
An Introduction to DevSecOps


Shifting security left is a big deal in the software industry right now. Read on to get an introduction to DevSecOps, and how it helps automate a lot of this shift.

· Security Zone ·

Introduction

In today's world, with the pace at which change occurs, everyone wants to adopt Agile practices and delivery models. With the introduction of DevOps, the industry is catching up with the need for secure environments that help developers create automated security testing and assessment solutions.

We can never forget security; it needs to be part of the Agile development cycle, both to help developers and to avoid shipping solutions with critical vulnerabilities. To add security testing and assessment support, DevSecOps (Dev + Sec + Ops) extends the existing DevOps framework by adding security tools to the CI process. This helps developers uncover security-specific issues in their code by running the various security tests in an automated environment.

Challenges (Without DevSecOps)

  1. With the fast pace of development in the Agile world, there is a lack of focus on security during the development process.

  2. The quality of the solution is often compromised from a security standpoint while focusing on feature deliverables during the Agile development lifecycle.

  3. Further, it costs the organization its reputation when critical vulnerabilities are found in shipped solution(s).

  4. Customers' sensitive data is compromised due to a lack of focus on security testing.

  5. The large amount of manual effort required to perform security testing can delay the discovery of critical vulnerabilities and, in turn, may result in either delayed deliverables or deliverables shipped with unknown vulnerabilities.

Solution

In order to minimize the risk from a security standpoint, putting an automated security solution in place, which is integrated into our CI system (for example, Jenkins), can help uncover security-related issues earlier in the development cycle. This helps reduce the risk of critical vulnerabilities being shipped in our software.

A few well-known mobile/desktop security tools are listed below as examples of SAST/DAST solutions.

  • Coverity
  • FindSecurityBugs (FindBugs Plugin)
  • AppScan
  • Drozer
  • AndroBugs
  • Dependency Checker
  • SUPER
  • QARK
  • HP Fortify
  • Lint
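Whichever of these tools the CI job runs, the automation only reduces risk if the pipeline acts on the results. The following gate script is an added example, not part of the article or of any of the tools listed above: it reads a scanner report that has been normalised to a constructed JSON shape (an assumption; each real tool would need a small adapter), blocks the build on findings at or above a chosen severity, and lets a Jenkins stage fail by exit status.

```python
import json
import sys

# Severity ranking used by the gate. Assumption: scanner output has been
# normalised to the constructed shape below; each real tool (Dependency-Check,
# FindSecurityBugs, ...) needs a small adapter to produce it.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report, not real scanner output or real CVE data.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "CRITICAL", "title": "Outdated library with known RCE",
     "location": "pom.xml"},
    {"id": "F-2", "severity": "MEDIUM", "title": "Weak hash algorithm",
     "location": "src/main/java/Auth.java:42"},
    {"id": "F-3", "severity": "HIGH", "title": "SQL built by string concatenation",
     "location": "src/main/java/UserDao.java:88"},
]})

def evaluate_gate(report_json, fail_on="HIGH", allowlist=()):
    """Return (passed, blocking_findings) for a normalised scan report.
    fail_on   : lowest severity that blocks the build.
    allowlist : finding ids already risk-accepted outside the pipeline.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for finding in report.get("findings", []):
        if finding["id"] in allowlist:
            continue
        # Unknown severities count as blocking: a gate that silently ignores
        # what it cannot classify would let findings slip through.
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).upper(), threshold)
        if rank >= threshold:
            blocking.append(finding)
    return len(blocking) == 0, blocking

def main(argv):
    # Usage: security_gate.py [report.json] [fail_on]; with no file argument the
    # constructed sample above is evaluated. Exit status 1 fails the CI stage.
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    passed, blocking = evaluate_gate(report_json, fail_on)
    for f in blocking:
        print(f"[{f['severity']}] {f['id']}: {f['title']} ({f['location']})")
    print("security gate:", "PASS" if passed else f"FAIL, {len(blocking)} blocking")
    return 0 if passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a Jenkins pipeline this would run as a `sh` step after the scan stage, so a non-zero exit marks the build failed and the finding list appears in the console log.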

Graphical Representation

[Figure: graphical representation of the DevSecOps pipeline; image not reproduced here]

Conclusion

It is very important to include security in the Agile development lifecycle. With DevSecOps, developers can better understand the criticality of vulnerabilities that exist in their code and fix these vulnerabilities while still delivering fast, but more secure, product(s)/solution(s).


Topics:
devsecops ,security ,secure coding ,vulnerabilities
