The integration of secure development best practices and methodologies into development and deployment processes is called SecDevOps. Meaning that SecDevOps aims to prevent security issues from appearing during the development process.
What is DevOps
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary to Agile software development; several DevOps aspects came from the Agile methodology.
How DevOps Works
The concept of DevOps practices and agility is nothing new for most companies and developers circling the sun. The most well-known frameworks (e.g., Scrum, XP, etc.) are applied in many development teams and benefits teams, companies, and customers. For example, evidence shows that agile methods cause better performances in comparison to the outdated waterfall method.
According to Puppet’s 2017 State of DevOps Report, high-performing DevOps organizations deploy code 46 times more frequently, with changes being one-fifth as likely to fail in comparison with their lower-performing counterparts.(newrelic.com)
The outdated waterfall method is the most significant contributor to project failure and security concerns for many companies. Another problem with traditional step-by-step programming is that products do not meet customers’ demands and need to be redesigned, taking time and money. So instead, development teams work closely with the customer through DevOps pipelines and continuous deployment and adjust fewer things at the end of the project.
SecDevOps – Putting Security in the Development Pipelines
The goal of DevOps is to create and integrate more features in a shorter time. The risk of this agility is that new versions’ security testing is only applied at the end of the project or after significant releases. Or in some cases, external security teams are hired to perform code reviews or penetration tests.
Since testing takes time and resources or seeking security professionals, developers often do not write their security tests for the software. That is why many companies release new software versions without prior even basic security practices being performed. Especially in the area of web applications, these untested versions become a prime target for hackers.
This lack of continuity in security activities contributes to the 30,000 websites that are hacked every day. So now, the question arises: How can companies leverage the potential of DevOps development while also creating secure software?
SecDevOps Moves Application Security to the Left
And the answer is… shifting security to the left, which is what SecDevOps focuses on. Everyone is responsible for security from the start, even if they adopt an incident response system.
Developers need to make decisions with secure coding practices in mind. They use threat models and have a test-driven environment that includes security test cases. Continuous integration and security testing need to be part of the process and product lifecycle.
A thorough understanding of how the application works to identify how it can be vulnerable is required by SecDevOps. This will give you an idea of protecting it from security threats and establishing proper security guidance. Meaning threat models are often used throughout the development lifecycle to accomplish this and prevent security flaws.
The SecDevOps approach helped the company speed up its development process while reducing code vulnerabilities by 40 to 50 percent.
Example SecDevOps Workflow
Developers use a version control management system to keep track of code changes and collaborate on projects. They can also separate tasks by using branches. To simplify it, it looks a lot like the following steps:
- The developer creates code following the security requirements and commits the changes to the version control system.
- Another dev team member receives a task to review the submitted code by analyzing the static code and checking for security issues or bugs.
- Submitting the code to the test environment and applying the security configurations.
- Running a dynamic automated security testing tool on the test environment app.
- Pushing the app from Test to Production environment.
- Running continuous security monitoring on Production for any active cyber threats.
Best practices for SecDevOps
On the one hand, higher agility leads to a higher production speed and more features in a shorter period. On the other hand, however, this might lead to complexity and security breaches.
On the other hand, security is necessary to protect a business but takes time to implement the agility enemy. So, how are companies able to combine the two?
We want to share a few practices to consider when integrating security and agility to create SecDevOps.
- Security policies and activities shouldn’t be seen as an additional layer put upon DevOps after every deployment but rather as a continuous practice that needs to be thought of from the very beginning of every development cycle.
- Development teams need to reconsider existing processes and practices. Every application or tool needs to be thoroughly checked, to whether it negatively impacts the companies’ security. Perhaps additional mechanisms need to be implemented to monitor the security status of a project.
- To fully implement a security mindset into every corner of the company, Executives have to make sure that a “Security Culture” is lived in every department of the organization.
- As it is neither sufficient to solely think of security at the beginning of the end of a development cycle, developers need to have it in the back of their minds at every point in time. However, this can be exhausting if multiple projects are handled, and the security needs to be checked manually. A simple solution is the implementation of an automated security testing software or SecDevOps tools.
For example, Crashtest Security offers an automated security scanner that continuously checks an application after deploying it to the test system. That way, developers can concentrate on creating features that create business value.
Top SecDevOps Benefits
We have already shown how companies can protect what they created using DevOps. Additionally to the support that comes with security, a few aspects are only possible by integrating SecDevOps. Below, we have put together three major benefits of implementing IT security.
- Enhanced Productivity: With an integrated security framework, developers are enabled to work more efficiently. Every product iteration is secured, and there has to be no worry to spend on security once the project is close to being finished. Additionally, suppose the entire IT infrastructure is safe. In that case, developers can work from anywhere with their computer without concern that a single computer can lead to a hacking attack (e.g., by entering a public Wi-Fi).
- Data Protection: After the employees, data is the most valuable asset for any company. Data is what leads to customer insights and higher business value. Losing access to business data (e.g., through a ransomware attack) can decrease productivity or freeze the entire IT infrastructure (as with the Sony example). In addition, it might lead to direct costs since most companies decide to pay the ransom. A loss of customer data can be even worse since a lack of customer trust has a high impact on sales in the long run.
- Cost savings: The benefits above already lead to (in-)direct cost savings. Additionally, implementing IT security saves money since the cost of fixing a vulnerability is ten times higher than the cost of securing the application in an earlier stage. As the EU issued the GDPR standards in 2018, companies also have to comply with the regulation to avoid high penalties and the public exposure of vulnerabilities that (probably) lead to decreasing sales.
If following the suggestions above, companies can enhance productivity and business value by implementing SecDevOps.
Read in our whitepaper how your company can quickly implement these other efficient security best practices!