
What is DevSecOps?


Overview

DevSecOps integrates security testing earlier in the software development lifecycle, rather than at the end, when vulnerability findings are more difficult and costly to fix.

DevSecOps is an extension of DevOps, and is sometimes referred to as Secure DevOps. While DevOps can mean different things to different people or organizations, it entails both cultural and technical changes. Ideally, security is an implied requirement of successful DevOps.

DevSecOps requires planning application and infrastructure security from the start. The right tools can help meet the goal of continuously integrated security, including such decisions as selecting an integrated development environment (IDE) with security features. The tools and process must also be able to automate some security gates to keep from slowing down the DevOps workflow.


Benefits of DevSecOps

Developers don’t always code with security in mind. With a DevSecOps mentality, developers are supported by automation throughout the software delivery pipeline that catches coding mistakes early and ultimately reduces breaches.

Teams that implement DevSecOps tools and processes to integrate security into their DevOps framework will be able to release secure software faster. Developers can test code for security and detect security flaws as code is written. Automated scans can be initiated as part of code check-ins, builds, releases, or other components of the CI/CD pipeline. By integrating with tools developers are already using, dev teams can more easily improve the security aspect of web application development.


What are the key components of DevSecOps?

DevSecOps approaches may include these important components:

  • Application/API Inventory
    • Automate the discovery, profiling, and continuous monitoring of the code across the portfolio. This may include production code in data centers, virtual environments, private clouds, public clouds, containers, serverless, and more. Use a combination of automated discovery and self-inventory tools. Discovery tools help you identify what applications and APIs you have. Self-reporting tools enable your applications to inventory themselves and report their metadata to a central database.
  • Custom Code Security
    • Continuously monitor software for vulnerabilities throughout development, test, and operations. Deliver code frequently so vulnerabilities can be identified quickly with each code update.
    • Static Application Security Testing (SAST) scans the application source files, accurately identifies the root cause and helps remediate the underlying security flaws.
    • Dynamic Application Security Testing (DAST) simulates controlled attacks on a running web application or service to identify exploitable vulnerabilities in a running environment.
    • Interactive Application Security Testing (IAST) provides a deep scan by instrumenting the application using agents and sensors to continuously analyze the application, its infrastructure, dependencies, dataflow, as well as all the code.
  • Open Source Security
    • Open source software (OSS) often contains security vulnerabilities, so a complete security approach includes a solution that tracks OSS libraries and reports vulnerabilities and license violations.
    • Software Composition Analysis (SCA) automates the visibility into open source software (OSS) for the purpose of risk management, security and license compliance.
  • Runtime Prevention
    • Protect applications in production, because new vulnerabilities may be discovered after release, and legacy applications may no longer be under active development.
    • Logging can inform you about what types of attack vectors and systems are being targeted. Threat intelligence informs threat modeling and security architecture processes.
  • Compliance monitoring
    • Enable audit readiness and a constant state of compliance for GDPR, CCPA, PCI, etc.
  • Cultural factors
    • Identify security champions, establish security training for developers, etc.
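The Open Source Security component above describes what SCA does but not how a match is made. The following is an added example, not code from the original page or from Fortify, of a minimal SCA check: it parses a requirements.txt-style manifest, compares each pinned version against a constructed advisory list with affected version ranges, and flags licenses outside an assumed allow-list. The package names, the advisory entry, the license data and the license policy are all constructed for illustration.

```python
"""Minimal Software Composition Analysis check (added example).

Advisory entries, package names and the license allow-list below are
constructed sample data, not a real advisory feed or a recommended policy.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """'1.4.2' -> (1, 4, 2); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", s)]
    return tuple((parts + [0, 0, 0])[:3])


def in_range(v: Version, spec: str) -> bool:
    """Evaluate a comma-separated range such as '>=1.0,<1.4.2'."""
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
           "==": lambda a, b: a == b}
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|>|<)\s*([\w.]+)\s*", clause)
        if not m or not ops[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def parse_manifest(text: str) -> Dict[str, Version]:
    """Parse 'name==x.y.z' lines; comments and unpinned lines are skipped."""
    deps: Dict[str, Version] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([\w.]+)", line)
        if m:
            deps[m.group(1).lower()] = parse_version(m.group(2))
    return deps


def analyze(manifest: str, advisories: List[Dict], licenses: Dict[str, str],
            allowed: set) -> List[Dict]:
    """Return one finding per advisory match and per disallowed license."""
    findings = []
    for name, ver in parse_manifest(manifest).items():
        for adv in advisories:
            if adv["package"] == name and in_range(ver, adv["affected"]):
                findings.append({"package": name, "kind": "vulnerability",
                                 "id": adv["id"], "fixed_in": adv["fixed_in"]})
        lic = licenses.get(name, "UNKNOWN")  # unknown license is a finding too
        if lic not in allowed:
            findings.append({"package": name, "kind": "license", "license": lic})
    return findings


# Constructed sample inputs (hypothetical packages, advisory and policy).
MANIFEST = """
# constructed sample manifest
examplelib==1.2.3
safepkg==2.0.0
copyleftlib==0.9.1
"""
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "package": "examplelib",
               "affected": ">=1.0,<1.4.2", "fixed_in": "1.4.2"}]
LICENSES = {"examplelib": "MIT", "safepkg": "Apache-2.0", "copyleftlib": "AGPL-3.0"}
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed policy

if __name__ == "__main__":
    for f in analyze(MANIFEST, ADVISORIES, LICENSES, ALLOWED):
        print(f)
```

Two details matter in practice: the version comparison must be done on parsed components, not on strings (so that 1.10.0 is newer than 1.9.0), and a dependency whose license cannot be determined should surface as a finding rather than silently pass.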

Making DevSecOps work for you

Step 1: Build Security into Software Requirements
Step 2: Test Early, Often and Fast
Step 3: Leverage Integrations to Make Application Security a Natural Part of the Lifecycle
Step 4: Automate Security as Part of the Development and Testing Processes
Step 5: Monitor and Protect Once Released
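Steps 2 through 4 come down to one concrete mechanism: scanners run automatically in the pipeline and a gate decides whether the build proceeds. The following is an added example, not code from the original page or from Fortify, of such a gate. It flattens SARIF-style results (a common interchange format for SAST, SCA and DAST output) from several scanners, drops findings that have been reviewed and accepted in a baseline, and fails the build when findings at or above a severity threshold remain. The scanner names, rule ids and results below are constructed sample data.

```python
"""Minimal CI security gate over SARIF-style results (added example).

The two SARIF documents at the bottom are constructed samples that imitate
a SAST and an SCA scanner; they are not output from any real tool.
"""
import hashlib
from typing import Dict, List, Set

# SARIF "level" values ordered so a threshold can be compared.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def fingerprint(finding: Dict) -> str:
    """Stable id for a finding, so a baseline survives line-number churn.
    Rule, file and message are hashed; the line number deliberately is not."""
    key = "|".join([finding["rule"], finding["file"], finding["message"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def parse_sarif(doc: Dict) -> List[Dict]:
    """Flatten SARIF runs/results into simple finding dicts."""
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "tool": tool,
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),  # SARIF default level
                "file": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "message": res["message"]["text"],
            })
    return findings


def evaluate(findings: List[Dict], baseline: Set[str], fail_level: str = "error") -> Dict:
    """Apply the gate policy: suppressed, blocking, or informational."""
    threshold = LEVEL_RANK[fail_level]
    blocking, suppressed, informational = [], [], []
    for f in findings:
        if fingerprint(f) in baseline:
            suppressed.append(f)
        elif LEVEL_RANK.get(f["level"], 2) >= threshold:
            blocking.append(f)
        else:
            informational.append(f)
    return {"passed": not blocking, "blocking": blocking,
            "suppressed": suppressed, "informational": informational}


def run_gate(docs: List[Dict], baseline: Set[str], fail_level: str = "error") -> Dict:
    """Merge results from every scanner, then evaluate them together."""
    findings: List[Dict] = []
    for doc in docs:
        findings.extend(parse_sarif(doc))
    return evaluate(findings, baseline, fail_level)


def _result(rule, level, text, uri, line):
    """Build one SARIF result object (helper for the constructed samples)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


SAMPLE_SAST = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}}, "results": [
        _result("sql-injection", "error", "Untrusted input reaches SQL query", "app/db.py", 42),
        _result("hardcoded-secret", "warning", "Possible hardcoded credential", "tests/fixtures.py", 7),
    ]}]}
SAMPLE_SCA = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sca"}}, "results": [
        _result("vulnerable-dependency", "error",
                "examplelib 1.2.3 matches a published advisory", "requirements.txt", 3),
    ]}]}

if __name__ == "__main__":
    # The hardcoded-secret hit in a test fixture was reviewed and accepted.
    accepted = {fingerprint(f) for f in parse_sarif(SAMPLE_SAST) if f["rule"] == "hardcoded-secret"}
    verdict = run_gate([SAMPLE_SAST, SAMPLE_SCA], accepted)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['tool']} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    print("PASS" if verdict["passed"] else "FAIL")
    raise SystemExit(0 if verdict["passed"] else 1)
```

The baseline is what keeps such a gate from being switched off: accepted findings are identified by a fingerprint that ignores line numbers, so a refactor does not reopen them, while any new finding at the failing level still stops the build. The threshold is a parameter so a team can start by failing only on errors and tighten it to warnings once the backlog is under control.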


Fortify helps build security into DevOps

  • Holistic, inclusive, and extensible application security platform to orchestrate and guide your AppSec journey.
  • Embed security into application development and deployment with the Fortify Integration Ecosystem.
  • DevSecOps with Fortify enables enhanced testing automation throughout the CI/CD pipeline to find coding mistakes.
  • Automated static code analysis helps developers eliminate vulnerabilities and build secure software with Static Code Analyzer.
  • WebInspect dynamic application security testing analyzes applications in their running state and simulates attacks against an application to find vulnerabilities.
  • Take full control of your open source security compliance and community health with Debricked and Fortify.
  • Gain clarity across your enterprise by aggregating, analyzing, and reporting assessment results into a single pane of glass—regardless of origin—with Fortify Insight.

Industry-leading AppSec solutions

  • Holistic, inclusive, and extensible application security platform to orchestrate and guide your AppSec journey with the Fortify Platform.
  • Security as a service with Fortify on Demand by OpenText™.
  • Success of a product is best measured by customers: Gartner Peer Insights, G2, and Fortify customer success stories.
  • Proven leader in the Gartner Magic Quadrant for Application Security Testing.
