What You Need to Know About DevSecOps

August 2, 2018


Traditional security processes are often perceived as roadblocks to producing high-quality software faster. Information security, however, is vitally important, especially in highly regulated industries, and even more so in an era where the threat landscape is mounting every day.

Organizations in 2018 no longer have a choice. They must safeguard their software assets and releases while continuing to try and achieve the accelerated levels of quality and speed of delivery their customers demand.

Enter DevSecOps – the practice of shifting security left in the software delivery pipeline, minimizing vulnerabilities, and bringing security closer to IT and business objectives.

Are you new to the DevSecOps approach? Here are some of the essential terms, tools, and practices you need to know.

DevSecOps – An approach to increasing software security in which security practices that have traditionally occurred only at or near the end of the software delivery lifecycle are integrated into every part of the pipeline, from code commit to deployment monitoring.

Application security testing – Measures taken throughout the pipeline to prevent threats to an application without disrupting how code is written, built, tested, or deployed. These measures include static code reviews, dynamic code analysis, automated scanning, patching, and vulnerability analysis.

Chain of custody – The hierarchy of roles and permissions in the software lifecycle that ensures control over and visibility into every software component of the delivery pipeline.

Code analysis tools – Tools that run automated scans of source code to verify compliance with rules predefined by the organization and with industry best practices. These tools help enforce sound code structure and conformance to organizational standards.

Dynamic application security testing – Tools to detect conditions indicative of a security vulnerability within an application in its running state.


Identity and access management – Tools to control individual identities – their authentication, authorization, roles, and privileges – within or across system and enterprise boundaries.

Log management – The automated logging of all events that occur within the software delivery lifecycle and in the Production environment. The logs collate and process potential security events to identify, alert, and escalate those that need to be reviewed.
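As an added illustration of the log-management step described above (not code from the original post or from XebiaLabs), the script below collates constructed pipeline and production log lines into security events and escalates the ones that warrant review. The line format, event names, field names and the three-failures-in-five-minutes threshold are all assumptions chosen for the example.

```python
"""Collate pipeline and production log lines into security events and escalate
the ones that need review. Added illustration; the log format, event names and
thresholds below are assumptions, not any product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp source event key=value ..." format.
SAMPLE_LOGS = """\
2018-08-02T10:00:01Z ci pipeline.run id=412 actor=alice result=success
2018-08-02T10:00:05Z prod auth.failure user=admin src=203.0.113.9
2018-08-02T10:00:07Z prod auth.failure user=admin src=203.0.113.9
2018-08-02T10:00:09Z prod auth.failure user=admin src=203.0.113.9
2018-08-02T10:00:30Z ci deploy.start id=413 actor=bob approved=false
2018-08-02T10:01:00Z prod auth.success user=carol src=198.51.100.4
2018-08-02T10:02:00Z ci secret.access key=db-password actor=ci-runner
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
           "source": m["source"], "event": m["event"]}
    for kv in m["rest"].split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


# Assumed escalation policy: repeated auth failures, unapproved deploys, secret reads.
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def collate(lines):
    """Return a list of (severity, message) alerts derived from the log text."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent auth failures
    for raw in lines.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["event"] == "auth.failure":
            key = (rec.get("user"), rec.get("src"))
            failures[key].append(rec["ts"])
            # keep only failures inside the sliding window
            failures[key] = [t for t in failures[key]
                             if rec["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(failures[key]) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("high", f"{FAILED_LOGIN_THRESHOLD} failed logins for "
                                       f"{key[0]} from {key[1]}"))
        elif rec["event"] == "deploy.start" and rec.get("approved") == "false":
            alerts.append(("high", f"unapproved deployment {rec.get('id')} "
                                   f"by {rec.get('actor')}"))
        elif rec["event"] == "secret.access":
            alerts.append(("medium", f"secret {rec.get('key')} read by {rec.get('actor')}"))
    return alerts


def needs_review(alerts):
    """Escalate only the high-severity alerts to a human reviewer."""
    return [msg for sev, msg in alerts if sev == "high"]


if __name__ == "__main__":
    for sev, msg in collate(SAMPLE_LOGS):
        print(f"[{sev}] {msg}")
```

The sliding window is the part worth copying: a single failed login is noise, three against the same account from the same source inside the window is a pattern, and the threshold fires exactly once rather than on every subsequent failure.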

Runtime application security – Software built into the application runtime environment to detect and prevent real-time attacks. These applications bridge the gap between application security testing and network perimeter controls.

Security as code – A tenet of DevOps in which security practices are codified, automated, and enforced as part of the delivery pipeline. This approach allows security practices, such as policies and tests, to be stored in code repositories and applied throughout the pipeline.

Software configuration management (SCM) – Tools for tracking and controlling changes in the software lifecycle, including configuration identification, build management, identification of items and baselines, and reporting changes for remediation. SCM tools are extremely useful for identifying unauthorized changes that can lead to unauthorized or nefarious actions.

Static application security testing (SAST) – A set of technologies that analyze source code and binaries for coding that is indicative of security vulnerabilities.
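As an added example of what the code analysis and SAST entries above describe (not code from the original post or from any commercial scanner), here is a miniature static analyzer: it parses Python source into a syntax tree and reports constructs indicative of vulnerabilities. The three rules, the sample source and the output format are assumptions chosen for the illustration; a real SAST tool carries hundreds of rules and tracks data flow, which this does not.

```python
"""A miniature static analyzer in the SAST style: walk the syntax tree of Python
source and report constructs that are indicative of vulnerabilities. Added
illustration; the rule set is an assumption, not any commercial tool's."""
import ast
import re

# Constructed sample source with three findings and one clean call.
SAMPLE_SOURCE = '''
import subprocess, hashlib

DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.run(cmd, shell=True)

def calc(expr):
    return eval(expr)

def digest(data):
    return hashlib.sha256(data).hexdigest()
'''

SECRET_NAME = re.compile(r"(password|secret|token|api_key)", re.IGNORECASE)


def _call_name(node):
    """Dotted name of a call target, e.g. 'subprocess.run' or 'eval'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def scan_source(src, filename="<input>"):
    """Return a list of (filename, line, rule, message) findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in ("eval", "exec"):
                findings.append((filename, node.lineno, "dynamic-eval",
                                 f"{name}() on runtime data allows code injection"))
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append((filename, node.lineno, "shell-true",
                                         f"{name}(..., shell=True) risks command injection"))
        elif isinstance(node, ast.Assign):
            # A string literal assigned to a secret-looking name is a hardcoded secret.
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append((filename, node.lineno, "hardcoded-secret",
                                     f"{target.id} is assigned a string literal"))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for fn, line, rule, msg in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"{fn}:{line}: [{rule}] {msg}")
```

Because it works on the syntax tree rather than on text, the `shell=True` rule only fires on an actual keyword argument to a `subprocess` call, not on a comment or a string that happens to contain those characters; that is the difference between a SAST rule and a grep.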

Test automation – The embedding of security testing and controls throughout the delivery pipeline to create standard and repeatable processes for ensuring security standards.

Threat modeling – A practice of identifying, communicating, and understanding threats and mitigations within the context of protecting something of value. As part of software development, a threat model illustrates the components that make an application work, identifies potential risks, and determines courses of action. Threat modeling is often described as “Security by Design.”

Transport layer security – A protocol that provides privacy and data integrity between two communicating apps.

Unit security testing – Security vulnerability scans integrated into the development and testing phases of the software development lifecycle (SDLC). Good practices embed these scans into the SDLC process, so they cannot be circumvented.
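The security-as-code and unit security testing entries above describe the same mechanism from two angles: policy written as code, stored in the repository, and executed as a test stage so it cannot be skipped. The following is an added example of that idea (not code from the original post or from XebiaLabs): a small set of deployment-policy rules run as a gate against two constructed manifests. The manifest schema, the rules and the field names are assumptions chosen for the illustration.

```python
"""Security as code: the organisation's deployment policy written as executable
rules that live in the repository and run as a test stage in the pipeline, so a
release cannot reach the deploy stage without passing them. Added illustration;
the manifest shape and the rules are assumptions, not any product's policy."""

# Constructed deployment manifests in a simplified, assumed schema.
NONCOMPLIANT = {
    "service": "payments-api",
    "image": "registry.example/payments:latest",
    "run_as_root": True,
    "tls": {"enabled": False},
    "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
    "ports": [8080, 22],
}

COMPLIANT = {
    "service": "payments-api",
    "image": "registry.example/payments@sha256:" + "0" * 64,  # constructed digest
    "run_as_root": False,
    "tls": {"enabled": True, "min_version": "1.2"},
    "env": {"DB_PASSWORD_REF": "vault:kv/payments/db", "LOG_LEVEL": "info"},
    "ports": [8443],
}

SECRET_KEYS = ("PASSWORD", "SECRET", "TOKEN", "KEY")


# Each rule takes a manifest and returns a violation message, or None if it passes.
def rule_non_root(m):
    return "container runs as root" if m.get("run_as_root") else None


def rule_tls(m):
    tls = m.get("tls", {})
    if not tls.get("enabled"):
        return "TLS is not enabled"
    if tls.get("min_version", "1.0") < "1.2":
        return "TLS minimum version below 1.2"
    return None


def rule_pinned_image(m):
    image = m.get("image", "")
    return None if "@sha256:" in image else f"image {image!r} is not pinned to a digest"


def rule_no_plaintext_secrets(m):
    # Secret-looking env keys must be references (assumed *_REF convention), not values.
    bad = [k for k in m.get("env", {})
           if any(s in k.upper() for s in SECRET_KEYS) and not k.endswith("_REF")]
    return f"plaintext secrets in env: {bad}" if bad else None


def rule_no_ssh_port(m):
    return "port 22 exposed" if 22 in m.get("ports", []) else None


POLICY = [rule_non_root, rule_tls, rule_pinned_image,
          rule_no_plaintext_secrets, rule_no_ssh_port]


def evaluate(manifest):
    """Return the list of violations; an empty list means the gate passes."""
    return [v for rule in POLICY if (v := rule(manifest))]


def gate(manifest):
    """Pipeline entry point: True if the release may proceed to deploy."""
    return not evaluate(manifest)


if __name__ == "__main__":
    for name, m in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(name, "->", "PASS" if gate(m) else evaluate(m))
```

The point of keeping `POLICY` as a list of plain functions in the repository is that a rule change is a reviewed commit like any other, and the pipeline's test stage runs `gate()` on every release, which is what makes the check hard to circumvent.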

Web application firewalls – A firewall for HTTP applications.

How XebiaLabs helps

Bringing Security and Risk Management teams to the software delivery table can be challenging and can hinder speed. But ignoring the security side of software releases and deployments often leads to poor results and poor business alignment, causing organizations to lose everything from customer trust to intellectual property.

An Application Release Automation solution can enable enterprise IT teams to “left-shift” security and risk mitigation processes, so they start earlier in the pipeline, where it’s cheaper and easier to identify and fix vulnerabilities without compromising delivery speed and software quality.

For more information on tooling, the recently released version 3 of The Periodic Table of DevOps Tools, our free, industry-recognized DevOps landscape tool, contains 10 tools dedicated to software security. Check out the Periodic Table to learn more about the various tools available for identifying and remedying software security vulnerabilities, including tools by Snort, CyberArk, TripWire, and more.

Rob Stroud

About the Author

We are deeply saddened by the tragic loss of our good friend and colleague, @RobertEStroud. Our thoughts and condolences are with his wife, Connie, and his entire family. Rob—you were not only an inspiration for our industry, you made us laugh and smile each day.