A Case for DevSecOps

by Srinivas Kedarisetty

Gone are the days when application security was the responsibility of the security team alone. I remember that, even a few years ago when I was part of a development team, our software would go through a security assessment only a few days before go-live. It scares me now to realize that we took a huge risk by deferring the security assessment to the tail end of the development phase.

The increase in security incidents in recent years has had one fortunate outcome: managers now recognize how critical application security is. Enterprises have started to look deeper into the development process and to include security assessments more frequently, at various intervals. One challenge organizations face, however, is adapting the security control process to the changing landscape of application development. With DevOps seen as the industry standard for efficient and fast software delivery, security must be included in the model. Otherwise, the time taken to fix one critical security flaw found right before go-live may wipe out all the savings made by adopting DevOps best practices.

DevSecOps takes DevOps to the next level by treating security as a critical component during the development phase itself. The objective of DevSecOps is to build security in and to prevent flaws and violations from the beginning of development. In the DevSecOps process, an application security scanner is added to the DevOps pipeline so that a build does not pass until its critical security flaws are fixed. Following this process has several benefits, listed below.

  • Developers become much more aware of the security requirements of the system. Such a holistic view of the application makes them more proficient coders.
  • Greatly reduces the time to fix security flaws. A flaw found during development takes much less time to fix than one found just before production.
  • Encourages collaboration with the security assessment team rather than seeing that team as a roadblock to software delivery.
  • Encourages rapid feedback, staying true to the principles of agile delivery.
  • Automates the security assessment step, reducing manual intervention and the things that can consequently go wrong.
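The pipeline gate described above, as an added example that is not the article's own code: a small Python build step that reads a scanner report, compares each open finding against a severity threshold, and fails the build when anything at or above that threshold remains. The report layout (a `findings` list with `severity` and `status` fields) is a constructed, tool-neutral format; real scanners emit their own formats, so `load_findings` is the part you would adapt. Unknown severity labels are treated as blocking, so a scanner that introduces a new level cannot slip past the gate silently.

```python
"""Security gate for a DevSecOps pipeline (added example, not from the article).

Reads a scanner report, keeps the findings that are still open, and exits
non-zero when any of them is at or above the configured severity threshold,
which makes the CI job fail and stops the build from being promoted.
"""
import json
import sys

# Severity ranking used to compare findings against the gate threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report standing in for a real scanner's output.
# The layout is an assumption made for this example, not a vendor format.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "critical",
         "file": "app/orders.py", "line": 42, "status": "open"},
        {"id": "F-2", "rule": "hardcoded-secret", "severity": "high",
         "file": "app/config.py", "line": 7, "status": "open"},
        {"id": "F-3", "rule": "weak-hash", "severity": "medium",
         "file": "app/auth.py", "line": 88, "status": "open"},
        {"id": "F-4", "rule": "xss", "severity": "critical",
         "file": "app/views.py", "line": 13, "status": "fixed"},
    ]
})


def load_findings(report_text):
    """Parse the report and return only the findings that are still open."""
    data = json.loads(report_text)
    return [f for f in data.get("findings", [])
            if f.get("status", "open") == "open"]


def blocking_findings(findings, threshold="high"):
    """Return the findings at or above the threshold severity.

    A severity the gate does not recognise is treated as blocking, so a
    changed scanner vocabulary fails closed rather than open.
    """
    floor = SEVERITY_RANK[threshold]
    blocking = []
    for finding in findings:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower())
        if rank is None or rank >= floor:
            blocking.append(finding)
    return blocking


def security_gate(report_text, threshold="high"):
    """Return (passed, blocking): passed is True only when nothing blocks."""
    findings = load_findings(report_text)
    blocking = blocking_findings(findings, threshold)
    return (len(blocking) == 0, blocking)


def main(argv):
    """CLI entry: gate.py [threshold] [report.json]; exit 1 on failure."""
    threshold = argv[1] if len(argv) > 1 else "high"
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            report_text = fh.read()
    else:
        report_text = SAMPLE_REPORT
    passed, blocking = security_gate(report_text, threshold)
    for f in blocking:
        print(f"BLOCK {f.get('severity', '?'):<9} {f.get('rule', '?'):<18} "
              f"{f.get('file', '?')}:{f.get('line', '?')}")
    print("security gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline step after the scanner (for example `python gate.py high report.json`); a non-zero exit code is what makes the CI job fail. Keeping the threshold as a parameter lets a team start at `critical` and tighten to `high` or `medium` as the backlog of older findings is worked down, which is the incremental adoption the article's buy-in point calls for.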

As with any change management process, implementing DevSecOps will succeed only if the team and management buy into the idea. Developers should be trained in security principles and secure coding practices. Once trained, they need to be incentivized to follow those practices throughout the coding process.

In short, DevSecOps provides a great opportunity to build security into the product without skyrocketing the cost of product development.

Srinivas Kedarisetty, Security Product Owner
Srinivas has more than 18 years of experience in leading IT delivery teams across India, the U.S. and Europe while managing product security, microservices and SDK. Highly skilled in developing and driving products from conception through the entire product lifecycle, Srinivas has a track record of improving products and teams to create value for customers.