You are here

The state of DevSecOps: 5 best practices from the front lines

public://pictures/Romeo-Chris.jpg
Chris Romeo, CEO, Security Journey

Ladies and gentlemen, citizens of the Internet, could this be the year when DevSecOps finally catches on everywhere

DevOps is continuing to cause culture shifts far and wide, as old-school enterprises attempt to shift their software development and delivery approaches and adopt a DevOps mindset. There is a maturity divide between the haves and have-nots of DevOps, and this has an impact on security.

The story is the same; we've been telling it for years about agile, to the point where it's become a joke: Ask two companies what agile is, and you get three different answers.

The same applies to DevOps. We all know the guiding principles of DevOps, but organizations are picking and choosing from those principles and still calling it DevOps. The non-negotiable nature of secure DevOps, or DevSecOps, states that "the DevOps culture embeds security within." 

The trend in 2019 continues down the path of evangelizing "shift left," "build security in," and "just do security in DevOps." The best place to do security in DevOps is sprinkled across the entire pipeline.

There certainly are plenty of vendors creating solutions focused on securing the build pipeline and operating at speed and scale. This is a good evolution for our industry and provides more tools to perform the automated tasks that we need. 

Other trends affecting DevSecOps include containerization, microservices, and serverless

More people are talking than acting on DevSecOps, and that is because the struggle is real. There is an industry immaturity in the DevOps approach that affects most companies. Case studies always focus on the highflying, top-of-industry DevOps champions. Sure, the Netflixes and Etsys of the world operate securely at speed and scale, but they are not average DevOps consumers.

Security is hard enough to build in when things work in yearly cycles. Now that we have to take tools that used to take eight hours to run and try to get them down to seconds, this just adds to the struggle. Software supply chain and third-party software management of vulnerabilities continue to wreak havoc across modern applications.

Despite the current state of DevSecOps there is hope. Best practices are emerging. Here are the most successful ones to consider this year.

How to Get the Most From Your Application Security Testing Budget

1. Put your talk into action

Make a plan for real action about how to integrate security into your DevOps pipeline. Honestly assess where you are today and where you want to go in the future. Build an achievable plan and then start to implement. 

2. Deploy open-source governance

Open-source governance is more than just a tool. Yes, some tools provide this capability; these tools are quite good at tracking usage and vulnerabilities. But more than tools, deploy the open-source governance process that adds real consequences for the use of vulnerable open-source software. 

It's 2019; we all know this is a problem. Moreover, of all the challenges we have to deal with, this is not that hard.

There are plenty of commercial providers of software composition analysis tools, but also check out OWASP's Dependency-Track project.

[ Webinar: How to Fit Security Into Your Software Lifecycle With Automation and Integration ]

3. Automate all security things, including threat modeling

The most mature DevSecOps programs are executing a full suite of application security automation. These automated tools include static application security testing, dynamic application security testing, software composition analysis, and interactive application security testing.

The security vendors have great solutions here, so push them to provide you with products that are truly automated. And create a culture where security tools make developers' lives more comfortable and not more difficult.

Do not ignore the forgotten manual tool right in front of you: threat modeling. Different levels of threat modeling occur in a DevOps context. You can achieve threat modeling as code through the use of new approaches. You'll still need to consider threat modeling at the higher-level architecture layer, but threat modeling as code increases your automation levels significantly.

4. Implement container security

Container security includes many issues for consideration. Containers can contain open source, and that software can contain vulnerabilities. Non-approved images provide features and functionality that do not meet your organization's vision (crypto-mining, anyone?).

Secrets management is notoriously tough and is all too often done using GitHub and a YAML file.

Develop your container security solution, and piece together open-source and commercial solutions to address these issues. Containers provide a massive advantage to security, with isolation and dependency conflicts things of the past. But you must take steps to address open-source vulnerabilities, use of non-approved images, and secrets management.

[ Partner resource: Take Security Journey's first two white belt modules for free. ]

5. Design consistent security for microservices, APIs, and serverless

Design and deploy consistent security for all unique approaches to application delivery. Integrate all of your services into your secure DevOps pipeline. While microservices, APIs, and serverless sit above the pipeline, they are the areas that require the most consistent security focus for 2019 and beyond.

These areas suffer from a lack of consistent security implementation. Take a look at your consistency across these areas; you might be surprised to find that your security approach is different for each category.

Don't hold your breath

DevSecOps has not arrived with the rush of the new year. DevSecOps is still immature—not in methodology, but in implementation. This is the year we need to take more action and talk less.

Solve the open-source problem once and for all with a governance structure that mitigates software deployment with vulnerabilities. Truly automate all the security things, including the containers.

Educate your teams to apply security consistently, across all the unique approaches to application delivery. The code you save might be your own.

[ Report: The State of Application Security in the Enterprise ]