This post is from the Arxan blog and has not been updated since the original publish date.
Part 1: App Security Should Be an Integral Part of Your DevSecOps Process — Not an Afterthought
What are the key considerations and components of DevSecOps?
The intention of DevSecOps is to build the mindset that everyone is responsible for security — and that security needs to be built into your process, rather than as a perimeter around apps and data.
Traditionally, security review in the Software Development Life Cycle (“SDLC”) was handled by a separate team in the final stage of development. This waterfall approach was workable when development cycles lasted months or years. However, with the rise of agile, Continuous Integration (“CI”) and Continuous Deployment (“CD”) models, it is no longer feasible.
DevSecOps creates a flexible collaboration between release engineers and security teams so that security is built into the DevOps process. This avoids the bottleneck that older security models impose on the CI/CD pipeline, but it requires more communication and shared responsibility between development, IT and security teams, so that security testing and implementation happen in iterations during code development rather than shortly before release.
The two primary benefits of DevSecOps are:
- Better ROI of existing security infrastructure
- Improved operational efficiencies across security and the rest of IT
The six important components of a DevSecOps approach are:
- Code Analysis: Deliver code in small chunks, so vulnerabilities can be identified quickly
- Change Management: Increase speed and efficiency by allowing anyone to submit changes, then determine whether each change is good or bad
- Compliance Monitoring: Be ready for an audit at any time
- Threat Investigation: Identify potential emerging threats with each code update and be able to respond quickly
- Vulnerability Assessment: Identify new vulnerabilities with code analysis, then analyze how quickly they are responded to and patched
- Security Training: Train software and IT engineers with guidelines for the established routines they are expected to follow
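As an added illustration of the code-analysis, compliance-monitoring and vulnerability-assessment components above (example code written for this page, not Arxan's tooling), the following Python script acts as a CI merge gate: it reads a scanner report for one commit, blocks the merge when any open finding is at or above a severity threshold, emits an audit record for the run, and computes remediation metrics (mean time to remediate and SLA breaches). The report schema, the `SLA_HOURS` thresholds and the sample findings are assumptions made for the example.

```python
"""CI security gate: evaluate scanner findings against a merge policy and
track remediation time. Added example, not Arxan code; the report schema,
SLA thresholds and sample data below are assumptions."""
import json
from datetime import datetime, timezone

# Constructed sample scanner output for one commit (not real scanner data).
# Schema assumed: id, rule, severity, location, first_seen, fixed (null if open).
SAMPLE_REPORT = """
{
  "commit": "abc123",
  "findings": [
    {"id": "F-1", "rule": "sql-injection", "severity": "high",
     "location": "app/db.py:42", "first_seen": "2023-01-10T09:00:00Z", "fixed": null},
    {"id": "F-2", "rule": "hardcoded-secret", "severity": "critical",
     "location": "app/config.py:7", "first_seen": "2023-01-03T12:00:00Z", "fixed": "2023-01-04T12:00:00Z"},
    {"id": "F-3", "rule": "outdated-dependency", "severity": "medium",
     "location": "requirements.txt:3", "first_seen": "2023-01-01T00:00:00Z", "fixed": null},
    {"id": "F-4", "rule": "weak-hash", "severity": "low",
     "location": "app/auth.py:19", "first_seen": "2023-01-01T00:00:00Z", "fixed": "2023-01-04T00:00:00Z"}
  ]
}
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed remediation SLA in hours per severity; tune to your own policy.
SLA_HOURS = {"critical": 24, "high": 72, "medium": 168, "low": 720}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def load_findings(report_text):
    return json.loads(report_text)["findings"]


def evaluate_gate(findings, fail_at="high"):
    """Merge gate: block if any open finding is at or above fail_at severity.
    Returns (passed, blocking_ids, warning_ids)."""
    threshold = SEVERITY_RANK[fail_at]
    open_findings = [f for f in findings if f["fixed"] is None]
    blocking = [f["id"] for f in open_findings if SEVERITY_RANK[f["severity"]] >= threshold]
    warnings = [f["id"] for f in open_findings if SEVERITY_RANK[f["severity"]] < threshold]
    return (not blocking, blocking, warnings)


def mean_time_to_remediate_hours(findings):
    """Average first_seen -> fixed interval over fixed findings; None if nothing is fixed."""
    durations = [
        (parse_ts(f["fixed"]) - parse_ts(f["first_seen"])).total_seconds() / 3600
        for f in findings if f["fixed"] is not None
    ]
    if not durations:
        return None
    return sum(durations) / len(durations)


def sla_breaches(findings, now, sla_hours=SLA_HOURS):
    """IDs of open findings whose age exceeds the SLA for their severity."""
    breached = []
    for f in findings:
        if f["fixed"] is not None:
            continue
        age_hours = (now - parse_ts(f["first_seen"])).total_seconds() / 3600
        if age_hours > sla_hours[f["severity"]]:
            breached.append(f["id"])
    return breached


def run_gate(report_text, now, fail_at="high"):
    """One pipeline step: returns an audit record (for compliance logging)
    and an exit code for the CI runner (0 = merge allowed, 1 = blocked)."""
    findings = load_findings(report_text)
    passed, blocking, warnings = evaluate_gate(findings, fail_at)
    record = {
        "commit": json.loads(report_text)["commit"],
        "evaluated_at": now.isoformat(),
        "policy": {"fail_at": fail_at, "sla_hours": dict(SLA_HOURS)},
        "passed": passed,
        "blocking": blocking,
        "warnings": warnings,
        "sla_breaches": sla_breaches(findings, now),
        "mttr_hours": mean_time_to_remediate_hours(findings),
    }
    return record, (0 if passed else 1)


if __name__ == "__main__":
    now = datetime(2023, 1, 12, 9, 0, tzinfo=timezone.utc)
    record, code = run_gate(SAMPLE_REPORT, now)
    print(json.dumps(record, indent=2))
    raise SystemExit(code)
```

Run as a pipeline step, the non-zero exit code stops the merge while the printed record, kept with the build logs, is the per-commit evidence an auditor would ask for; the MTTR and SLA figures are the "how quickly are findings patched" measure the vulnerability-assessment component calls for. The small, per-commit scope is what makes the blocking decision cheap enough to run on every change rather than once before release.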
By integrating security into the agile development process, organizations will be able to address security threats more effectively, in real time. Making security a shared responsibility between development, IT and security teams should help change the perception that security is a burden and slows down the agile process — in addition to sensitizing the entire team to the need for speed and agility to deliver new solutions to market.
To learn more about how to start implementing a DevSecOps process into your organization, read our blog next week.