With developers and security teams under pressure to ship faster, at higher velocity and at lower cost, I’ve found that one way to meet all of these goals is to build a DevSecOps culture in your organization. If you currently treat security as a series of one-off issues, or handle it only reactively, you are leaving your systems exposed to attack, with serious cost implications. And while some companies assume developers and security operate best as separate teams, many have discovered that integrating AppSec into DevOps improves performance at every level.
Here’s how to get started:
Overcome resistance to change
I’ve found that “not wanting to change” is usually the biggest reason organizations hesitate to adopt DevSecOps. Change takes time and effort. Developers and security must work together, and there is a learning curve on both sides. Developers need to learn how vulnerabilities get introduced during development, and the security team needs to understand code well enough to give concrete examples (e.g. input validation and output encoding, parameterized SQL queries). Be aware of the time this takes, but be assured that it’s worth it.
Foster a culture of openness
DevSecOps is a true cultural shift that depends on communication, and you’ll be selling the concept short if you look at it any other way. An open flow of communication between your development and security teams promotes the collaboration and continuous learning that integrating functional areas requires. One helpful practice is to write use cases and abuse cases side by side. The use cases model how the application is meant to be used; the abuse cases model where a bad actor could misuse the same functionality, and they make good starting points for threat modeling and for test cases.
Make security your default setting
With more high-profile breaches than ever, sustainable security needs to be top of mind. A crucial part of DevSecOps culture is having security built into every DevOps practice rather than bolted on at the end. Conduct regular scans, risk assessments, and penetration tests, and don’t forget that a large share of successful attacks trace back to human error, which no tool alone will catch.
Encourage developers to become security-aware
Once developers see how a vulnerability can be exploited in real time, the importance of application security becomes obvious to them. I’ve seen this many times when working with developers: once you sit down with them and perform a penetration test, or demonstrate cross-site scripting, SQL injection, or command injection against their own code, they understand the implications and want to produce secure code. Sometimes it just takes a little collaboration with the security team to get there.
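The kind of side-by-side demonstration described above, and the “parameterized SQL queries” example the security team is asked to provide earlier in this piece, can be as small as the following. This is an added example, not code from the author or from Sparq: it builds a constructed in-memory SQLite table, runs the same lookup through a string-formatted query and through a parameterized one, and feeds both a classic injection payload and a legitimate username containing an apostrophe. The table, user names and payload are all invented for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "user"),
    ("o'brien", "user"),   # legitimate name that happens to contain a quote
]

# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable form: the caller's text is pasted straight into the SQL.

    The database cannot tell where the developer's query ends and the
    attacker's input begins, so the input is parsed as SQL.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Hardened form: the value travels separately from the query text.

    The driver binds it to the placeholder, so quotes and keywords in the
    input are only ever treated as data.
    """
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both query styles against the payload and the apostrophe name."""
    conn = make_db()
    try:
        apostrophe_vulnerable = find_user_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # The stray quote breaks the statement: a correctness bug, not just
        # a security bug, which is a useful point to make to developers.
        apostrophe_vulnerable = f"OperationalError: {exc}"
    return {
        "injected_vulnerable": find_user_vulnerable(conn, PAYLOAD),
        "injected_parameterized": find_user_parameterized(conn, PAYLOAD),
        "apostrophe_vulnerable": apostrophe_vulnerable,
        "apostrophe_parameterized": find_user_parameterized(conn, "o'brien"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Running it shows the vulnerable lookup returning every row for the payload (the WHERE clause has become `username = 'x' OR '1'='1'`) and failing with a syntax error on `o'brien`, while the parameterized lookup returns nothing for the payload and exactly one row for `o'brien`. The same shape of demonstration works for command injection (`subprocess` with `shell=True` versus an argument list) and for cross-site scripting (raw string interpolation into HTML versus template auto-escaping).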
Once security is integrated into DevOps you’ll see time-to-production speed up. Building security into the development process means far fewer findings for late-stage penetration tests, and for the static and dynamic analyses that run in the pipeline, to flag and send back for rework. With DevSecOps, vulnerabilities surface much earlier, when they are cheapest to fix, so you avoid costly delays.
An integrated team means developers write secure code from the beginning, and the security team can spend more time on key initiatives like vulnerability management and endpoint security. A fundamental shift in your DevOps approach can seem overwhelming, but by integrating AppSec, and with it prioritizing collaboration and openness, you’ll soon be reaping the benefits of a DevSecOps culture.
About the Author:
Joe Sullivan is a principal consultant at Sparq in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute.