In the space of time it takes you to read this blog post and finish your morning coffee, a company at the vanguard of DevSecOps, such as Etsy, Amazon or Netflix, will have completed yet another deployment – one of potentially thousands per day. Deployment frequency has accelerated to a pace that would have been unthinkable just six years ago, often at the cost of robust security assurance of the code under development.
So, the natural question is: How can companies effectively scale their security processes to keep pace with the velocity of development we see today?
My experience has been that a focus on automation alone is insufficient. Instead, it takes a blend of automation, cultural change and integration of security processes throughout the development life cycle to achieve effective layered security in such agile environments.
In my view, effective strategies for marrying security and DevOps are not yet being implemented broadly enough. A combination of budget constraints, a lack of awareness of security and governance best practices, and reactive approaches to security are to blame. Technology and business leaders need to carefully assess what changes are necessary to effectively secure their software development life cycles.
Effective DevSecOps demands that security practices be “shifted to the left” of the product development life cycle and integrated into each stage of development to identify and address security issues earlier and more cost-effectively than is possible with a traditional, more reactive security approach. This new proactive testing paradigm engages security at the outset of the development process, empowers developers with effective tools to identify and remediate security findings, and ensures that only secure commits are ultimately pushed to the code repository.
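As an added illustration of the "only secure commits get through" point (this is example code, not something from the original post or any particular vendor), the following pipeline gate reads a scanner report, applies a written policy with a severity threshold and time-limited, path-bound risk exceptions, and returns a non-zero exit code when a commit should be blocked. The report format, policy format, rule names and sample findings are all constructed for the example.

```python
"""Added example: a shift-left security gate that decides whether a commit may
proceed, based on scanner findings and a written policy. Not code from the
original post; the report shape, policy shape and sample data are assumed."""
import json
from dataclasses import dataclass
from datetime import date

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int


# Constructed scanner output (hypothetical JSON shape, not a real tool's format).
SAMPLE_REPORT = json.dumps({"findings": [
    {"rule_id": "hardcoded-secret", "severity": "critical", "path": "app/config.py", "line": 12},
    {"rule_id": "sql-string-concat", "severity": "high", "path": "app/db.py", "line": 40},
    {"rule_id": "weak-hash", "severity": "high", "path": "app/legacy.py", "line": 7},
    {"rule_id": "debug-logging", "severity": "low", "path": "app/views.py", "line": 3},
]})

# Constructed policy: fail on "high" or worse; an accepted risk must name the
# exact path it covers and carry an expiry date so it cannot linger forever.
SAMPLE_POLICY = {
    "fail_on": "high",
    "exceptions": {
        "sql-string-concat": {"path": "app/db.py", "expires": "2099-01-01", "ticket": "TICKET-PLACEHOLDER"},
        "weak-hash": {"path": "app/legacy.py", "expires": "2000-01-01", "ticket": "TICKET-PLACEHOLDER"},
    },
}

# Constructed evaluation date so the example is reproducible.
SAMPLE_TODAY = date(2024, 1, 1)


def parse_findings(report_json: str) -> list[Finding]:
    """Turn the scanner's JSON into Finding objects; unknown severities are rejected."""
    findings = []
    for raw in json.loads(report_json)["findings"]:
        sev = raw["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for rule {raw['rule_id']}")
        findings.append(Finding(raw["rule_id"], sev, raw["path"], int(raw["line"])))
    return findings


def evaluate_gate(findings: list[Finding], policy: dict, today: date) -> dict:
    """Apply the policy; return blocking findings and exceptions that have lapsed."""
    threshold = SEVERITY_RANK[policy["fail_on"]]
    blocking, expired = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < threshold:
            continue  # below the threshold: still reported, but does not block
        exc = policy["exceptions"].get(f.rule_id)
        # An exception only covers the path it was granted for, and only until it expires.
        if exc and exc["path"] == f.path:
            if date.fromisoformat(exc["expires"]) >= today:
                continue
            expired.append(f)
        blocking.append(f)
    return {"passed": not blocking, "blocking": blocking, "expired_exceptions": expired}


def run_gate(report_json: str, policy: dict, today: date) -> int:
    """Pipeline entry point: 0 lets the commit through, 1 fails the stage."""
    result = evaluate_gate(parse_findings(report_json), policy, today)
    for f in result["blocking"]:
        print(f"BLOCK {f.severity:<8} {f.rule_id} at {f.path}:{f.line}")
    for f in result["expired_exceptions"]:
        print(f"NOTE  exception for {f.rule_id} at {f.path} has expired; renew or fix")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(run_gate(SAMPLE_REPORT, SAMPLE_POLICY, SAMPLE_TODAY))
```

Run on the sample data, the gate blocks the critical finding and the high finding whose exception has lapsed, while the low finding and the still-valid exception pass; the expiry check is what keeps "accepted risk" from quietly becoming "permanent risk".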
Beyond these changes, the most effective DevSecOps organizations are capturing continuous feedback from production security tools (e.g. IDS/IPS and RASP) to keep rule sets and policies for application security testing tools up to date and relevant to the latest threats. In addition, leading organizations are using interactive developer tools to aid identification of issues by providing tailored training to help developers identify commonly missed issues. Finally, organizations that excel at DevSecOps ensure that they relate security issues to their business context, which showcases security as an enabler rather than an inhibitor of business expansion.
Another key aspect of DevSecOps is infrastructure. Increasingly, legacy, appliance-focused solutions are being supplanted by software-defined networking, hybrid cloud environments (a mix of on-premises, private cloud and public cloud services with orchestration between all platforms) and network micro-segmentation (fine-grained security policies assigned to data center applications, down to the workload level). This shift in the prevailing engineering paradigm demands that we extend no implicit trust to any connection, whether it originates inside or outside the network perimeter, and instead verify every connection attempt before granting access. In addition, discovery, identity and access management, and monitoring of perimeter assets become even more important with these changes.
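To make the "verify every connection, trust no location" rule concrete, here is an added example (not code from the original post, and not any product's policy engine) of a default-deny, identity-based connection check of the kind a micro-segmentation layer applies per workload. The workload names, ports, the policy shape and the sample connection attempts are constructed; the source zone is carried along only so the audit records show that it never influences the decision.

```python
"""Added example: a default-deny, identity-based connection check in the style of
a zero-trust / micro-segmentation policy. Not code from the original post; the
workload names, ports and policy shape are assumed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionAttempt:
    src_identity: str         # workload identity proven by its client certificate (assumed naming)
    dst_identity: str
    dst_port: int
    identity_verified: bool   # True only if the mTLS handshake validated the certificate
    src_zone: str             # where the packet came from; deliberately NOT a trust signal


# Constructed allow list: each rule names an identity pair and the ports it may use.
# Anything not matched here is denied, regardless of network location.
SAMPLE_POLICY = [
    {"src": "web-frontend", "dst": "orders-api", "ports": {8443}},
    {"src": "orders-api", "dst": "orders-db", "ports": {5432}},
]

# Constructed attempts: the second comes from inside the data center yet is still denied,
# the third presents the right identity but never proved it.
SAMPLE_ATTEMPTS = [
    ConnectionAttempt("web-frontend", "orders-api", 8443, True, "external"),
    ConnectionAttempt("web-frontend", "orders-db", 5432, True, "internal"),
    ConnectionAttempt("orders-api", "orders-db", 5432, False, "internal"),
    ConnectionAttempt("orders-api", "orders-db", 5432, True, "internal"),
]


def authorize(attempt: ConnectionAttempt, policy: list[dict]) -> tuple[bool, str]:
    """Decide one connection: identity must be verified first; the zone is never consulted."""
    if not attempt.identity_verified:
        return False, "deny: caller identity not verified"
    for rule in policy:
        if (rule["src"] == attempt.src_identity
                and rule["dst"] == attempt.dst_identity
                and attempt.dst_port in rule["ports"]):
            return True, f"allow: {rule['src']} -> {rule['dst']}:{attempt.dst_port}"
    return False, "deny: no matching rule (default deny)"


def audit_batch(attempts: list[ConnectionAttempt], policy: list[dict]) -> list[dict]:
    """Evaluate several attempts and return records a monitoring pipeline can ingest."""
    records = []
    for a in attempts:
        allowed, reason = authorize(a, policy)
        records.append({"src": a.src_identity, "dst": a.dst_identity, "port": a.dst_port,
                        "zone": a.src_zone, "allowed": allowed, "reason": reason})
    return records


def denied_from_internal(records: list[dict]) -> int:
    """Count denials that came from inside the perimeter: the cases a location-based model would have let through."""
    return sum(1 for r in records if r["zone"] == "internal" and not r["allowed"])


if __name__ == "__main__":
    audit = audit_batch(SAMPLE_ATTEMPTS, SAMPLE_POLICY)
    for r in audit:
        verdict = "ALLOW" if r["allowed"] else "DENY "
        print(verdict, r["src"], "->", f"{r['dst']}:{r['port']}", f"[{r['zone']}]", r["reason"])
    print("denied although internal:", denied_from_internal(audit))
```

The two internal denials are the point of the exercise: under a perimeter model both connections would have been trusted by virtue of their source address, whereas here one fails because the identity pair is not allowed and the other because the identity was never proven. Shipping the audit records to the monitoring pipeline is what turns those decisions into the visibility the paragraph calls for.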