Read on to learn the six steps for implementing DevSecOps.
The DevSecOps culture has become a milestone in the history of technology, so much so that many recruiters started using this name even for job descriptions.
But where is the security when we implement agile delivery methodologies throughout the software production pipeline? Security cannot be left for later or even when an incident occurs. It must be addressed within the development process. DevSecOps came to solve this problem!
Understanding DevSecOps Implementation
It’s the tendency to automate all security checks, coding them into unit tests and using them early in software development, not at the end of the cycle.
It is then about security integrated with DevOps practices. This brings agility together with security from the conception of the project. So, we have the same workflow, adding the security components. How can we do that?
In this post, we will cover 6 steps for implementing DevSecOps. These are complex steps that require a lot of work to adapt. However, it is essential to consider each of them when choosing the work methodology:
- Perform security audits on current infrastructure and address failures
- Automate security tests
- Check code dependencies frequently
- Split scans into manageable chunks
- Integrate security tools with DevOps tools
- Continuously invest in training for the development team
1. Perform security audits on current infrastructure and address failures
Before starting the implementation of a new methodology, it is crucial to identify the current situation of the processes and services applied.
For this, it is necessary to conduct security audits on the entire infrastructure that currently supports your software projects.
Look at your systems from the attacker’s point of view and try to find the weakest points. This allows you to design effective countermeasures for potential security breaches, removing bottlenecks in processes or removing weak chains altogether.
Threat modeling can’t be automated, but it’s a beneficial exercise to keep your developers aware of potential security vulnerabilities and avoid creating new product code breach points.
2. Automate security tests
Once the current infrastructure has discovered and fixed vulnerabilities, it’s time to start developing automated security scanning solutions.
For this, it is necessary to code these solutions to be part of the unit test in the new features added. As such, security requirements are met from the beginning of the software development process, not being treated as the last thing before release.
According to a survey conducted by Sona type on QA and test automation in 2020, more than 44% of the more than 5000 respondents know that DevSecOps practices are essential. However, they do not have the time to implement these solutions. How is your team in this regard?
It is important to emphasize that this automation must be implemented with great care and caution. When running static application security tests (SAST) in test and staging environments, ensure that these tests only run on the latest additions to the code base.
Consider introducing Dynamic Application Security Testing (DAST) practices into your workflows if you haven’t already. Rather than verifying code in development and testing, this practice focuses on verifying the integrity and performance of applications running in production.
To help guide your path towards more secure software, OWASP has several documents that list critical application vulnerabilities.
3. Check code dependencies frequently
The migration of on-premises environments (private data centers that companies have internally) to the cloud has fueled the unprecedented growth of software development; after all, the IT industry has been able to complete projects faster, thus meeting the needs of customer requirements more quickly.
To further strengthen this approach, open-source software and modules become the primary approach to software delivery because developing all modules from scratch is essentially a waste of time and resources.
However, it is noticeable that using third-party code depends on its security flaws and vulnerabilities.
Because of this, it is essential to implement security checks on the dependency’s software solutions use.
GitLab, in its new version, has released a security panel and maintenance mode for software marked as compromised, so each project member is notified if the project they depend on is updated. Another way to do this is using the OWASP Dependency Checker tool, which can be added as a plugin to most browsers and CI/CD tools.
4. Split checks into manageable parts
When you don’t have Security implemented in the environment, one of the biggest problems (if not THE biggest problem) of introducing DevSecOps practices is the need to introduce them gradually.
There may be a very long list of required checks but implementing them in rapid succession will be a big challenge for your developers.
Instead, implementing just a few checks during each product development sprint allows the process to go much smoother and encounter less resistance from the technical and the teams involved in the process.
This gives the team time to tackle new tasks and integrate them into the daily routine of software delivery workflows.
Better to go slow, getting there consistently, than trying to force change and hurt the business overall.
5. Integrate security tools with DevOps tools
As we’ve seen, Security needs to be automated in DevSecOps. For it to be productive to work with this methodology, the security verification tools must be reliable and work well with the rest of the DevOps tools used in your team.
This allows for the seamless integration of security checks into your software delivery CI/CD pipelines and the cloud monitoring solutions used to maintain the performance of your production environment.
Solutions like Splunk, Selenium and other tools have cleaned and simple integrations with Kubernetes and Terraform, Jenkins and Ansible, ELK stack, Prometheus + Grafana, and other popular DevOps software.
6. Continuously invest in training for the development team
At this point, looking at the progress so far is essential. System auditing has already been performed, quality control through automated testing has already been implemented, code dependencies are checked regularly, security checks are gradually implemented into the existing pipeline, and security monitoring tools are integrated with other parts of the DevOps team toolkit.
It is usual for us to imagine that this is enough, and all security-related problems will disappear from the implementation of this step by step. However, when imagining something like this, we are far from getting it right.
As with the entire DevOps cycle, there is no end to the improvements applied. At each execution, it is possible to improve implementing DevSecOps described here. Adding new observations and corrections will only be possible after the team’s maturity increases according to the ’rounds’ of continuous improvement.