Integrate AppSec for a True DevSecOps Culture


With developers and security teams pushing themselves for quicker production times, higher velocity and increased cost savings, I’ve found that one way to achieve all of these objectives is by creating a DevSecOps culture in your organization. If you’re currently viewing security as individual, one-off issues or in a reactive fashion, you’re putting your system at serious risk for an attack – with huge cost implications. And while some companies see developers and security as teams who operate best when they’re working separately, many have discovered that integrating AppSec into DevOps will actually improve their performance at every level.

Here’s how to get started:

Overcome resistance to change

I’ve found that “not wanting to change” is usually the biggest reason organizations are hesitant to integrate DevSecOps. Change takes time and effort. Developers and security must work together, and there tends to be a learning curve on both sides. Developers need to learn how vulnerabilities are introduced into the development process, and the security team needs to understand coding to provide examples (e.g. input sanitization, parameterized SQL queries). Be aware of the time this takes, but be assured that it’s worth it.

Foster a culture of openness

DevSecOps is a true cultural shift dependent on communication, and you’ll be selling the concept short if you look at it any other way. By having an open flow of communication between your development and security teams, you’re promoting a culture of collaboration and continuous learning which is necessary when integrating functional areas. One helpful tip is to develop use and abuse cases. These provide illustrative models of not only how an application can be appropriately used, but also where ‘bad actors’ can exploit the application.

Make security your default setting

With more high-profile security breaches than ever, sustainable security needs to be top of mind. After all, a crucial part of DevSecOps culture is having security integrated within all DevOps practices. Conduct regular scans, risk assessments, and penetration tests, and don’t forget: the majority of successful cyber attacks happen due to human error.

Encourage developers to become security-aware

Once developers see how vulnerabilities can be exploited in real time, it’s very easy for them to understand the importance of application security. I’ve seen this many times when working with developers; once you sit down with them and start performing a penetration test, or demonstrate concepts like cross-site scripting, SQL injection, or command injection, they understand the implications and want to produce secure code. Sometimes it just takes a little collaboration with the security team to help accomplish this.
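The two sections above mention the kind of concrete example a security team would bring to this sit-down: input sanitization and parameterized SQL queries, shown against a SQL injection demonstration. The following is an added example written for this page, not the author's own material or any tool he describes. It assumes an in-memory SQLite database with two constructed users, and puts the defective string-built query beside the parameterized query and an allow-list validator, so a developer can run both against the same input and see why only one of them treats user input strictly as data.

```python
import re
import sqlite3

# Constructed demo database: one table with two made-up users (not real data).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' picture: the username is spliced into the SQL text, so
    quote characters in the input become part of the query grammar."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the username is passed as a bound parameter, so the driver
    hands it to the engine as a value and it can never alter the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Allow-list validation (the 'input sanitization' the text refers to). This is
# defense in depth: it rejects input the application never expects, but it is
# not a substitute for parameterization, which is what actually closes the bug.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def demo() -> dict:
    """Runs a normal lookup and a constructed quote-bearing input through
    both query styles and returns the rows each one produced."""
    conn = build_demo_db()
    normal = "alice"
    # Constructed input that a walkthrough would use to show the grammar break.
    malformed = "x' OR '1'='1"
    return {
        "valid_normal": is_valid_username(normal),
        "valid_malformed": is_valid_username(malformed),
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_malformed": find_user_vulnerable(conn, malformed),
        "parameterized_normal": find_user_parameterized(conn, normal),
        "parameterized_malformed": find_user_parameterized(conn, malformed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the point in one screen: the string-built query returns every user for the malformed input because the condition collapsed to always-true, the parameterized query returns no rows because it looked for a user literally named `x' OR '1'='1`, and the allow-list would have rejected that input at the boundary before either query ran.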

Once security is integrated into DevOps you’ll see the time-to-production speed up. Having security as part of the development process reduces the need for additional penetration testing, as well as dynamic and static analyses to ensure the security of the application. With DevSecOps, it’s easier to spot vulnerabilities much earlier, so you can avoid costly delays.

Having an integrated team means developers can write secure code from the beginning, and the security team can spend more time on key initiatives like vulnerability management and endpoint security. Achieving a fundamental shift in your DevOps approach can seem overwhelming, but by integrating AppSec, and therefore prioritizing collaboration and openness, you’ll soon be reaping the benefits that accompany a DevSecOps culture.

About the Author:

Joe Sullivan is a principal consultant at Rural Sourcing in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute.
