Set DevSecOps in Motion with Minimal Commotion
DevOps professionals continue to believe they can’t do their jobs properly because security slows down operations. Security pros, meanwhile, have largely failed to integrate security measures into DevOps initiative, resulting in unproductive friction.
I share the view that bridges the two sides by having information security professionals become actively involved in DevOps initiatives while remaining true to the spirit of DevOps, or as the it’s called, DevSecOps. Information security pros need to buy into DevOps’ philosophy of teamwork, coordination, agility and shared responsibility. Not doing so will only further widen the current divide between DevOps and security.
DevSecOps should be a shared company objective where security checks and controls are applied automatically and transparently throughout the development and delivery of IT-enabled services in rapid-development DevOps environments.
Simply layering on standard security tools and processes won't work. Secure service delivery starts in development, and the most effective DevSecOps programs will start at the earliest points in the development process and follow the workload throughout its lifecycle.
Four DevSecOps Practices You Need to Set in Motion
To get 2017 off to a secure and harmonious start, here are four practices that should be your first steps toward making DevSecOps a natural component of development and operations. Taking these steps -- essentially the automation of security controls -- will manage risk while not impeding DevOps agility.
1. “Shift left” security
DevOps talk a lot about “shifting left”, meaning that much of the responsibility for the final deliverable is now in the hands of developers. This applies to security as well, and developers should be educated about, tasked with, and motivated to adopt secure coding practices and take ownership of applying security best practices. This eliminates the conflict that might emerge later in the delivery process, when security policies aren’t met and it’s too late to do anything but block the delivery.
2. OSS software module identification, configuration and vulnerability scanning
Developers (knowingly or unknowingly) download vulnerable OSS components and frameworks for use in their applications. Proper DevOps security means scanning all applications, system images, virtual machines and containers in development for unknown, embedded or vulnerable OSS components in the operating system, application platform and in the application itself.
3. Custom code scanning
Train developers to adopt a lightweight "spell checker" type scanning tool for quick checks of security within their integrated development environment as they create code. Automated scanning and security test software should be part of the continuous integration test toolchain. Don’t force developers to leave their native environment and toolchains.
4. Automating security controls
Information security architects need to automatically incorporate security controls without manual configuration in a way that is as transparent as possible to DevOps teams and doesn't impede agility. In the meantime, they also have to fulfill legal and regulatory compliance requirements and manage risk. This can happen by requiring security and management vendors, to fully API-enable their platform services and expose 100% of functionality via APIs. Vendors should also provide support for DevOps toolchain environments such as Chef, Puppet and other automation tools.
Sticking to the original DevOps philosophy, is imperative for the success of DevSecOps. Effective DevSecOps promotes teamwork, transparency and improvement through continual learning.