Playing Offense in the Name of Application Security
August 11, 2020

Christian van den Branden

Digital transformation isn't just changing how businesses compete in the marketplace. It is changing how companies operate, especially with regards to security. Traditional models are being pushed aside to make way for more expansive thinking — and that includes a cultural shift within the classic DevOps model.

As one of the core enablers of digital transformation, DevOps integrates digital technology into all aspects of business process, culture and customer experience. It is a philosophical approach to software delivery that empowers collaborative development, team autonomy while speeding time to market. DevOps encourages innovation, promotes a competitive edge and reduces cost without sacrificing velocity or quality. It is a set of practices that can help you optimize an organization's method for developing software through each step of its lifecycle. This sounds great, but it is not always easy to achieve.

Making the Right Moves

To ensure that security is successfully integrated into the DevOps model — and risk is properly addressed — you will need to do more than just embrace the concept of DevOps. You will need to assume an offensive position. And no, this isn't just another sports analogy. Thinking proactively is key to empowering business teams and improving application development. Because when you assume an offensive stance in software development and vulnerability management, you immediately gain more control over the triad of security, risk and compliance.

The time is now to play offense in security. Part of this challenge is uncovering what this really means and how it can be achieved. Effective management of security, risk and compliance in DevOps, as well as the various teams involved, cannot come at the expense of control, consistency and accountability. While these are not the first words that spring to mind when considering DevOps models, they offer some important guidelines on how to approach security with a clear, offensive strategy.


As DevOps continues to evolve as an alternative to traditional waterfall and a natural extension of agile development, there is a risk that security be left behind. To give yourself more control over security and risk management, it is important to make a proactive shift into DevSecOps. This security-enhanced mindset supports the notion of integrated security from the start, a continuous cycle much like an infinity loop, with each phase flowing into the next. Without a closed-loop process, risk managers have no way to validate remediation. Proactively incorporating security earlier in the process creates shorter feedback loops and eases complexity, enabling engineers to find and fix issues more readily.

But we all know, building perfectly secure applications isn't possible. That is why leaders must balance the need for speed and security by embracing the iterative nature of Agile, where progress can be made incrementally over time. Although this may not feel like control, this type of collaborative workflow preserves the teamwork, agility and speed of DevOps while allowing security to integrate at multiple points in the software development lifecycle (SDLC). And the earlier security is introduced into the SDLC, with scanning tools in place at every phase, the more control you have over your application security and vulnerability management program. Without an offensive plan, security will only get harder.

To achieve this without hampering the velocity of teams, it important for your toolchain to give you the ability to centrally define and manage security policies, but enable teams to apply them programmatically within their pipeline.


Developers often rely on basic security tools to build applications, but there are no consistent DevOps processes for security testing, and point security tools often fall short of expectations. This means applications may well be deployed into production with critical vulnerabilities — at which point, they are much harder to find and even more expensive to fix. To achieve consistent testing, there is a need to incorporate multiple application security tools and orchestrate their execution within the development process. This will help companies build and deliver applications that are more secure from the outset and support them in effectively meeting business, customer and governance demands.

Consistency in DevOps is also about driving quality standards. To push out top-notch software, as quickly and affordably as possible, you need comprehensive, continuous and accurate visibility into where risk lies — and how it might impact the business. This comes from testing, early and often. Automating your testing to run continuously in deployment, instead of performing manual operations, allows teams to utilize static and dynamic analysis (SAST and DAST), as well as software composition analysis (SCA) for control over open source components, to gain better visibility. Orchestrating these testing processes within a continuous integration and delivery (CI/CD) pipeline is the way to consistently enforce an application security program without impacting the autonomy or velocity of the teams.


DevOps isn't all about playing nicely with others. It demands real accountability, especially when things go wrong. Who is ultimately responsible for security in such a model? And how does this accountability question affect the delivery of reliable software? In keeping with the DevOps mentality, both delivery teams and security practitioners play a role in keeping software secure. But when everyone is accountable, sometimes no one is accountable — especially as the size of a company grows.

Without the right tools and processes in place to support the DevOps journey, chaos ensues. This is where proactive, offensive action comes in. Teams cannot gain the visibility they need without the proper tooling and an efficient process in place to know who is responsible for addressing security issues. This is why organizations must begin to focus on adopting tools that optimize visibility into their applications. As more businesses transition into a DevOps mindset, the need for well-defined roles and processes will become increasingly valuable.

This level of accountability happens in the build functions themselves. By creating a loop of constant feedback, where software can be built, analyzed and tested by cross-functional teams — and with automation speeding up the entire delivery process — people can begin to rely on systems for better security. This level of tight integration among development, operations and product security is key to reaching your business goals because it ensures the delivery of a secure product. But many organizations say breaking down walls and building bridges of shared accountability in DevOps is a struggle, both to understand and to implement. The key is to operationalize this within the toolchain itself, leverage ChatOps for alerting, and use reporting capabilities for inspection and review.


All organizations are under pressure to deliver value faster. DevOps is transformational and allows organizations to achieve this goal. In the same vein as quality, application security is not optional. Compromising on security exposes a company to risk, of intellectual property, customer data and/or brand integrity.

The key to ensuring application security happens, without scaling back the velocity of the organization, is to be proactive and offensive. To do so, you will want to apply the mindset of DevOps to your application security program. By investing in the proper tooling, you gain the ability to centrally define security policies but enable teams across the organization to apply them programmatically through automation and orchestration, right within their delivery pipelines.

Using ChatOps for alerting and reporting capabilities to assess the overall risk posture allows organizations to meet their security requirements without impacting the velocity of their teams. It allows them to accelerate software delivery by speeding up the discovery and remediation of security vulnerabilities while offering customer value — quickly and securely.

Christian van den Branden is SVP Engineering at ZeroNorth
Share this

Industry News

February 22, 2024

Check Point® Software Technologies Ltd. introduces Check Point Quantum Force series: an innovative lineup of ten high-performance firewalls designed to meet and exceed the stringent security demands of enterprise data centers, network perimeters, campuses, and businesses of all dimensions.

February 22, 2024

Tabnine announced that Tabnine Chat — the enterprise-grade, code-centric chat application that allows developers to interact with Tabnine AI models using natural language — is now available to all users.

February 22, 2024

Avaamo released Avaamo LLaMB™, a new low-code framework for building generative AI applications in the enterprise safely, securely, and fast.

February 21, 2024

CAST announced the winter release of CAST Imaging, an imaging system for software applications, with significant user experience (UX) enhancements and new features designed to simplify and accelerate processes for engineers who develop, maintain, modernize, complex software applications.

February 21, 2024

Pulumi now offers native ways to manage Pinecone indexes, including its latest serverless indexes.

February 21, 2024

Orkes, whose platform offers the fastest way to scale distributed systems, has raised $20 million in new funding.

February 20, 2024

JFrog and Carahsoft Technology announced a partnership that empowers U.S. Government organizations to safeguard their software supply chains with automated DevSecOps workflows to secure software services consumed by citizens.

February 20, 2024

Multiplayer, a collaborative tool for teams that work on system design and distributed software, announced its public beta.

February 20, 2024

DataStax announced its out-of-the-box retrieval augmented generation (RAG) solution, RAGStack, is now generally available powered by LlamaIndex as an open source framework, in addition to LangChain.

February 20, 2024

UiPath announced new features in its platform designed to enable developers to build, test, and accelerate implementation of automations.

February 15, 2024

Kong announced a suite of open-source AI plugins for Kong Gateway 3.6 that can turn any Kong Gateway deployment into an AI Gateway, offering unprecedented support for multi-Language Learning Models (LLMs) integration.

February 15, 2024

ngrok unveiled early access to its API gateway-as-a-service.

February 15, 2024

Tabnine announced a strategic partnership with DigitalOcean.

February 15, 2024

Salt Security announced that the Salt Security API Protection Platform is now available for purchase in the CrowdStrike Marketplace, a one-stop destination for the world-class ecosystem of CrowdStrike compatible security products.

February 14, 2024

Perforce Software signed a definitive agreement to acquire Delphix.