6 Tips for Transforming Technology to Achieve DevSecOps

DevSecOps is growing in popularity, as it allows dev teams to improve the quality and security of their code. Learn how to implement it on your team.

By John Zorabedian
Jun. 23, 17 · Security Zone · Analysis

The goal of DevSecOps is to build a bridge between fast and secure software development. Some in the DevOps and AppSec universe maintain that the primary foundations of a DevOps or DevSecOps initiative are the right mindset about quality and processes that support continuous improvement and learning at velocity.

Yet you cannot achieve DevSecOps without the right technologies for integrating security throughout the software lifecycle. The Developer's Guide to the DevSecOps Galaxy explores several strategies for transforming your culture, processes, and technology to build security into DevOps. Let's look at six tips for transforming technology.

1. Automate Security

The ability to automate security testing through scripting, static and dynamic analysis, composition analysis, and processes goes a long way toward identifying flaws early in the lifecycle and speeding up the delivery of secure code.

2. Detect Security Flaws Early

DevSecOps assumes that it’s wise to fail at the developer's desktop rather than on the customer’s laptop or smartphone. Finding code vulnerabilities early requires IDE plugins that deliver instant insights and remediation guidance as problems are introduced.

3. Break the Build

Introducing a security gate in a DevOps build process means that tools can block a release. As a result, they must be configured properly. You also must define and document the exception process because there are essentially two options: go back and fix the problem — potentially delaying the release — or accept the risk and push out the release. Don’t wait to document the exception process until the first time you need it.

4. Don’t Accept High False-Positive Rates

Achieving an effective “break the build” approach requires technology that can deliver valid findings via reports and dashboards, creating operational visibility. Keeping false positives low allows development teams to trust that security tools won’t create additional work for them — otherwise, they’ll start distrusting and working around them.
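The gate described in tips 3 and 4, as an added example that is not part of the original article: a build step fails on findings at or above a severity threshold unless a documented, time-bounded exception covers them. The findings, the exception register and its field names are constructed placeholders.

```python
"""Break-the-build gate with a documented, time-bounded exception process.

Added example, not from the original article. The findings, exception
register and field names are constructed placeholders.
"""
from datetime import date

# Constructed scanner findings (not real results).
FINDINGS = [
    {"id": "SQLI-001", "severity": "high", "component": "orders-api"},
    {"id": "XSS-017", "severity": "medium", "component": "web-ui"},
    {"id": "DEP-0042", "severity": "critical", "component": "legacy-lib"},
]

# Constructed exception register. Every accepted risk records who accepted it,
# why, and when the acceptance expires, so the decision is written down before
# the first time the gate trips. ISO dates compare correctly as strings.
EXCEPTIONS = {
    "DEP-0042": {
        "owner": "appsec-lead",
        "reason": "compensating control in place; upgrade scheduled",
        "expires": "2017-09-30",
    },
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def evaluate_gate(findings, exceptions, threshold="high", today=None):
    """Return (passed, blocking_ids, accepted). A finding blocks the build when
    its severity meets the threshold and no unexpired exception covers it."""
    today = today or date.today().isoformat()
    blocking, accepted = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue  # below the gate's threshold: report it, don't block
        exc = exceptions.get(f["id"])
        if exc and exc["expires"] >= today:
            accepted.append((f["id"], exc["owner"], exc["expires"]))
        else:
            blocking.append(f["id"])  # no exception, or the exception lapsed
    return (not blocking, blocking, accepted)

if __name__ == "__main__":
    passed, blocking, accepted = evaluate_gate(FINDINGS, EXCEPTIONS, today="2017-06-23")
    for fid, owner, expires in accepted:
        print(f"risk accepted: {fid} (owner {owner}, expires {expires})")
    for fid in blocking:
        print(f"BLOCKING: {fid}")
    raise SystemExit(0 if passed else 1)  # non-zero exit breaks the build
```

An expired exception stops covering its finding, so a lapsed risk acceptance blocks the build again instead of silently persisting.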

5. Use Composition Analysis

Composition analysis tools can scan entire applications and open-source components to ensure development teams aren’t inadvertently including code with known vulnerabilities. In addition, composition analysis allows you to build an inventory of the components you’re using, so it’s easier to locate and update them when a vulnerability is disclosed. The March 2017 disclosure of a critical vulnerability in Apache Struts 2 left many organizations scrambling — if they even knew they had vulnerable versions of the component — as attackers began exploiting Struts 2 almost immediately.
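The inventory use described above, as an added example that is not part of the original article: given a component inventory built by composition analysis, answer "which applications ship an affected version?" the day an advisory lands. Component names, versions and the advisory's affected ranges are constructed placeholders, not a real advisory.

```python
"""Component inventory lookup against a newly disclosed advisory.

Added example, not from the original article. Component names, versions and
the advisory's affected ranges are constructed placeholders.
"""

def parse_version(v):
    """'2.3.31' -> (2, 3, 31); pads short versions with zeros so 2.5 == 2.5.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def in_range(version, low, high):
    """Inclusive range test on parsed versions (tuple comparison)."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

# Constructed inventory: one record per (application, component, version),
# the kind of data composition analysis records on every build.
INVENTORY = [
    {"app": "orders-api", "component": "example-web-framework", "version": "2.3.20"},
    {"app": "billing", "component": "example-web-framework", "version": "2.5.11"},
    {"app": "web-ui", "component": "example-json-lib", "version": "1.4.0"},
    {"app": "reports", "component": "example-web-framework", "version": "2.5"},
]

# Constructed advisory with placeholder id and ranges; not a real CVE.
ADVISORY = {
    "id": "ADV-PLACEHOLDER-001",
    "component": "example-web-framework",
    "affected": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")],
}

def find_exposed(inventory, advisory):
    """Return sorted (app, version) pairs whose component falls in an affected range."""
    exposed = []
    for rec in inventory:
        if rec["component"] != advisory["component"]:
            continue
        if any(in_range(rec["version"], lo, hi) for lo, hi in advisory["affected"]):
            exposed.append((rec["app"], rec["version"]))
    return sorted(exposed)

if __name__ == "__main__":
    for app, version in find_exposed(INVENTORY, ADVISORY):
        print(f"{ADVISORY['id']}: {app} ships {ADVISORY['component']} {version}")
```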

6. Emphasize Orchestration

Today, it’s possible to spin up computing power through the cloud, grab code from online libraries, and use automated tools to speed software development. As almost everything, including infrastructure, becomes code, finding and eliminating vulnerabilities is mission critical. Recognize that all systems are prone to bugs and errors. You need to "orchestrate" code and systems during rapid spin-ups and shut-downs.

Getting to DevSecOps

Along with the right technology, a DevSecOps framework requires robust processes tied to metrics and key performance indicators and a culture of security.

Published at DZone with permission of John Zorabedian, DZone MVB. See the original article here.
