As we mentioned in a previous blog post, security can no longer be considered as a stand-alone responsibility, entrusted to a specific team, even ultra-specialized, at the end of the design process. In fact, security has become a shared responsibility and is integrated end-to-end throughout the entire development cycle. Hence the concept of DevSecOps: designed to integrate application and infrastructure security early in the process and to automate the workflow between the different stakeholders as much as possible. It is clear that the agility that is necessary for the digital transformation of a company requires a closer collaboration between specialists in networks, security, infrastructure, storage and development, far away from the silos that are still all too present at a lot of organizations.
Security first
In a DevSecOps
approach, the security team is responsible for testing the product before it
goes into production. Any flaws that are found, are fed back to the development
team, allowing it to take a closer look and solve the problems. In this
scenario, security specialists are often perceived as ‘troublemakers’ and as a
cost center, as they may delay the deployment of a product. Because security is
an extremely complex matter, security experts tend to be only in contact with
each other. They often are reluctant to communicate outside of their department,
as they feel the inevitable mistrust that is surrounding the security team.
Because after all, their tools are extremely sophisticated and thus
inaccessible to other IT profiles. In other words, it comes as no surprise that
'Sec' often follows behind 'Dev' and comes before 'Ops'.
Sure, the rise of technologies and concepts such as cloud, containers and micro-services, as well as agile development and mixed teams with business and IT profiles, should pave the way towards truly integrated DevSecOps. But the reality is often quite different.
In fact, security checks, guidelines, coding standards and policies need to be fully integrated into the software development process. To achieve this goal, security needs to be considered as an integral part of the process: 'Sec' comes first, then 'Dev’, then 'Ops'. That approach allows the security team – if necessary in collaboration with an architect or senior developer – to define the policies at the very beginning of the project. These policies may include secure coding standards, rules to avoid unsafe encryption and APIs, instructions for the use of static or dynamic analysis, testing guidelines, and so on. The goal is to make sure that developers produce secure code for their everyday tasks and to automate operations as much as possible.
From theory to practice
It seems inevitable that this
type of security – designed from the onset – puts additional constraints on
developers. But the integrated and incremental SecDevOps approach allows for
tracking vulnerabilities more effectively, compared to the traditional security
audit at the end of the development process.
Of course, security is often still seen as an add-on or a simple control process before going live with an application. And yes, sometimes it is difficult to correct errors while the product is still under development. But it is important to see security as a step in the developer's daily workflow. It must be integrated into the software development process.
To successfully complete a SecDevOps approach, three elements have to be combined. First of all, the processes. It is important to formalize the development and deployment processes within a framework of strictly defined responsibilities. Secondly, the tools. They must be shared by all stakeholders and be part of a continuous integration platform. And finally, the people. Development, security and production teams must share common goals. Do not neglect the cultural differences between the IT profiles of the teams and make sure that the general management backs the project and ensures regular monitoring, ideally based on specific metrics.
Aprico helps companies innovate and rethink their business processes by putting security at the center of their strategic thinking. We share best practices, technologies and organizational models that allow organizations to open up to the outside world and share information securely. More information: marketing@aprico-consult.com