DevSecOps – Best Practices
Organizations that have combined development and operations (i.e. implemented DevOps) have been able to deploy applications at a faster rate. With growing concerns about security, they are now looking for ways to integrate security into their development and operations processes. DevSecOps, the integration of DevOps and security, is steadily gaining popularity and is gradually changing the traditional notions of how, when, what, why, and where security controls should be implemented in a development cycle. It also brings a positive shift away from treating security as an after-development activity or ignoring it altogether. We have previously discussed the basics of DevSecOps; you can read that article here. In this article, we discuss 6 best practices for organizations looking to implement DevSecOps in their development environment.
Figure 1: DevSecOps Best Practices
1. Top Management Support
Like most security-related activities, DevSecOps requires a firm commitment from the top management of a business so that appropriate time, resources, and money can be allocated to cultivating security principles in every action your team takes. As a starting point, every individual should be aware of the catastrophic effects of an information security incident or a data breach. Even if an application has been developed under constant pressure to deliver it as early as possible, top management support lets you address the security issues in your application by buying you some extra time.
2. Security Awareness Starts at Day 1
Every member of the development and operations team should be familiar with secure coding principles and common exploit vectors so that the chance of security loopholes in an application’s source code is minimized. As a matter of general practice, give this responsibility to the senior developers in your team to ensure that all junior developers are properly trained. In addition, training should be conducted several times a year, depending on your team’s workload and the complexity of the applications being developed.
3. Clear & Minimal but Effective Security Processes
When it comes to documenting security processes, extra care must be taken to ensure that they are concise and minimal. Organizations often document their security processes so extensively that they end up with contradictory documents for the same process. Unnecessary documents do more harm than good, because they become obstacles to implementing DevSecOps principles. As a minimum requirement, you must have an information security plan, a data incident response plan (DIRP), and any other documents required by your local laws or regulations. Work closely with both your development and security teams to define the minimum security standards for encryption, passwords, authentication, ciphers, etc.
4. Keep it Simple!
When you are planning to expedite the overall development process by integrating development, operations, and security, complexity becomes an enemy: it reduces operational efficiency, predictability, and reliability. For example, there is no point in running five different databases when a single database can do their work effectively.
5. Test Everything
When it comes to the development of applications and software, a business cannot take a leap of faith on security issues. Throughout the development process, as well as after development is completed, you should conduct regular code reviews and penetration testing. (Read Penetration Testing at DevSecOps Speed)
Moreover, at times you can also hire an external service provider to test your applications. Dynamic application security testing (DAST), static application security testing (SAST), and penetration testing are some of the ways to improve security in DevSecOps.
In DevOps or a CI/CD environment, the speed at which code is developed trumps every other aspect. Because new versions of code are pushed rapidly, DevSecOps incorporates security controls at the earliest stages of the development process. Hence, it is only reasonable to automate security testing so that your development process does not slow down.
However, when you automate security testing, give proper thought to what you are actually automating. You can use automated SAST and DAST tools so that your code, as well as the running application, are scanned at regular intervals, for example every night. In the end, automated security tests enable your team to prioritize the issues and dedicate more time to manual testing.
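To make the "automate, then prioritize" step above concrete, here is an added example that is not code from the original article: a small Python gate that a CI job can run after a nightly or per-commit SAST scan. It reads the scanner's JSON report, drops findings that a reviewer has already accepted via an allowlist, ranks the rest by severity and confidence so that the team sees the most urgent issues first, and fails the build only when a blocking finding remains. It assumes a report in a Bandit-like shape (the field names `results`, `test_id`, `issue_severity`, `issue_confidence`, `filename`, `line_number`, `issue_text` are an assumption); the embedded report is constructed, and the script does not invoke any scanner itself.

```python
"""CI gate for automated SAST output (added example, not the article's code).

Assumes a JSON report shaped like Bandit's output (assumption):
  {"results": [{"test_id", "issue_severity", "issue_confidence",
                "filename", "line_number", "issue_text"}, ...]}
A missing or unparseable report raises, so a broken scan fails the build
instead of silently passing it.
"""
import json
import sys
from collections import Counter

# Constructed sample report in the assumed Bandit-like shape.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "filename": "app/run.py", "line_number": 42,
         "issue_text": "subprocess call with shell=True identified"},
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "app/config.py", "line_number": 7,
         "issue_text": "Possible hardcoded password"},
        {"test_id": "B303", "issue_severity": "MEDIUM", "issue_confidence": "HIGH",
         "filename": "app/hash.py", "line_number": 19,
         "issue_text": "Use of insecure MD5 hash function"},
        {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "HIGH",
         "filename": "tests/test_x.py", "line_number": 3,
         "issue_text": "Use of assert detected"},
    ]
})

RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
REQUIRED = ("test_id", "issue_severity", "issue_confidence",
            "filename", "line_number", "issue_text")


def parse_findings(report_json):
    """Parse the report and validate each finding; raise ValueError on bad input."""
    data = json.loads(report_json)  # JSONDecodeError is a ValueError subclass
    if not isinstance(data, dict) or "results" not in data:
        raise ValueError("report has no 'results' list; did the scan run?")
    findings = []
    for raw in data["results"]:
        if any(key not in raw for key in REQUIRED):
            raise ValueError(f"malformed finding: {raw}")
        sev = str(raw["issue_severity"]).upper()
        conf = str(raw["issue_confidence"]).upper()
        if sev not in RANK or conf not in RANK:
            raise ValueError(f"unknown severity/confidence in finding: {raw}")
        findings.append({**raw, "issue_severity": sev, "issue_confidence": conf})
    return findings


def prioritize(findings):
    """Highest severity first, then highest confidence, then a stable path order."""
    return sorted(findings, key=lambda f: (-RANK[f["issue_severity"]],
                                           -RANK[f["issue_confidence"]],
                                           f["filename"], f["line_number"]))


def gate(report_json, fail_on="HIGH", allowlist=frozenset()):
    """Apply the policy and return a dict with the verdict and ranked findings.

    allowlist holds (test_id, filename) pairs a reviewer has explicitly accepted;
    those findings are excluded so they cannot block the build again.
    """
    findings = [f for f in parse_findings(report_json)
                if (f["test_id"], f["filename"]) not in allowlist]
    ordered = prioritize(findings)
    blocking = [f for f in ordered if RANK[f["issue_severity"]] >= RANK[fail_on]]
    return {
        "passed": not blocking,
        "blocking": len(blocking),
        "findings": ordered,
        "summary": dict(Counter(f["issue_severity"] for f in ordered)),
    }


def format_findings(ordered):
    """One line per finding, in priority order, for the CI log."""
    return "\n".join(
        f"{f['issue_severity']:<6} {f['issue_confidence']:<6} "
        f"{f['filename']}:{f['line_number']} {f['test_id']} {f['issue_text']}"
        for f in ordered)


if __name__ == "__main__":
    # Usage: python sast_gate.py [report.json]; falls back to the sample report.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = gate(report, fail_on="HIGH",
                  allowlist={("B101", "tests/test_x.py")})  # reviewed and accepted
    print(format_findings(result["findings"]))
    print("summary:", result["summary"], "blocking:", result["blocking"])
    sys.exit(0 if result["passed"] else 1)
```

The gate deliberately fails closed: an empty or malformed report raises rather than returning a pass, because a scanner that crashed or was skipped is the common way a "green" pipeline hides an unscanned build. Tightening `fail_on` to `"MEDIUM"` once the backlog of HIGH findings is cleared is the usual way to ratchet the policy without slowing delivery.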
Every business is prone to cyber attacks, irrespective of its size or market share. The consequences of a data breach are many: financial losses, reputational damage, regulatory proceedings, fines, and so on. Being in this industry, it is our responsibility to advocate for DevSecOps and ensure that when an application is deployed to the market, it has been tested rigorously and the best possible security controls have been implemented. Although DevSecOps is still a new term and many tools are emerging, there is little or no consensus on its definition. At the same time, it is now evident that even in a CI/CD environment, application security cannot be ignored. Considering the steadily growing popularity of DevSecOps, we are bound to see its global adoption in the next few years.