6 Best Practices for Successful DevSecOps Implementation
September 25, 2019

Sai Nikesh D
Veritis Group

DevSecOps has shown the IT industry an effective way to deal with security issues in DevOps lifecycle.

Unlike the traditional waterfall model that involved security at the end, the DevSecOps model calls for security integration right from the start and along the process chain till the end. This strategic shift in integrating security controls in the Software Development Lifecycle (SDLC) made a big difference to the industry in delivering rapid, yet secure code.

By doing so, DevSecOps addressed the most common concern that many firms had on DevOps journey i.e. faster code releases result in more vulnerabilities.

But successful security integration into DevOps pipelines through DevSecOps requires adoption of certain tools, resources and practices that can unite Dev, Ops and Security teams under the ambit of DevSecOps culture.

Here are 6 best practices for successful DevSecOps implementation:

1. Automation is key to securing CI/CD Pipeline

Speedy delivery is one of the key aspects of Continuous Integration (CI) and Continuous Deployment (CD) environment in DevOps. So, integrating security in this fast-paced environment requires automating security and embedding relevant controls and tests across the development lifecycle.

Automation has a very important role in achieving DevSecOps implementation, as evident in a 2018 survey that showed 4 percent of highly mature DevOps firms using automated security test cycles across the development cycle.

From doing source-code analysis to post-deployment monitoring, there are many tools and resources to help in security analysis and testing.

One needs to take extra care while automating security testing. If you have to do the Static Application Security Testing (SAST) for daily builds, then automated scans on entire source code every day consumes lot of time and keeps you away from daily deadlines.

Also, try to use automated Dynamic Application Security Testing (DAST) that can scan real-time vulnerabilities unlike SAST that checks only with-in-the code issues.

Adding automated security analysis to CI/CD pipelines stops the early entry of vulnerabilities and keeps the code secure through the development lifecycle.

2. Identify possible vulnerabilities and address code dependencies

Considering the possible vulnerabilities associated with open source usage, it's important to understand the open source usage for a successful DevSecOps strategy.

According to global surveys, a large number of companies continue to use open-source software in their apps despite the risks associated with usage of third-party software components. One of the 2017 surveys on around 1000 commercial applications found 96 percent of them having open-source components with more than 6 in 10 applications reporting security vulnerabilities. Despite this situation, only 27 percent of the organizations had automatic identification and solution tracking mechanism to tackle at least known vulnerabilities from open-source software.

Considering the developer time constraints to review code in open-source libraries or study the documentation, there should be dedicated automated processes for managing open-source and third-party software components. These processes help in early identification of possible open-source related vulnerabilities, thus reducing the impact on internal code dependencies. Thus, checking code dependency is crucial to DevSecOps implementation.

Utilities like Open Web Application Security Project (OWASP) can help you in scanning code and dependent open-source component libraries by working against the constantly-updated database of all vulnerabilities.

3. Let developers get accustomed to security checks in the workflow

Developers need to get accustomed to security checks as part of their normal workflow.

SAST tools are special to this case as they allow developers scan the code for any possible security checks while they write and give them instant feedback. This happens as part of developer usual workflow.

However, enabling multiple checks at a time for addressing a whole set of multiple security issues creates confusion among developers. So, it is recommended to turn on one or two security checks at a time and let developers realize the fact that security rules are also part of their process. Being aware of how security mechanism addresses errors in code builds developer confidence.

4. Choosing right tools is very important

Choosing right security tools is very important for the success of your DevSecOps process.

Security tools should be able to get integrated easily into the fast-moving CI/CD cycles and stand in a position to build gaps between development and security teams, rather than creating hurdles. They should ideally initiate scans and allow developers to focus on their core workflow, leaving the security aspect to them. They should be good in speed, and generate accurate and actionable results that shouldn't require a recheck either by developers or security teams, which is key to DevOps workflow.

Security tools should help developers identify and prioritize vulnerabilities while writing the code. Identification of vulnerabilities should be directly on the software itself and not on its signatures. Not just known vulnerabilities. Such tools should also be able to track unknown issues from anywhere such as open-source software components.

6. Implement threat modelling mechanism

It's important to implement threat modelling mechanism in the DevOps lifecycle as it helps developers view software in attacker perspective. Thus, developers will be extra careful in writing code and will be able to generate secure code.

Threat assessment also helps you identify possible vulnerabilities in your architecture and design, which might have been missed out by other security checks.

It also helps you understand the sensitivities of your internal assets and their vulnerability to possible threats.

Noteworthy is that threat modelling can often slow down the pace of your CI/CD pipeline and cannot be automated, but is a critical part of successful security integration.

6. Training on secure coding is critical

Experts believe that developers across many firms don't realize the fact that they are coding the insecure way.

Considering this fact, it's important to make a note of training developers on ways to deliver secure code. This happens to be one of the serious challenges to successful implementation of DevSecOps practices.

This might not have been a priority to developer teams until now, as they focus on coding. But achieving security in DevOps culture demands the requirement of making developers aware of security-related facts.

Firms need to take necessary measures and making needed investment on this area of training on secure coding for a succesful DevSecOps implementation.

Implementation of these six practices form key to the success of DevSecOps implementation and security challenge in a DevOps culture.

Sai Nikesh D is a Senior Strategy Content Writer at the Veritis Group
Share this

Industry News

November 21, 2019

PASS, the global community of data professionals, has become one of the first major users of a new solution from Redgate that automatically discovers and classifies sensitive data in SQL Server.

November 21, 2019

OutSystems has embedded AI and machine learning in its software to make building applications even easier and faster for everyone.

November 21, 2019

Fugue announced Fugue Developer, a free tier that puts engineers in command of cloud security through the entire software development lifecycle (SDLC).

November 20, 2019

JFrog announced the launch of JFrog Container Registry - powered by JFrog Artifactory - as an advanced Docker container registry.

November 20, 2019

CloudBees introduced a graphical user interface (GUI) for Jenkins X.

November 20, 2019

Portworx announced an update to Portworx Enterprise, its container-native storage platform, to enable companies to run, scale, backup, and recover mission-critical applications on Kubernetes: PX-Backup and PX-Autopilot for Capacity Management.

November 19, 2019

Parasoft announced complete support for the newly updated 2019 Common Weakness Enumeration (CWE) Top 25 and "On the Cusp" (an additional 15 weaknesses) for C, C++, Java, and .NET languages.

November 19, 2019

Red Hat announced the release of Red Hat CodeReady Workspaces 2, a cloud-native development workflow for developers.

November 19, 2019

Postman has introduced Postman Visualizer, a two-fold feature that offers benefits for both API consumers and API developers.

November 18, 2019

Hewlett Packard Enterprise (HPE) announced the HPE Container Platform, an enterprise-grade Kubernetes-based container platform designed for both cloud-native applications and monolithic applications with persistent storage.

November 18, 2019

Lacework announced its integration with Datadog, a monitoring and analytics platform.

November 18, 2019

Codefresh is introducing a live CI/CD debugging tool.

November 14, 2019

Raytheon Company is collaborating with Red Hat to develop a new, security-focused software development solution, known as DevSecOps, for enterprise environments.

November 14, 2019

Fugue has open sourced the Fugue Rego Toolkit (Fregot) to enhance the experience working with the Rego policy language.

November 14, 2019

Sysdig announced Sysdig Secure 3.0 to provide enterprises with threat prevention at runtime using Kubernetes-native Pod Security Policies (PSP).