DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
Building Scalable Real-Time Apps with AstraDB and Vaadin
Register Now

Trending

  • Microservices Decoded: Unraveling the Benefits, Challenges, and Best Practices for APIs
  • How To Integrate Microsoft Team With Cypress Cloud
  • Why You Should Consider Using React Router V6: An Overview of Changes
  • Managing Data Residency, the Demo

Trending

  • Microservices Decoded: Unraveling the Benefits, Challenges, and Best Practices for APIs
  • How To Integrate Microsoft Team With Cypress Cloud
  • Why You Should Consider Using React Router V6: An Overview of Changes
  • Managing Data Residency, the Demo
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. DevSecOps: Integrating Automated Controls

DevSecOps: Integrating Automated Controls

With DevOps-native workflows, we have an unprecedented opportunity to apply security guidance sooner in our application lifecycles.

DJ Schleen user avatar by
DJ Schleen
·
Mar. 24, 17 · Opinion
Like (2)
Save
Tweet
Share
3.90K Views

Join the DZone community and get the full member experience.

Join For Free

Image titleAutomating security controls into any workflow has traditionally been seen as a challenging task for many organizations. Security continues to be an afterthought in many development pipelines and is still thought of as a hindrance or a blocker to producing software at a rapid pace. With DevOps-native workflows, we have an unprecedented opportunity to apply security guidance sooner in our application lifecycles and closer to the individuals who can remediate vulnerabilities the quickest.

One of the challenges for all of us as we automate security controls into our SDLCs is to ensure our product “conveyor belts” continue to operate with the same efficiency as if we had no security integration at all. Business needs require software to be developed and shipped in a timely fashion. Developers want to code the software in the most optimal way possible. The Operations team wants the application to be highly available and stable. And the Security team wants it to have no vulnerabilities and low risk to the organization. This isn’t a situation where having one team succeeding means another has to falter. Rather, it’s a perfect ecosystem for collaboration. Security is the responsibility of every individual in an organization and should never supersede the object being delivered. It should be an attribute.

From a security point of view, when we look for places to inject security controls into our workflows in an automated fashion, we need to identify ways to observe and collect data in both a passive and an active way. Passive ways of producing data could include methods to calculate defect density for a collection of code after a static code analysis has been performed or to calculate the risk ranking for a codebase based on code smell, whereas an active way of producing data may be the action of pausing the release pipeline to perform a vulnerability scan itself. Active collection is where we need to be the most careful when we integrate automated tools into our pipeline.

When you are generating data in an active way, you can potentially be a bottleneck in your release pipeline. When we look at the results of the survey data for companies with more than 500 developers, we see that slightly more responses agree that integrating security controls in an automated fashion is somewhat difficult.

It’s possible within the next year, the industry could tip the scales as we discover innovative ways of automating security tools into our workflows. If we focus on shortening the time required for security related active data collection to take place we can ensure we are not interrupting the feature pipeline. We can accomplish this by ensuring vulnerability scanning happens as early as possible in the lifecycle, that we are splitting our code bases into manageable and sensible pieces, and by treating any security vulnerability in the same fashion as we do a bug or a feature. Look into incremental scanning to increase performance during gated check-ins of your code bases, and full scans that run in parallel to and out of band of your pipeline.

DevOps-native workflows widely vary from organization to organization so when integrating your security toolsets, ensure you align your security-related goals with the goals of your fellow team members. Don’t be a blocker, be a security enabler. Secure your code and processes, and above all keep on shipping.

This blog is one of seven in a series providing expert commentary and analysis on the results from Sonatype’s 2017 DevSecOps Community Survey. For access to all of the blogs in this series and the survey report, see here. DJ Schleen (@dschleen) is DevSecOps Evangelist in the healthcare industry, and is a guest blogger for Sonatype's 2017 DevSecOps Community Survey.

security Security controls

Published at DZone with permission of DJ Schleen, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Trending

  • Microservices Decoded: Unraveling the Benefits, Challenges, and Best Practices for APIs
  • How To Integrate Microsoft Team With Cypress Cloud
  • Why You Should Consider Using React Router V6: An Overview of Changes
  • Managing Data Residency, the Demo

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com

Let's be friends: