Playing Offense in the Name of Application Security
August 11, 2020

Christian van den Branden

Digital transformation isn't just changing how businesses compete in the marketplace. It is changing how companies operate, especially with regard to security. Traditional models are being pushed aside to make way for more expansive thinking — and that includes a cultural shift within the classic DevOps model.

As one of the core enablers of digital transformation, DevOps integrates digital technology into all aspects of business process, culture and customer experience. It is a philosophical approach to software delivery that empowers collaborative development and team autonomy while speeding time to market. DevOps encourages innovation, promotes a competitive edge and reduces cost without sacrificing velocity or quality. It is a set of practices that can help you optimize an organization's method for developing software through each step of its lifecycle. This sounds great, but it is not always easy to achieve.

Making the Right Moves

To ensure that security is successfully integrated into the DevOps model — and risk is properly addressed — you will need to do more than just embrace the concept of DevOps. You will need to assume an offensive position. And no, this isn't just another sports analogy. Thinking proactively is key to empowering business teams and improving application development. Because when you assume an offensive stance in software development and vulnerability management, you immediately gain more control over the triad of security, risk and compliance.

The time is now to play offense in security. Part of this challenge is uncovering what this really means and how it can be achieved. Effective management of security, risk and compliance in DevOps, as well as the various teams involved, cannot come at the expense of control, consistency and accountability. While these are not the first words that spring to mind when considering DevOps models, they offer some important guidelines on how to approach security with a clear, offensive strategy.


As DevOps continues to evolve as an alternative to traditional waterfall and a natural extension of agile development, there is a risk that security will be left behind. To give yourself more control over security and risk management, it is important to make a proactive shift into DevSecOps. This security-enhanced mindset supports the notion of integrated security from the start, a continuous cycle much like an infinity loop, with each phase flowing into the next. Without a closed-loop process, risk managers have no way to validate remediation. Proactively incorporating security earlier in the process creates shorter feedback loops and eases complexity, enabling engineers to find and fix issues more readily.

But we all know that building perfectly secure applications isn't possible. That is why leaders must balance the need for speed and security by embracing the iterative nature of Agile, where progress can be made incrementally over time. Although this may not feel like control, this type of collaborative workflow preserves the teamwork, agility and speed of DevOps while allowing security to integrate at multiple points in the software development lifecycle (SDLC). And the earlier security is introduced into the SDLC, with scanning tools in place at every phase, the more control you have over your application security and vulnerability management program. Without an offensive plan, security will only get harder.

To achieve this without hampering the velocity of teams, it is important for your toolchain to give you the ability to centrally define and manage security policies while enabling teams to apply them programmatically within their pipeline.


Developers often rely on basic security tools to build applications, but there are no consistent DevOps processes for security testing, and point security tools often fall short of expectations. This means applications may well be deployed into production with critical vulnerabilities — at which point, they are much harder to find and even more expensive to fix. To achieve consistent testing, there is a need to incorporate multiple application security tools and orchestrate their execution within the development process. This will help companies build and deliver applications that are more secure from the outset and support them in effectively meeting business, customer and governance demands.

Consistency in DevOps is also about driving quality standards. To push out top-notch software, as quickly and affordably as possible, you need comprehensive, continuous and accurate visibility into where risk lies — and how it might impact the business. This comes from testing, early and often. Automating your testing to run continuously in deployment, instead of performing manual operations, allows teams to utilize static and dynamic analysis (SAST and DAST), as well as software composition analysis (SCA) for control over open source components, to gain better visibility. Orchestrating these testing processes within a continuous integration and delivery (CI/CD) pipeline is the way to consistently enforce an application security program without impacting the autonomy or velocity of the teams.
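An added example, not from the article or from any vendor's tooling: one way a centrally defined policy can be applied programmatically as a pipeline gate over normalized SAST, DAST and SCA results. The policy fields, the `Finding` type, the team names and the sample findings are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Central policy, defined once by the security team (constructed values).
CENTRAL_POLICY = {
    "required_scans": {"sast", "dast", "sca"},
    "block_at": "high",         # findings at or above this severity fail the build
    "max_open": {"medium": 5},  # tolerated count for lower severities
}

@dataclass(frozen=True)
class Finding:
    tool: str      # "sast", "dast" or "sca"
    severity: str
    rule: str
    owner: str     # team accountable for the fix

def rank(severity):
    # Unknown severity labels are treated as critical so the gate fails closed.
    return SEVERITY_RANK.get(severity, SEVERITY_RANK["critical"])

def evaluate(findings, scans_run, policy=CENTRAL_POLICY):
    """Return (passed, reasons, owners_to_notify) for one pipeline run."""
    reasons = []
    missing = policy["required_scans"] - set(scans_run)
    if missing:
        # A scan that never ran must fail the gate, not pass silently.
        reasons.append("missing scans: " + ", ".join(sorted(missing)))
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking = [f for f in findings if rank(f.severity) >= threshold]
    for f in blocking:
        reasons.append(f"{f.tool}:{f.rule} severity={f.severity} owner={f.owner}")
    for sev, budget in policy["max_open"].items():
        count = sum(1 for f in findings if f.severity == sev)
        if count > budget:
            reasons.append(f"{count} {sev} findings exceed budget of {budget}")
    owners = sorted({f.owner for f in blocking})
    return (not reasons, reasons, owners)

# Constructed sample run: the DAST stage was skipped and SCA reported a critical issue.
SAMPLE = [
    Finding("sast", "medium", "hardcoded-timeout", "payments"),
    Finding("sca", "critical", "vulnerable-dependency", "platform"),
]

if __name__ == "__main__":
    ok, reasons, owners = evaluate(SAMPLE, scans_run=["sast", "sca"])
    print("PASS" if ok else "FAIL", reasons, "notify:", owners)
    raise SystemExit(0 if ok else 1)
```

The non-zero exit code is what lets a CI/CD stage block the deployment, and the returned owner list is what an alerting integration would route on.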


DevOps isn't all about playing nicely with others. It demands real accountability, especially when things go wrong. Who is ultimately responsible for security in such a model? And how does this accountability question affect the delivery of reliable software? In keeping with the DevOps mentality, both delivery teams and security practitioners play a role in keeping software secure. But when everyone is accountable, sometimes no one is accountable — especially as the size of a company grows.

Without the right tools and processes in place to support the DevOps journey, chaos ensues. This is where proactive, offensive action comes in. Teams cannot gain the visibility they need without the proper tooling and an efficient process in place to know who is responsible for addressing security issues. This is why organizations must begin to focus on adopting tools that optimize visibility into their applications. As more businesses transition into a DevOps mindset, the need for well-defined roles and processes will become increasingly valuable.

This level of accountability happens in the build functions themselves. By creating a loop of constant feedback, where software can be built, analyzed and tested by cross-functional teams — and with automation speeding up the entire delivery process — people can begin to rely on systems for better security. This level of tight integration among development, operations and product security is key to reaching your business goals because it ensures the delivery of a secure product. But many organizations say breaking down walls and building bridges of shared accountability in DevOps is a struggle, both to understand and to implement. The key is to operationalize this within the toolchain itself, leverage ChatOps for alerting, and use reporting capabilities for inspection and review.


All organizations are under pressure to deliver value faster. DevOps is transformational and allows organizations to achieve this goal. In the same vein as quality, application security is not optional. Compromising on security puts a company's intellectual property, customer data and/or brand integrity at risk.

The key to ensuring application security happens, without scaling back the velocity of the organization, is to be proactive and offensive. To do so, you will want to apply the mindset of DevOps to your application security program. By investing in the proper tooling, you gain the ability to centrally define security policies but enable teams across the organization to apply them programmatically through automation and orchestration, right within their delivery pipelines.

Using ChatOps for alerting and reporting capabilities to assess the overall risk posture allows organizations to meet their security requirements without impacting the velocity of their teams. It allows them to accelerate software delivery by speeding up the discovery and remediation of security vulnerabilities while offering customer value — quickly and securely.

Christian van den Branden is SVP Engineering at ZeroNorth