
6 Tips for Transforming Technology to Achieve DevSecOps


DevSecOps is growing in popularity, as it allows dev teams to improve the quality and security of their code. Learn how to implement it on your team.


The goal of DevSecOps is to build a bridge between fast and secure software development. Some in the DevOps and AppSec universe maintain that the primary foundations of a DevOps or DevSecOps initiative are the right mindset about quality and processes that support continuous improvement and learning at velocity.

Yet you cannot achieve DevSecOps without the right technologies for integrating security throughout the software lifecycle. The Developer's Guide to the DevSecOps Galaxy explores several strategies for transforming your culture, processes, and technology to build security into DevOps. Let's look at six tips for transforming technology.

1. Automate Security

Automating security testing, through scripted checks, static and dynamic analysis, composition analysis, and the processes that wire them into the pipeline, goes a long way toward identifying flaws early in the lifecycle and speeding up the delivery of secure code.

2. Detect Security Flaws Early

DevSecOps assumes that it’s wise to fail at the developer's desktop rather than on the customer’s laptop or smartphone. Finding code vulnerabilities early requires IDE plugins that deliver instant insights and remediation guidance as problems are introduced.

3. Break the Build

Introducing a security gate in a DevOps build process means that tools can block a release. As a result, they must be configured properly. You also must define and document the exception process because there are essentially two options: go back and fix the problem — potentially delaying the release — or accept the risk and push out the release. Don’t wait to document the exception process until the first time you need it.

4. Don’t Accept High False-Positive Rates

Achieving an effective “break the build” approach requires technology that can deliver valid findings via reports and dashboards, creating operational visibility. Keeping false positives low allows development teams to trust that security tools won’t create additional work for them — otherwise, they’ll start distrusting and working around them.
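The following is an added example, not code from the article or from Waratek, of how the "break the build" gate in tip 3 and the false-positive handling in tip 4 can be expressed in a CI step. The scanner output format, the exception register format and all finding ids are assumptions constructed for this example. The gate blocks on findings at or above a severity threshold unless a documented, time-boxed exception covers them; an expired exception no longer suppresses anything, which is what keeps "accept the risk" from quietly becoming permanent.

```python
"""Added example: a CI security gate with a documented exception register.

Findings and exceptions are constructed JSON in a hypothetical format; a real
pipeline would read the scanner's report file and a version-controlled
exceptions file instead.
"""
from datetime import date
import json
import sys

# Severity ranking used by the gate; a higher number is more severe.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Fixed "today" so the example is reproducible; a pipeline would use date.today().
DEMO_DATE = date(2024, 1, 1)

# Constructed sample scanner output (hypothetical format, not a real tool's).
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "rule": "sql-injection", "severity": "high", "file": "app/db.py"},
    {"id": "F-2", "rule": "weak-hash", "severity": "medium", "file": "app/auth.py"},
    {"id": "F-3", "rule": "hardcoded-secret", "severity": "critical", "file": "tests/fixtures.py"},
])

# Constructed exception register: the documented "accept the risk" and
# "triaged false positive" decisions. Each entry carries an owner, a reason and
# an expiry date so the decision is revisited rather than forgotten.
SAMPLE_EXCEPTIONS = json.dumps([
    {"finding_id": "F-3", "kind": "false-positive", "owner": "appsec",
     "reason": "test fixture, not a production credential", "expires": "2099-01-01"},
    {"finding_id": "F-1", "kind": "accepted-risk", "owner": "team-payments",
     "reason": "parameterisation fix scheduled", "expires": "2000-01-01"},
])


def load_exceptions(raw, today):
    """Return finding_id -> exception for every exception still valid on `today`."""
    active = {}
    for exc in json.loads(raw):
        if date.fromisoformat(exc["expires"]) >= today:
            active[exc["finding_id"]] = exc
    return active


def evaluate_gate(findings_raw, exceptions_raw, threshold="high", today=None):
    """Decide whether the build passes.

    Returns (passed, blocking, suppressed): `blocking` holds findings that fail
    the gate, `suppressed` holds (finding, exception) pairs covered by a valid
    exception. Findings below the threshold are reported elsewhere, never block.
    """
    today = today or date.today()
    exceptions = load_exceptions(exceptions_raw, today)
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for finding in json.loads(findings_raw):
        if SEVERITY_RANK[finding["severity"]] < min_rank:
            continue
        exc = exceptions.get(finding["id"])
        if exc:
            suppressed.append((finding, exc))
        else:
            blocking.append(finding)
    return (not blocking, blocking, suppressed)


def main():
    passed, blocking, suppressed = evaluate_gate(
        SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today=DEMO_DATE)
    for finding, exc in suppressed:
        print(f"suppressed {finding['id']} ({finding['rule']}): "
              f"{exc['kind']} by {exc['owner']}, expires {exc['expires']}")
    for finding in blocking:
        print(f"BLOCKING {finding['id']} {finding['severity']} "
              f"{finding['rule']} in {finding['file']}")
    print("build passed" if passed else "build blocked")
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

Run as written, the gate blocks on F-1 (its accepted-risk exception expired in 2000), suppresses F-3 as a triaged false positive with an owner and reason on record, and ignores the medium-severity F-2 because the threshold is "high". The exception register is the documented exception process tip 3 asks for; keeping it in version control next to the code means every bypass of the gate is reviewable.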

5. Use Composition Analysis

Composition analysis tools can scan entire applications and open-source components to ensure development teams aren’t inadvertently including code with known vulnerabilities. In addition, composition analysis allows you to build an inventory of the components you’re using, so it’s easier to locate and update them when a vulnerability is disclosed. The March 2017 disclosure of a critical vulnerability in Apache Struts 2 left many organizations scrambling — if they even knew they had vulnerable versions of the component — as attackers began exploiting Struts 2 almost immediately.
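As an added example, not from the article or any vendor's product, the following shows the two things composition analysis does in tip 5: build an inventory of third-party components from a resolved dependency manifest, and match that inventory against an advisory feed so the components needing an update can be located quickly. The manifest, the component names, the advisory ids (ADV-PLACEHOLDER-*) and the affected version ranges are all constructed for this example; a real tool reads lockfiles and a vulnerability database. Versions are compared numerically rather than as strings, because "2.10.0" sorts before "2.3.6" as text and would otherwise be flagged falsely.

```python
"""Added example: minimal composition analysis over a constructed manifest.

Builds a component inventory and checks it against a constructed advisory feed.
Nothing here is a real component, advisory id or version range.
"""

# Constructed manifest: one "group:artifact:version" coordinate per line, the
# shape a build tool's resolved dependency list would give you.
SAMPLE_MANIFEST = """\
# resolved dependencies (constructed)
org.example:web-framework:2.10.0
org.example:json-parser:1.4.0
org.example:logging:3.0.1
"""

# Constructed advisory feed. A component is affected when its version lies in
# [introduced, fixed). ADV-PLACEHOLDER-* ids stand in for real advisory ids.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "org.example:web-framework",
     "introduced": "2.0.0", "fixed": "2.3.6", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "component": "org.example:json-parser",
     "introduced": "1.0.0", "fixed": "1.5.0", "severity": "high"},
]


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_inventory(manifest_text):
    """Map 'group:artifact' -> version for every non-comment manifest line."""
    inventory = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        inventory[f"{group}:{artifact}"] = version
    return inventory


def is_affected(version, advisory):
    """True if `version` falls in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_vulnerable(inventory, advisories):
    """Return (component, installed_version, advisory) for every inventory match."""
    hits = []
    for advisory in advisories:
        installed = inventory.get(advisory["component"])
        if installed is not None and is_affected(installed, advisory):
            hits.append((advisory["component"], installed, advisory))
    return hits


def main():
    inventory = build_inventory(SAMPLE_MANIFEST)
    print(f"inventory: {len(inventory)} components")
    for component, installed, advisory in find_vulnerable(inventory, SAMPLE_ADVISORIES):
        print(f"{advisory['severity'].upper()} {advisory['id']}: {component} "
              f"{installed} is affected, update to {advisory['fixed']} or later")


if __name__ == "__main__":
    main()
```

Here the inventory has three components; only json-parser 1.4.0 is flagged, with the fixed version to move to. web-framework 2.10.0 is correctly not flagged even though a naive string comparison would put it below 2.3.6. Keeping the inventory as a build artifact is what lets a team answer "do we ship this component?" on the day a disclosure lands, rather than searching every repository after the fact.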

6. Emphasize Orchestration

Today, it’s possible to spin up computing power through the cloud, grab code from online libraries, and use automated tools to speed software development. As almost everything, including infrastructure, becomes code, finding and eliminating vulnerabilities is mission critical. Recognize that all systems are prone to bugs and errors. You need to "orchestrate" code and systems during rapid spin-ups and shut-downs.

Getting to DevSecOps

Along with the right technology, a DevSecOps framework requires robust processes tied to metrics and key performance indicators and a culture of security.



Published at DZone with permission of John Zorabedian, DZone MVB. See the original article here.
