More security in application development: How important the DevSecOps culture is for companies
The use of containers and open source offers many advantages for developers – but also some security challenges. This guest article explains how security can be more integrated into the development process through a DevSecOps approach.
DevOps is a good start, but it is only through integrated security that the security department can keep pace with development.
The concept of DevOps has been around for over ten years. The original goal of this approach was to improve collaboration between development and operations teams. The automation of processes played a decisive role in this, in the development as well as in the testing and operation of applications.
Initially, the respective teams worked out some standard procedures together. This led to the DevOps approach, which increasingly influenced the entire development process. At that time, the issue of security played a role, but was not yet a priority.
DevOps was not the only change that decisively influenced software development and operations. The increasing migration of applications to the cloud, containerization and the growth of open source also played a decisive role.
These aspects drive digital transformation decisively and enable companies to achieve results faster and remain competitive. However, this has also made some things more complex – and it is becoming increasingly difficult to make digital solutions truly secure.
As developers have to deliver results faster and faster, it is becoming more and more difficult for security teams to keep up. This, in turn, can sometimes significantly delay the development process. And that’s why security should be considered an integral part of DevOps. Thus, DevOps is increasingly transforming into a DevSecOps culture.
Security in the Cloud Era: The challenges of containerization and Open Source
What are the specific security challenges that companies face in the age of cloud, containerization and open source? And how can a DevSecOps approach help here?
Let’s start with the example of containers: While goods have long been transported in containers around the world, software containers are still quite new. In addition to the software, these containers contain a complete file system with everything necessary for the software to run: source code, system libraries, system tools and a runtime environment. This makes the application work independently of the environment.
The use of containers also enables faster application development and automated workflows, allowing development teams to deploy their code very quickly to production environments. This very fast and agile development opens up many new possibilities, for example for startups, but it also carries new risks with regard to vulnerabilities.
Containers usually contain open source components: these components are predominantly Linux-based and are used to run applications written in open source programming languages and frameworks. Linux can be quite vulnerable: about 50 times more vulnerabilities are reported for it than for open source language frameworks.
In addition, developers are usually not operating system maintainers, and they do not want to be. Their goal is to bring software to market securely and quickly. Fortunately, the Linux and container communities usually react quickly to vulnerabilities. With the right tools, developers can quickly fix vulnerabilities in their containers without having to dig into Linux distributions or work through reports on Linux vulnerabilities.
Modern tools, such as those we offer with "Snyk Container" and "Snyk Open Source", can be integrated into a comprehensive DevSecOps approach. In this way, development and IT security teams can make the most of the advantages of containerization and open source while reducing the risk.
Employees, processes, technology: The three success factors of DevSecOps
Technology, employees and processes are the three success factors for DevSecOps. The DevSecOps principles are based on these three pillars and thus enable a comprehensive cooperation of all relevant stakeholders.
1. Strengthen cooperation between teams
A modern security culture must work for and not against the employees – only then can it be successful. If a company wants to adopt a DevSecOps approach, the security teams should first be integrated more comprehensively into everyday business. Closer collaboration between development, security and operations teams enables faster feedback on code, software and applications, including from a security perspective. And this, in turn, reduces the cost of later fixes.
Until now, responsibilities have often been narrowly divided: the developers are responsible for fast delivery of the product, security teams for the security of the application, and operations teams for its stability. DevSecOps breaks down these silos and brings all three teams together with a common goal: the rapid deployment of secure and stable software.
2. New processes for a new DevSecOps culture
A successful DevSecOps culture is also based on smooth processes. This includes breaking down hierarchies and previous work processes that prevent joint responsibility for a project. It is also crucial to find the right balance between automated and manual gating.
Conventional security strategies often set certain milestones for certain security tasks. If a satisfactory solution is not found, the process is halted until one is. In some companies, the operations team then implements similar gates before deploying the software.
This gating model, however, involves lengthy feedback loops and delays software delivery, whereas the key to a DevSecOps approach is to provide faster feedback. Joint responsibility instead of a gating model should therefore be the motto, and processes must be adapted accordingly.
A good start for such cooperation between the relevant teams is threat modeling. It identifies threats and vulnerabilities and introduces appropriate controls to minimize the risk. In general, it is particularly important to integrate examples of good practice from the security and operations teams throughout the development process.
Silos have to be broken up not only within a company; looking beyond the company is also important. Open source is a good example of how difficult such broad cooperation can sometimes be: with open source solutions, developers and users cannot simply sit down together and talk things through.
While many employees are currently having the new experience of working with colleagues only digitally during the coronavirus pandemic, this has long been everyday life in the open source community. This is why, for example, users cannot simply ask an open source developer to fix a vulnerability. For this reason, companies must pay more attention to who developed a piece of code, whether it is secure and whether it has been tested accordingly.
3. The use of the right technology is a crucial basis
Suitable technologies are also needed for the introduction of new processes. When it comes to DevSecOps solutions, many people think first of automating deployment processes. But automation is not always the answer to everything. Companies should first examine their existing technology and automate it where it is necessary and possible – and if a solution is impractical or unnecessary, drop it.
A technology platform should also be especially tailored to developers, such as Snyk’s platform. Platforms that focus on the needs and requirements of developers also integrate security across the entire development process. This gives developers, security and operations teams a comprehensive overview.
Establishing a new DevSecOps culture takes time. In the first step, companies should become aware of the importance of such an approach – and the advantages it offers, such as better security and faster development. If vulnerabilities and errors are discovered as early as possible in the development process, this also saves costs and time. All this brings greater confidence in the security and reliability of the software – and thus also advantages for the company, such as increased sales.
* Daniel Berman is Product Marketing Director at Snyk.