Steps You Should Be Automating in the SDLC - Part 4
November 08, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on what steps in the SDLC should be automated. Part 4 is all about security.

Start with Steps You Should Be Automating in the SDLC - Part 1

Start with Steps You Should Be Automating in the SDLC - Part 2

Start with Steps You Should Be Automating in the SDLC - Part 3

SECURITY

It's absolutely critical that security is automated across development processes. Developers tend to believe that security slows down development, but it's entirely possible for developers to run fast and securely. Manually monitoring and managing secrets — like account credentials, SSH and API keys, and passwords — is near impossible and highly prone to human error. Automating secrets management processes should be built into development processes early on. Only then will organizations be able to securely manage secrets used across human and non-human identities and still achieve superior DevOps agility and velocity.
Brian Kelly
Head of Conjur Engineering, CyberArk

Security is often an afterthought of the development process, and the "bolt-on" approach to security rarely works. Instead, security should be embedded into the development process to make it easier to automate in production. Service mesh tools make this easier by decoupling applications from their dependencies while automating certificate distribution and access enforcement between services.
Mitchell Hashimoto
Co-Founder and CTO, HashiCorp

SECURITY TESTING

In today's DevOps-centric organizations, we should automatically test every code change with Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA). 77 percent of apps have at least one vulnerability on initial scan. Automated security testing allows development teams to find and fix flaws early in the software development lifecycle, which saves significant time for both developers and security personnel. These tools ensure that the applications being built are secured at the speed of DevOps.
Mark Curphey
VP of Strategy, CA Veracode

Automating security testing in the software development lifecycle is critical for success, especially for web applications and REST APIs, which are frequently targeted by cyber-criminals. Internet-facing web applications, in particular, are a frequent source of data breaches according to studies because they are publicly accessible with a large attack surface. Manual security testing is effective, but costly, time-consuming, and doesn't scale. Web applications can be complex and expansive. Automating security scanning in DevOps and CI/CD processes saves both labor and time costs while helping to ensure that your applications are protected from outside attacks.
Dave Ferguson
Director of Product Management for Web Application Scanning, Qualys

Development teams already know that they should be automating everything about their coding, testing, delivery, and deployment pipeline. They also know that they need to automate security testing, but have struggled with traditional tools like dynamic scanners and static analysis, which require experts to use and slow down pipelines dramatically. Development can't wait for security, coders need to know immediately if a new custom code vulnerability has been introduced or if they're using a library with a known vulnerability. Developers should adopt a relatively new approach called "Interactive Application Security Testing" or IAST that was built for the ground up for DevOps and automated software pipelines. Instead of running a scan, IAST relies on software instrumentation to verify code security from inside the application itself.
Jeff Williams
Co-Founder and CTO, Contrast Security

VULNERABILITY SCANNING

The one thing enterprises must automate is vulnerability scanning because each year the number of cyberattacks increases 3-fold, and the cost for an individual incident can go into the millions of dollars. Companies that report breaches have also been shown to underperform the market as well, and at the same time, enterprises are pushing hard to accelerate software development to increase their service offerings and differentiate from the competition, which on the surface seems at odds with creating more secure software. Given that 90 to 95% of breaches happen through the exploitation of known vulnerabilities, developing a process to "shift security left" and automate scanning with DevSecOps methodologies can help ensure that only code that is free of these vulnerabilities goes into production. At the same time, automating this process helps developers work faster because they can get near-immediate feedback without waiting for other individuals to get involved. If you automate vulnerability scanning, you can get to a world with fewer breaches and faster development at the same time - and that sounds a lot like nirvana.
Apurva Davé
CMO, Sysdig

SECURITY AND COMPLIANCE

Infrastructure security and compliance have traditionally been a function at odds with speed and agility — and are often overlooked when it comes to automation. By automating infrastructure security and compliance upfront with policy-as-code validation, DevOps teams can eliminate time-consuming manual approval processes and ensure that infrastructure is safe and complies with internal and regulatory policies.
Josh Stella
CEO, Fugue

Security and compliance automation is the most important part of the software development life cycle. The ability to assess software code and determine the vulnerability by providing a security rating is critical in preventing catastrophic attacks. Automated workflows that provide actionable intelligence and remediate threats is of vital importance to any DevOps model. Regulations can be enforced and validated with automated staging environments that can test the software during each phase of development.
Dos Dosanjh
Director, Technical Marketing, Quali

PATCHES

The problem of "long tail" security vulnerabilities continues to be a serious problem. The root cause being that when a component or library is stored as a "golden image" in a binary repository, that decision isn't reassessed as new patches become available. When approving a new component or version, implementing an automated monitoring model to identify when patches become available and the age of the component helps to re-risk long tail security vulnerabilities.
Tim Mackey
Technology Evangelist, Synopsys

SECURITY REPORTING

The age of PDF security reports is over. Developers should automate the process of getting security vulnerabilities to the people that need them, through the tools they already use. So instead of reading a 500 page PDF file, the developer gets an alert through Slack, JIRA, their IDE, Jenkins, etc.
Jeff Williams
Co-Founder and CTO, Contrast Security

Read Steps You Should Be Automating in the SDLC - Part 5, the final installment, covering deployment and production.

Share this

Industry News

December 10, 2019

Redgate Software launched its fourth annual State of Database DevOps Survey.

December 10, 2019

Compuware has signed a definitive agreement to acquire the assets of INNOVATION Data Processing, a provider of enterprise data protection, business continuance and storage resource management solutions serving the mainframe market.

December 10, 2019

Dynatrace announced its Autonomous Cloud Enablement (ACE) Practice to accelerate DevOps’ movement to autonomous cloud operations.

December 09, 2019

NS1, announced the expansion of its suite of integrations to include Kubernetes, Consul, Avi Networks (VMWare NSX), NGINX, and HAProxy.

December 09, 2019

CloudBees announced an extension of its partnership with Google. As a Google Cloud Run launch partner, CloudBees will offer developers more flexibility in their deployment of containerized applications.

December 09, 2019

EPAM Systems has expanded its crowdtesting software solutions to enable user story testing.

December 05, 2019

Parasoft announced the newest release of Parasoft C/C++test, the unified C and C++ development testing solution for enterprise and embedded applications.

December 05, 2019

Datadog announced Security Monitoring, a new product that enables real-time threat detection across the entire stack and deeper collaboration between security, developers, and operations teams.

December 05, 2019

Pulumi announced the availability of Pulumi Crosswalk for Kubernetes, an open source collection of frameworks, tools and user guides that help developers and operators work better together delivering production workloads using Kubernetes.

December 04, 2019

CloudBees announced a Preview Program for CloudBees CI/CD powered by Jenkins X, a Software as a Service (SaaS) continuous integration and continuous delivery solution running on Google Cloud Platform.

December 04, 2019

Rancher Labs announced the general availability of K3s, their lightweight, certified Kubernetes distribution purpose built for small footprint workloads, along with the beta release of Rio, their new application deployment engine for Kubernetes that delivers a fully integrated deployment experience from operations to pipeline.

December 04, 2019

WhiteSource announced a new integration with Codefresh, the Kubernetes-native CI/CD solution.

December 03, 2019

Styra is addressing one of the most significant enterprise blockers of Kubernetes: compliance. With Styra, enterprises can move Kubernetes clusters into production en masse while complying with traditional governance, audit, and compliance rules and regulations.

December 03, 2019

Nureva added 13 agile-themed templates to Span Workspace, Nureva’s expansive cloud-based digital canvas for visual planning and team collaboration.

December 03, 2019

Threat Stack announced support for AWS Fargate in the Threat Stack Cloud Security Platform.

Steps You Should Be Automating in the SDLC - Part 4 | DEVOPSdigest

Error

The website encountered an unexpected error. Please try again later.