The way to DevSecOps

Combining security and DevOps – how it works in practice

Security must be closely integrated into DevOps processes and taken into account from the very beginning of development. But how does one bring about this change, which concerns technology less than it concerns organization and corporate culture? Consulting firms and market researchers offer recommendations for developing a process model.

DevSecOps is about changes in corporate culture, not only about new methods and tools.

(© Igor – stock.adobe.com)

Corporate culture is the focus

Anyone who views DevSecOps too technically can miss its goal. Tools and techniques are needed, but they are not what makes the significant difference compared with classic process models in software development.

From consultants you will often hear a sentence about DevSecOps that shows how much it is about organization and corporate culture: if errors are shared rather than hidden, this can inspire learning across the organization and lead to improvements in the future.

DevSecOps is about changing corporate culture, not only about adopting new methods and tools, in order to improve transparency, collaboration and agility while taking security into account in every phase of development.

Learning from DevOps for DevSecOps

Anyone who has already adopted DevOps can use that experience to extend DevOps into DevSecOps, as recommendations from the market researchers at Gartner show:

  • First, there must be a business decision on why DevSecOps is to be introduced. Rising cyber risks and the potentially high damage from successful attacks are arguments, as are compliance requirements for security by design.
  • Then it is important to develop a common understanding of DevSecOps, so that everyone in the company knows what it means and what it is meant to deliver.
  • Start with the development of a single application; do not try to apply DevSecOps across the whole organization at once.
  • For this first application there must be a cross-functional team from development, operations and security, with clear objectives that are measurable.
  • Only then do the procedures and tools (the toolchain) come into play. Implementation includes an integrated toolchain that supports a structured approach to evaluating and selecting tools, so that every tool in the application life cycle can be coupled with the neighbouring tool. By linking all automation touchpoints and information flows, the toolchain accelerates the development of releases while reducing errors, rework and downtime.

What about automating security?

The DevSecOps building blocks “communication” and “collaboration” seem to run contrary to the third building block, “automation”: people can exchange information as a continuous process, but automation happens only at the tool level, not between people.

In fact, automation means that people delegate tasks to technology. In the case of security, security measures should be delegated and automated in the same way. This saves time and effort for the tasks that do require human expertise. Particularly in software testing, many tools are available that offer automatic functions. The point is to integrate them into the development process.

eBook “DevOps and Security”

The number of companies using DevOps processes continues to grow. At the same time, studies by security vendors show that DevOps poses a security challenge. (PDF | published 17.04.2020)

Moving security to the right place

Looking at the development process makes clear where security must begin and what can be automated. The usual continuous development process is:

  • Creation of new modules, features and updates
  • Monitoring and checking the code for compliance with security requirements
  • Committing the updated and tested code to the central repository

Security must be taken into account from the very beginning of this process, not at its end. Security standards must be part of the development standards. Security is therefore a requirement of development, like all other quality criteria.

Deviations from the requirements, including security requirements, need to be fed back continuously and directly to the developers. This also includes the error messages generated by automated security tests, which should go not only to security but to everyone involved in the team. Resolving them is the work of the whole team: security together with development and operations.

There is therefore a need to integrate automated security testing into the development process in order to fix security risks at the source. Code reviews must also take place continuously, not only when a completed module is submitted.
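As an added illustration (not code from the article or its eBook), the following Python sketch models the feedback loop described above as a pipeline security gate: constructed scan findings are checked against a security requirement expressed as a policy, and the resulting feedback is addressed to the whole cross-functional team rather than to security alone. The finding format, field names and sample findings are assumptions.

```python
import json

# Constructed sample output of an automated security test run in the pipeline
# (not the format of any real scanner): one commit, three findings.
SAMPLE_SCAN = json.dumps({
    "commit": "example-commit-1",
    "findings": [
        {"id": "F1", "source": "sast", "severity": "high",
         "location": "app/auth.py:42", "rule": "hardcoded-credential"},
        {"id": "F2", "source": "dependency-scan", "severity": "critical",
         "location": "requirements.txt", "rule": "known-vulnerable-package"},
        {"id": "F3", "source": "sast", "severity": "low",
         "location": "app/util.py:7", "rule": "insecure-temp-file"},
    ],
})

# Security requirement expressed as a gate policy: findings at or above
# "block_at" fail the build; known open-source vulnerabilities always do.
POLICY = {"block_at": "high", "block_known_vulns": True}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_gate(scan_json, policy):
    """Split findings into blocking and advisory according to the policy."""
    scan = json.loads(scan_json)
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking, advisory = [], []
    for finding in scan["findings"]:
        known_vuln = finding["source"] == "dependency-scan"
        severe = SEVERITY_RANK[finding["severity"]] >= threshold
        if severe or (known_vuln and policy["block_known_vulns"]):
            blocking.append(finding)
        else:
            advisory.append(finding)
    return {"commit": scan["commit"], "passed": not blocking,
            "blocking": blocking, "advisory": advisory}


def feedback(result, team):
    """Build the feedback record sent to the whole cross-functional team."""
    items = [f"{f['id']} {f['severity']} {f['rule']} at {f['location']}"
             for f in result["blocking"]]
    return {"commit": result["commit"], "recipients": sorted(team),
            "status": "passed" if result["passed"] else "blocked",
            "items": items}


if __name__ == "__main__":
    res = evaluate_gate(SAMPLE_SCAN, POLICY)
    print(json.dumps(feedback(res, ["dev", "ops", "security"]), indent=2))
```

The advisory findings still reach the team as a record, but only the blocking ones stop the commit from being promoted; a real pipeline would map the scanner's own output format onto the same gate.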

Practice also shows that it can make sense to reward the discovery of errors within the team, in other words to set up an internal bug bounty program. Detected errors should be rewarded, not, for example, punished. The corporate culture must be fault tolerant so that agility can spread.

This article originally appeared in our eBook “DevOps and Security”, which also covers current developments such as the differences between DevSecOps, SecDevOps and DevOpsSec.

Further reading on the topic

Tips from Gartner for the success of DevSecOps

Source: “12 Things to Get Right for Successful DevSecOps”, Gartner

Adapt your security testing tools and processes to the developers, not vice versa.

Stop trying to eliminate all security vulnerabilities during the development process.

Focus on detecting and removing known open source vulnerabilities.

Train all developers in the basics of secure coding, but do not expect them to be security experts.

Implement a simple tool to collect security requirements.

Implement strong version control for all code and components.


About the author

Dipl.-Phys. Oliver Schonschek

IT professional journalist, News Analyst and Commentator for Insider Research
