Category: shift left testing

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, "What do you consider to be the most important elements of a successful DevSecOps implementation?" Here's what they told us:

Automation

• Include the automation of security into the process. Automate as many steps as possible. Have DevOps teams engage the security side throughout the value stream, looking for hold points, templatizing security aspects, standardizing the process, automate so those things just happen as part of the process. Bring everyone together onto one team.
• Mobile grew out of DevOps and security was always important to the process. Netflix just does DevOps as part of engineering. Eliminate as many manual steps as possible so security becomes a first-class citizen in DevOps workflows. Add security to the mix. You can’t create a manual workflow, or it will get bypassed. Security has to be tightly coupled with Jenkins, JIRA, and other frequently used DevOps tools.
• Empower customers to get more automated when it comes to vulnerability management. There are four components to this: 1) people, more collaboration around shared goals around security; 2) processes move from waterfall of CD/CD/CI infusing security early in the process; 3) select tools and technology to increase the velocity of deployment in a DevOps model, remediate as you find errors or vulnerabilities, automate at speed; 4) guiding principles to follow around security and methodology. Create a measurement and monitoring piece.
• Integrate security into the CI/CD lifecycle. Bake security into the entire automation process. Bake in security automation like scanning and scanning different environments enables DevOps teams to create a certain level of hygiene. Invest in small cycles to set up profiles and a baseline to automate and detect hygiene risks.
• The most important elements of a successful DevSecOps implementation are automation and collaboration. 1) With DevSecOps, the goal is to embed security early on into every phase of the development/deployment lifecycle. By designing a strategy with automation in mind, security is no longer an afterthought; instead, it becomes part of the process from the beginning. This ensures security is ingrained at the speed and agility of DevOps without slowing business outcomes. 2) Similar to DevOps where there is close alignment between developers and technology operations engineers, collaboration is crucial in DevSecOps. Rather than considering security to be “someone else’s job,” developers, technology operations and security teams all work together on a common goal. By collaborating around shared goals, DevSecOps teams make informed decisions in a workflow where there is the biggest context around how changes will impact production and the least business impact to take corrective action.
• The key to successful DevSecOps is the automation of security controls inside the DevOps pipeline. Ten principles to follow for DevSecOps implementation: 1) Principle of least privilege for all services that process (read, write, or update) data. 2) Enforcing tight access security for API endpoints. 3) Running SAST (static application security testing) tools as part of the nightly build process and running DAST (dynamic application security testing) tools to identify security defects in running containers. 4) Scanning any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline. 5) Automated tests for security capabilities wired into the acceptance test process. These automated tests include input validation as well as authentication and authorization enforcement. 6) Isolation of containers from one another, avoiding any dependencies and keeping them entirely stateless to eliminate high-value targets for attackers. 7) Automated security updates, such as patches for known vulnerabilities, by means of the DevOps pipeline with an audit log. 8) Reduce the attack surface by using a secure API gateway that enforces fine-grained and scope-grained access to sensitive API endpoints. 9) Automated service configuration management, allowing for compliance with security policies and the elimination of manual errors. 10) Continuous monitoring, audit, and remediation of security defects across the application lifecycle. Also, firewalls should continue to defend in-depth by isolating services. Intrusion detection is a lot harder using containers, so looking at network behavior helps detect abnormal traffic patterns. If possible, security tooling should be a gate to deployments (applies to SAST and DAST). However, all this automated flow should still be validated by external pen tests to make sure automation covers all aspects. Additionally, Incident Response plans should be created and practiced for all new environments to ensure they have the capability to preserve evidence to aid in investigations and staff knows how to execute the plan, either themselves or who to outsource it to.