The way to DevSecOps

Combining security and DevOps: how it works in practice

Security must be closely integrated with DevOps processes and taken into account right at the beginning of development. But how do you bring about a change that affects not so much technology as the organization and corporate culture? Consulting firms and market researchers offer recommendations that can be developed into a process model.

DevSecOps is about changing the culture of the company, not just about new processes and tools.

(© Igor – stock.adobe.com)

The focus is on the corporate culture

Anyone who views DevSecOps as a purely technical matter will not reach the goal. Tools and technical procedures are needed, but they are not what sets DevSecOps apart from classic process models in software development.

Consultants often hear a sentence about DevSecOps that shows how much it is a matter of organization and corporate culture: when mistakes are shared rather than hidden, this can inspire learning throughout the company and lead to future improvements.

DevSecOps is about changing the culture of the company, not just about new procedures and tools. The aim is to optimize transparency, collaboration and agility while security enters every stage of development.

Learn from DevOps for DevSecOps

Those who have already introduced DevOps can use this experience to expand DevOps into DevSecOps, as the recommendations of the market researchers at Gartner show:

  • First, there needs to be a business decision on why DevSecOps is to be introduced. The increasing cyber risks and the potentially high damage from successful attacks provide arguments, as do the compliance requirements for security by design.
  • Then a common understanding of DevSecOps needs to be developed so that everyone in the company knows what it means and what it is meant to deliver.
  • Always start with the development of a single application rather than trying to apply DevSecOps across the board.
  • For this first application, an overarching team of development, operations and security must be formed, with clear goals that should be measurable.
  • Only then do the procedures and tools (the toolchain) come into play. The implementation includes an integrated toolchain, with an approach for evaluating and selecting tools so that each tool in the application lifecycle can be paired with the adjacent tool. By linking all automation touchpoints and information flows, the toolchain accelerates the development of releases while reducing errors, rework and failures.

What the automation of security is all about

The DevSecOps building blocks “communication” and “cooperation” seem to run counter to the third building block, “automation”: the exchange of ideas between people can be seen as a continuous process, but continuity in the strict sense is only achievable at the tool level, not between humans.

In fact, automation also means that we delegate tasks to technology. In the case of security, security measures should therefore be delegated and automated. This frees up time and effort for tasks that require human expertise. Especially in the area of software testing, many tools with automated functions are available. These have to be integrated into the development process.

eBook “DevOps and Security”

DevOps and Security: The number of companies using DevOps processes continues to rise sharply. At the same time, studies by security providers show that there is a security challenge in DevOps. (PDF / ET 17.04.2020)

How to move security to the right place

If you take a closer look at the development process, it becomes clear where security needs to start and where something can be automated. The usual, continuous process in development should be:

  • Creation of new modules, functions and updates
  • Checking the code and its compliance with security requirements
  • Committing the updated and tested code to the central repository

However, security must be taken into account right at the beginning. Security standards must therefore become part of the development standards, making security a requirement for development like every other quality criterion.

Deviations from the requirements, and thus from security, must go through a feedback loop directly and continuously to the developers. This also includes the error messages generated by automated security tests, which should not only go to security but to all participants in the team. Everyone in the dedicated team then works on the solution: security together with development and operations.

So it is about integrating automated security checks into the development process in order to resolve security risks right at the source. Code reviews must also be carried out continuously and not only when a fully developed module is submitted.
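One way the feedback loop described above can look in a pipeline, as an added illustration that is not part of the original article: a small gate that treats security findings like any other requirement deviation and fans the result out to the whole team. The findings, tool names, rule ids and team members are all constructed for the example.

```python
"""Security findings as a quality gate with a team-wide feedback loop.

Constructed example of a check a CI job could run after an automated
security test (SAST or dependency scan). Findings above the team's
agreed severity threshold fail the build, and the same message goes to
every member of the dev/ops/sec team, not only to security.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which automated test produced the finding
    rule: str       # rule or advisory identifier reported by the tool
    severity: str   # one of SEVERITY_RANK's keys
    location: str   # file:line or package@version


# Constructed scanner output; real tools emit JSON/SARIF that would be parsed here.
SAMPLE_FINDINGS = [
    Finding("sast", "hardcoded-secret", "high", "app/config.py:12"),
    Finding("deps", "ADVISORY-PLACEHOLDER-1", "critical", "somelib@1.0.0"),
    Finding("sast", "weak-hash", "low", "app/legacy.py:88"),
]


def gate(findings, max_allowed="medium"):
    """Return (passed, blocking): blocking findings exceed the agreed threshold."""
    limit = SEVERITY_RANK[max_allowed]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] > limit]
    return len(blocking) == 0, blocking


def team_feedback(findings, team, max_allowed="medium"):
    """Build the gate result as one identical message per team member.

    Known dependency (open source) vulnerabilities are listed first within a
    severity level, matching the advice to tackle those before anything else.
    """
    passed, blocking = gate(findings, max_allowed)
    order = lambda f: (-SEVERITY_RANK[f.severity], 0 if f.tool == "deps" else 1)
    lines = [f"security gate: {'PASS' if passed else 'FAIL'} ({len(blocking)} blocking)"]
    for f in sorted(blocking, key=order):
        lines.append(f"  [{f.severity}] {f.tool}/{f.rule} at {f.location}")
    return {member: "\n".join(lines) for member in team}
```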

Practice also shows that it can make sense to offer rewards for the detection of errors, that is, to establish an internal bug bounty program within the team. Discovered errors should be rewarded, not punished. The corporate culture must be fault-tolerant for agility to spread.

This article was originally published in our eBook “DevOps and Security”, which also sheds light on current developments and on the differences between DevSecOps, SecDevOps and DevOpsSec.

Additional information on the topic

Tips from Gartner for the success of DevSecOps

Source: “12 Things to Get Right for Successful DevSecOps”, Gartner

  • Adapt your security testing tools and processes to the developers, not the other way around.
  • Stop trying to eliminate all security vulnerabilities during development.
  • First, focus on detecting and removing known open source vulnerabilities.
  • Train all developers in the basics of secure coding, but don’t expect them to become security experts.
  • Implement a simple tool to collect security requirements.
  • Implement strong version control for all code and components.


(ID:47006309)

About the author

Dipl.- Phys. Oliver Schonschek

IT journalist, news analyst and commentator at Insider Research
