DevSecOps integrates security testing earlier in the software development lifecycle (SDLC), a practice commonly referred to as "shifting security left" or "shift left." Finding and fixing vulnerabilities while code is being written is far cheaper than finding them at the end of the lifecycle, when mitigation is harder and more costly to implement.
DevSecOps is an extension of DevOps, and is sometimes referred to as Secure DevOps. While DevOps can mean different things to different people or organizations, it entails both cultural and technical changes. Ideally, security is an implied requirement of successful DevOps.
DevSecOps requires planning application and infrastructure security from the start. The right tools help meet the goal of continuously integrated security; even the choice of an integrated development environment (IDE) with built-in security checks matters. The tools and process must also automate at least some security gates, so that security does not become the step that slows the DevOps workflow down.
Benefits of DevSecOps
DevSecOps enables automation throughout the software delivery pipeline to catch coding mistakes early, before they reach production, and so reduce the number that turn into breaches.
Teams that implement DevSecOps tools and processes to integrate security into their DevOps framework can release secure software faster. Developers can test code for security and detect flaws as the code is written, using the development tools they already work in rather than a separate security toolchain.
What are the key components of DevSecOps?
DevSecOps approaches may include these important components:
- Application/API Inventory
  - Automate the discovery, profiling, and continuous monitoring of code across the portfolio. This may include production code in data centers, virtual environments, private clouds, public clouds, containers, serverless platforms, and more. Use a combination of automated discovery and self-inventory tools: discovery tools identify which applications and APIs you have, while self-reporting tools let applications inventory themselves and report their metadata to a central database.
- Custom Code Security
  - Continuously monitor software for vulnerabilities throughout development, test, and operations. Deliver code in small, frequent increments so that each update is scanned and new vulnerabilities are identified quickly.
  - Static Application Security Testing (SAST) scans application source files without running the code, points to the line where a flaw originates, and so helps remediate the underlying weakness. Findings still need triage, since static analysis can report false positives.
  - Dynamic Application Security Testing (DAST) sends controlled attacks to a running web application or service to identify vulnerabilities that are exploitable in a deployed environment.
  - Interactive Application Security Testing (IAST) instruments the running application with agents and sensors to continuously analyze the application, its infrastructure, dependencies, data flow, and code.
- Open Source Security
  - Open source software (OSS) often contains known security vulnerabilities, so a complete security approach tracks the OSS libraries in use and reports vulnerabilities and license violations.
  - Software Composition Analysis (SCA) automates visibility into open source software for risk management, security, and license compliance.
- Runtime Prevention
  - Protect applications in production: new vulnerabilities may be discovered after release, and legacy applications may no longer be under active development, so a fix cannot always be shipped quickly.
  - Logging can show which attack vectors and systems are being targeted. Threat intelligence, in turn, informs threat modeling and security architecture.
  - Runtime Application Self-Protection (RASP) instruments applications, observes attacks from inside the running process, and blocks exploitation attempts there.
- Compliance monitoring
  - Enable audit readiness and a constant state of compliance with GDPR, CCPA, PCI DSS, etc.
- Cultural factors
  - Identify security champions, establish security training for developers, etc.
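To make the Custom Code Security component concrete, here is an added example (not code from this page or from Fortify) of the kind of flaw SAST is meant to find: a SQL query built from user input beside its hardened, parameterized form, plus a small AST-based rule of the sort a static analyzer applies to flag the vulnerable pattern. The user rows, the SAMPLE_SOURCE snippet, and the function names are constructed for the demonstration.

```python
"""SQL injection flaw beside its hardened form, with a minimal SAST-style rule.

Everything here is constructed for illustration: the user table, the sample
source text that the rule scans, and the function names.
"""
import ast
import sqlite3

# Constructed sample rows.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input is concatenated into the SQL text (CWE-89).

    A name of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row.
    """
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter, never as SQL syntax,
    so the same payload simply matches no user."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed source text for the rule to scan. Functions a and b build the
# query with string concatenation / an f-string; c uses a bound parameter.
SAMPLE_SOURCE = '''
def a(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '" + name + "'")

def b(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")

def c(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


def find_concatenated_queries(source: str) -> list:
    """Minimal SAST rule: report line numbers of .execute(...) calls whose first
    argument is built by string concatenation, %-formatting, or an f-string.

    Real analyzers track taint from input sources to sinks across functions;
    this syntactic check is enough to show what a finding points at.
    """
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args):
            continue
        first_arg = node.args[0]
        # BinOp covers "..." + x and "..." % x; JoinedStr is an f-string.
        if isinstance(first_arg, (ast.BinOp, ast.JoinedStr)):
            flagged.append(node.lineno)
    return flagged


if __name__ == "__main__":
    payload = "' OR '1'='1"
    db = make_db()
    print("unsafe rows:", lookup_unsafe(db, payload))   # every user leaks
    print("safe rows:  ", lookup_safe(db, payload))     # nothing matches
    print("flagged lines in sample source:", find_concatenated_queries(SAMPLE_SOURCE))
```

Running the file shows the unsafe lookup returning both users for the tautology payload while the parameterized lookup returns nothing, and the rule flagging lines 3 and 6 of the sample source but not the parameterized call on line 9. The same assertions can live in the project's unit tests, which is the "test early, often and fast" half of shifting left.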
Making DevSecOps work for you
Step 1: Build Security into Software Requirements
Step 2: Test Early, Often and Fast
Step 3: Leverage Integrations to Make Application Security a Natural Part of the Lifecycle
Step 4: Automate Security as Part of the Development and Testing Processes
Step 5: Monitor and Protect Once Released
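Steps 2 through 4 above amount to a security gate that runs automatically in the pipeline and fails the build when a threshold is crossed. The following is an added example, not Fortify's or this page's own code: it reads a SAST report in the SARIF 2.1.0 format that most static analyzers can emit, checks a dependency inventory (the shape an SCA tool or SBOM provides) against an advisory list and a license allowlist, and returns a pass/fail verdict with reasons so a CI job can exit non-zero. The report, the inventory, the package names, the advisory identifiers, and the thresholds are all constructed for the demonstration.

```python
"""Automated security gate for a CI stage (constructed example).

Fails on SAST findings at or above a severity threshold, on dependencies that
fall inside a known-vulnerable version range, and on disallowed licenses.
All inputs below are constructed; in a pipeline they would be read from the
scanner's output files.
"""
import json
import sys

# Constructed SARIF 2.1.0 fragment standing in for a SAST tool's report.
SARIF_REPORT = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "Weak hash used for password storage"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"}, "locations": []},
        ],
    }],
})

# Constructed dependency inventory in a CycloneDX-like shape.
SBOM = {"components": [
    {"name": "libfoo", "version": "2.19.1", "licenses": ["Apache-2.0"]},
    {"name": "libbar", "version": "6.0.1", "licenses": ["MIT"]},
    {"name": "gpltool", "version": "1.0.0", "licenses": ["GPL-3.0-only"]},
]}

# Constructed advisory feed: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libfoo", "introduced": "2.1.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0002", "package": "libbar", "introduced": "0", "fixed": "5.4"},
]
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
SEVERITY_RANK = {"note": 0, "warning": 1, "error": 2}


def parse_version(text: str) -> tuple:
    """Dotted numeric versions only; use packaging.version for PEP 440 strings."""
    return tuple(int(part) for part in text.split("."))


def sast_violations(sarif_text: str, fail_on: str = "warning") -> list:
    """Return (ruleId, file, line) for SARIF results at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    hits = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            # SARIF defaults a missing level to "warning".
            if SEVERITY_RANK.get(result.get("level", "warning"), 1) < threshold:
                continue
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            hits.append((result["ruleId"], uri, line))
    return hits


def sca_violations(sbom: dict, advisories: list, allowed: set) -> tuple:
    """Return (vulnerable components, license violations) for the inventory."""
    vulns, licenses = [], []
    for comp in sbom["components"]:
        version = parse_version(comp["version"])
        for adv in advisories:
            if (adv["package"] == comp["name"]
                    and parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"])):
                vulns.append((comp["name"], comp["version"], adv["id"]))
        for lic in comp.get("licenses", []):
            if lic not in allowed:
                licenses.append((comp["name"], lic))
    return vulns, licenses


def evaluate_gate(sarif_text: str, sbom: dict, advisories: list, allowed: set,
                  fail_on: str = "warning") -> tuple:
    """Combine both checks into (passed, reasons) for the pipeline to act on."""
    sast = sast_violations(sarif_text, fail_on)
    vulns, lics = sca_violations(sbom, advisories, allowed)
    reasons = [f"SAST {rule} at {uri}:{line}" for rule, uri, line in sast]
    reasons += [f"vulnerable dependency {n}=={v} ({aid})" for n, v, aid in vulns]
    reasons += [f"disallowed license {lic} in {n}" for n, lic in lics]
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, why = evaluate_gate(SARIF_REPORT, SBOM, ADVISORIES, ALLOWED_LICENSES)
    for reason in why:
        print("FAIL:", reason)
    sys.exit(0 if passed else 1)   # non-zero exit fails the CI job
```

With the constructed inputs the gate fails for four reasons: the two SAST findings at warning level or above (the note-level result is reported only if fail_on is lowered to "note"), libfoo 2.19.1 falling inside the advisory's affected range, and the GPL-licensed component. Tune fail_on per branch (for example, block merges on error, report warnings) so the gate keeps the pipeline fast without letting critical findings through, and replace the naive parse_version with a proper version library before comparing real package versions.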
Fortify helps build security into DevOps
- Automation in CI/CD pipelines
- SAST with Fortify Static Code Analyzer
- DAST with Fortify WebInspect
- RASP with Fortify Application Defender
- Software Composition Analysis (SCA) / Open Source Security (OSS) with Sonatype and Fortify
- Scale your application security