Set DevSecOps in Motion With Minimal Commotion

Read on for some helpful tips on how to integrate your security practices with your DevOps initiative and get your DevSecOps up and running.

By Rani Osnat · May. 02, 17 · Opinion

DevOps professionals continue to believe they can’t do their jobs properly because security slows down operations. Security pros, meanwhile, have largely failed to integrate security measures into the DevOps initiative, resulting in unproductive friction.

I share the view that bridges the two sides: information security professionals become actively involved in DevOps initiatives while remaining true to the spirit of DevOps, a practice that has come to be called DevSecOps. Information security pros need to buy into the DevOps philosophy of teamwork, coordination, agility, and shared responsibility. Not doing so will only widen the current divide between DevOps and security.

DevSecOps should be a shared company objective where security checks and controls are applied automatically and transparently throughout the development and delivery of IT-enabled services in rapid-development DevOps environments.

Simply layering on standard security tools and processes won't work. Secure service delivery starts in development, and the most effective DevSecOps programs will start at the earliest points in the development process and follow the workload throughout its lifecycle.

Four DevSecOps Practices You Need to Set in Motion

To keep 2017 secure and harmonious, here are four practices that should be your first steps toward making DevSecOps a natural component of development and operations. Taking these steps, which essentially amount to automating security controls, will manage risk without impeding DevOps agility.

1. “Shift Left” Security

DevOps teams talk a lot about “shifting left,” meaning that much of the responsibility for the final deliverable now rests with developers. This applies to security as well: developers should be educated about, tasked with, and motivated to adopt secure coding practices and take ownership of applying security best practices. This eliminates the conflict that would otherwise emerge late in the delivery process, when security policies aren’t met and it’s too late to do anything but block the delivery.

2. OSS Module Identification, Configuration, and Vulnerability Scanning

Developers (knowingly or unknowingly) download vulnerable OSS components and frameworks for use in their applications. Proper DevOps security means scanning all applications, system images, virtual machines, and containers in development for unknown, embedded, or vulnerable OSS components in the operating system, the application platform, and the application itself.

3. Custom Code Scanning

Train developers to adopt a lightweight "spell checker" type scanning tool for quick checks of security within their integrated development environment as they create code. Automated scanning and security test software should be part of the continuous integration test toolchain. Don’t force developers to leave their native environment and toolchains.
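As an added example, not code from the article or its author, here is a small dependency gate of the kind points 2 and 3 describe: a script that sits in the CI toolchain, parses a pip-style requirements manifest, matches each pinned component against an advisory list, and fails the build when any finding reaches a severity threshold. The manifest, the advisory entries, and the ADV-000x identifiers are constructed for illustration; a real pipeline would pull advisories from a vulnerability database and would also cover operating-system packages and container images.

```python
"""Constructed example: an OSS dependency gate for a CI job.

Reads a pip-style requirements manifest, compares every pinned
component against an advisory list, and reports whether the build
may proceed. Assumes nothing beyond the Python standard library.
"""
import re
import sys

# Constructed sample manifest, as a developer might commit it.
SAMPLE_MANIFEST = """\
# web tier
flask==1.0.2
requests==2.19.0
# data tier
sqlalchemy==1.3.5
pyyaml==5.1
"""

# Constructed advisory feed (hypothetical ADV-* identifiers, not real CVEs):
# component -> list of (first_fixed_version, advisory_id, severity).
ADVISORIES = {
    "requests": [("2.20.0", "ADV-0001", "high")],
    "pyyaml": [("5.2", "ADV-0002", "critical")],
    "flask": [("1.0.3", "ADV-0003", "medium")],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text):
    """Turn '1.0.2' into (1, 0, 2) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_manifest(text):
    """Return {name: version} for every pinned 'name==version' line.

    Unpinned lines are rejected: a component whose exact version is
    unknown cannot be matched against an advisory, so the gate treats
    it as an identification failure rather than silently passing it.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def scan(pins, advisories=ADVISORIES):
    """Return findings as (name, version, advisory_id, severity, fixed_in).

    A component is affected when its pinned version is older than the
    first fixed version recorded in the advisory.
    """
    findings = []
    for name, version in pins.items():
        for fixed_in, adv_id, severity in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, adv_id, severity, fixed_in))
    return findings


def gate(findings, fail_at="high"):
    """True if the build may proceed: no finding at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f[3]] < threshold for f in findings)


def main():
    pins = parse_manifest(SAMPLE_MANIFEST)
    findings = scan(pins)
    for name, version, adv_id, severity, fixed_in in findings:
        print(f"{severity.upper():8} {name}=={version}  {adv_id}  fixed in {fixed_in}")
    ok = gate(findings)
    print("build gate:", "PASS" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

The nonzero exit status is what makes this a gate rather than a report: a CI stage that runs it will stop the pipeline before the artifact is promoted. The same functions can run as a pre-commit hook or an editor task in the developer's own environment, which is the "spell checker" placement point 3 asks for, so the check happens where the code is written and not only at the end of delivery.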

4. Automating Security Controls

Information security architects need to incorporate security controls automatically, without manual configuration, in a way that is as transparent as possible to DevOps teams and doesn't impede agility. At the same time, they still have to fulfill legal and regulatory compliance requirements and manage risk. This can happen by requiring security and management vendors to fully API-enable their platform services and expose 100% of their functionality via APIs. Vendors should also provide support for DevOps toolchain environments such as Chef, Puppet, and other automation tools.

Sticking to the original DevOps philosophy is imperative for the success of DevSecOps. Effective DevSecOps promotes teamwork, transparency, and improvement through continual learning.

To learn what Gartner has to say about DevSecOps and start seamlessly integrating security into DevOps, download the report here.

Tags: Information security, DevOps, Security controls

Published at DZone with permission of Rani Osnat, DZone MVB. See the original article here.
