are implementing a more iterative, continuous process that isn’t compatible with many legacy security testing tools and techniques. Additionally, tech stacks include a wide range of frameworks and languages, including open source code, which are compiled together.
  • Many developers are disenchanted by their experiences using time-consuming testing tools that can’t match the pace of DevOps cultures. Tools that don’t integrate into the SDLC disrupt DevSecOps initiatives and development processes, rather than supporting them. By integrating and automating static application security testing (SAST) as part of their DevSecOps initiatives, teams can address these common challenges related to developing secure applications in agile environments.

Some definitions

Like all new technology trends, DevSecOps has introduced new terminology. It can be difficult for security and engineering teams looking to modernise their development environments to get past the industry jargon to figure out what they should do. So first, let’s define some of the terms used (and sometimes misused) to talk about DevSecOps.

  • DevOps, per Gartner, is “an IT culture focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach.”
  • DevSecOps is a methodology in which security integrates throughout DevOps workflows. It is largely transparent to developers, and preserves the teamwork, agility, and speed of DevOps and agile environments.
  • Continuous integration (CI) is a software engineering practice where members of a team integrate their work with increasing frequency. In keeping with CI practice, teams strive to integrate at least daily and perhaps multiple times per day, toward the aspirational term in which it’s couched: continuously.
  • Continuous delivery (CD) is to packaging and deployment what CI is to build and test. Software is built, configured, and packaged and its deployment orchestrated in such a way that it can be released to production in a software-defined manner (low cost, high automation) at any time. CD also stands for continuous deployment, a practice that extends continuous delivery, with software updates automatically deployed to production environments multiple times per day.

Test automation solutions in CI/CD

Software development teams use CI/CD to accelerate software delivery. By integrating and automating security solutions early in the CI/CD pipeline, teams can scan every build for security weaknesses and vulnerabilities without affecting velocity. This DevSecOps practice stands in sharp contrast to traditional software security methods, where dynamic application security testing (DAST) is done late in the SDLC.

As the agility, speed, and complexity of development increase, security practices must adapt; traditional software security methods cannot keep up with development in a DevOps environment. This reality has driven the need for increased levels of test automation solutions that can integrate with multiple points in the SDLC. Automated testing conducted early in the SDLC can deliver many benefits, including:

Accelerated software delivery resulting from shortened test cycle times. Some SAST solutions give developers the option of scanning smaller sections of code more frequently, rather than spending hours to days scanning entire applications. According to Gartner’s 2017 Structuring Application Security Practices and Tools to Support DevOps and DevSecOps report, “Ideally, IDE tooling would advise the developer how to create secure code to utilize secure functions of the given language or framework, like how IDEs suggest functions and variables as a developer codes. Application security testing tools fit the bill here and are not limited to just verification activities. When integrated properly, AST tooling, especially SAST, can provide immediate feedback to development teams as they build applications.”

Reduced remediation costs. Automated testing tools help developers identify software defects early in the SDLC, when they are easiest to find and the least expensive to fix.

Consistent enforcement of security standards. Automated static analysis integrated into CI/CD pipelines gives organisations the ability to define and enforce consistent security guidelines. When static analysis is integrated into the CI/CD pipeline early in the SDLC, application security testing is no longer a slow, expensive burden but an essential enabler of DevSecOps. According to Gartner’s 2017 Integrating Security into the DevSecOps Toolchain report, “for scanning of custom code, traditional static and dynamic application security tools (SAST and DAST) can be applied along with SCA to help understand your project’s dependencies on underlying open-source code (e.g., Struts).”

Conclusion

DevSecOps, while undoubtedly a complicated process for a lot of businesses to undertake, is becoming increasingly popular. Moving towards this model allows a business to gain full control of its security from the genesis of a product to the shop floor – and can help them to avoid some of the third-party and supply chain errors that have littered the software industry in recent years.

Meera Rao, senior principal consultant, Synopsys
Image Credit: Profit_Image / Shutterstock