
Set DevSecOps in Motion With Minimal Commotion

Read on for some helpful tips on how to integrate your security practices with your DevOps initiative and get your DevSecOps up and running.

By Rani Osnat · May 02, 2017 · Security Zone · Opinion

DevOps professionals continue to believe they can’t do their jobs properly because security slows down operations. Security pros, meanwhile, have largely failed to integrate security measures into the DevOps initiative, resulting in unproductive friction.

I share the view that the way to bridge the two sides is for information security professionals to become actively involved in DevOps initiatives while remaining true to the spirit of DevOps; this is what is meant by DevSecOps. Information security pros need to buy into the DevOps philosophy of teamwork, coordination, agility and shared responsibility. Not doing so will only widen the current divide between DevOps and security.

DevSecOps should be a shared company objective where security checks and controls are applied automatically and transparently throughout the development and delivery of IT-enabled services in rapid-development DevOps environments.

Simply layering on standard security tools and processes won't work. Secure service delivery starts in development, and the most effective DevSecOps programs will start at the earliest points in the development process and follow the workload throughout its lifecycle.

Four DevSecOps Practices You Need to Set in Motion

To keep 2017 secure and harmonious, here are four practices that should be your first steps toward making DevSecOps a natural component of development and operations. Taking these steps, which amount to automating security controls, manages risk without impeding DevOps agility.

1. “Shift Left” Security

DevOps teams talk a lot about "shifting left," meaning that much of the responsibility for the final deliverable is now in the hands of developers. This applies to security as well: developers should be educated about, tasked with, and motivated to adopt secure coding practices and take ownership of applying security best practices. Doing so heads off the conflict that otherwise emerges late in the delivery process, when a security policy is found to be unmet and it is too late to do anything but block the release.

2. OSS Module Identification, Configuration, and Vulnerability Scanning

Developers download vulnerable OSS components and frameworks for use in their applications, often without knowing it, because a single chosen framework pulls in a tree of transitive dependencies. Proper DevOps security means scanning all applications, system images, virtual machines and containers in development for unknown, embedded or vulnerable OSS components in the operating system, the application platform and the application itself.
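As an added illustration (this code is not from the article or its author), the following Python script shows the core of such a scan: it reads a pinned dependency list, compares each pin against a table of advisories expressed as affected version ranges, and reports the matches. The lockfile, the advisory entries and their IDs are constructed sample data, not real packages' vulnerability records; a real pipeline would pull advisory data from a vulnerability database and apply the same range matching to the OS package list of every image and container.

```python
"""Added example (not from the article): flag pinned OSS packages whose version falls
inside a known-vulnerable range, as an OSS-component scan step in CI.

Stdlib-only. The lockfile and the advisory table below are constructed sample data;
the advisory IDs are placeholders, not real vulnerabilities.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lockfile in requirements.txt pin format.
SAMPLE_LOCKFILE = """\
# app dependencies (constructed sample)
requests==2.19.0
flask==1.0.2
pyyaml==5.3
urllib3==1.24.1   # transitive pin
cryptography==3.4.7
"""

# Constructed advisory table: package -> [(vulnerable_from, fixed_in, advisory_id)].
# A pinned version v is affected when vulnerable_from <= v < fixed_in.
SAMPLE_ADVISORIES = {
    "requests": [("0", "2.20.0", "EXAMPLE-ADV-001")],
    "urllib3": [("1.0", "1.24.2", "EXAMPLE-ADV-002")],
    "pyyaml": [("0", "5.4", "EXAMPLE-ADV-003")],
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Convert '1.24.1' to (1, 24, 1). Non-numeric suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def version_in_range(v: Version, low: Version, high: Version) -> bool:
    """Compare zero-padded tuples so that '5.4' and '5.4.0' are treated as equal."""
    n = max(len(v), len(low), len(high))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(low) <= pad(v) < pad(high)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} from 'name==version' lines, ignoring comments."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            # Normalise names the way package indexes do (case, '_' vs '-').
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def scan_lockfile(lock_text: str, advisories=SAMPLE_ADVISORIES) -> List[dict]:
    """Return one finding per (package, advisory) whose pinned version is affected."""
    findings = []
    for pkg, pinned in parse_lockfile(lock_text).items():
        for low, high, adv_id in advisories.get(pkg, []):
            if version_in_range(parse_version(pinned), parse_version(low), parse_version(high)):
                findings.append({"package": pkg, "version": pinned,
                                 "advisory": adv_id, "fixed_in": high})
    return findings


if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['package']}=={f['version']} affected by {f['advisory']}, fixed in {f['fixed_in']}")
```

Two details matter in practice: version ordering must follow the ecosystem's rules (the zero-padding above handles `1.24` versus `1.24.0`, but pre-release and epoch syntax differ between PyPI, npm, Debian and RPM), and the advisory data must be refreshed on every build rather than vendored once, or the scan silently stops finding anything newer than the day it was set up.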

3. Custom Code Scanning

Train developers to use a lightweight, "spell checker" style scanning tool for quick security checks inside their integrated development environment as they write code. Automated scanning and security test software should also be part of the continuous integration toolchain, so the same rules run on every commit. Don't force developers to leave their native environment and toolchains.
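The following is an added example of that "spell checker" idea, not code from the article or its author: a small rule-based scanner that runs over one source file, prints compiler-style `path:line: rule` output an editor can jump to, and exits non-zero so the identical script can double as a CI step. The rules and the sample source are constructed for illustration and are far from a complete ruleset; a real project would use a maintained SAST tool. The `# nosec` suppression marker follows the convention used by Bandit.

```python
"""Added example (not from the article): a minimal rule-based source scanner that
developers can run from their editor or as a CI step. The rules and the sample
file are constructed for illustration, not a complete ruleset.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: int
    text: str


# Each rule: (id, compiled regex, one-line rationale). Patterns are kept narrow so a
# pre-commit style check stays quiet on normal code.
RULES = [
    ("hardcoded-secret",
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*=\s*['"][^'"]{8,}['"]"""),
     "credential literal in source; load it from the environment or a secret store"),
    ("shell-true",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
     "shell=True with interpolated input enables command injection"),
    ("eval-exec",
     re.compile(r"\b(eval|exec)\s*\("),
     "dynamic code execution on attacker-influenced data"),
    ("yaml-unsafe-load",
     re.compile(r"\byaml\.load\((?![^)]*Loader\s*=)"),
     "yaml.load without an explicit safe Loader deserializes arbitrary objects"),
    ("weak-hash",
     re.compile(r"\bhashlib\.(md5|sha1)\s*\("),
     "MD5/SHA-1 are unsuitable for passwords or integrity of untrusted data"),
]


def scan_source(text: str) -> List[Finding]:
    """Run every rule over every line; a '# nosec' marker suppresses that line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:
            continue
        for rule_id, pattern, _ in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, lineno, line.strip()))
    return findings


def format_report(findings: List[Finding], path: str = "<stdin>") -> str:
    """Emit 'path:line: rule: rationale' lines, the format editors and CI logs link to."""
    rationale = {rid: why for rid, _, why in RULES}
    return "\n".join(f"{path}:{f.line}: {f.rule}: {rationale[f.rule]}" for f in findings)


# Constructed sample source mixing hits, near-misses and a suppressed line.
SAMPLE_SOURCE = '''\
import hashlib, subprocess, yaml, os
API_KEY = "sk_live_0123456789abcdef"
API_KEY_ENV = os.environ.get("API_KEY")
def run(cmd):
    return subprocess.check_output("ls " + cmd, shell=True)
def load(doc):
    return yaml.load(doc)
def load_safe(doc):
    return yaml.load(doc, Loader=yaml.SafeLoader)
digest = hashlib.sha256(b"x").hexdigest()
legacy = hashlib.md5(b"x").hexdigest()  # nosec
'''


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    print(format_report(results, "app.py"))
    raise SystemExit(1 if results else 0)
```

Line-oriented regex rules are cheap enough to run on every keystroke, which is the point of the editor-side check, but they know nothing about data flow; the `eval-exec` rule fires on `eval("1+1")` just as it does on `eval(request.args["q"])`. Keep such rules as the fast first pass and let the CI stage run a tool that does taint tracking.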

4. Automating Security Controls

Information security architects need to incorporate security controls automatically, without manual configuration, in a way that is as transparent as possible to DevOps teams and does not impede agility. At the same time, they still have to meet legal and regulatory compliance requirements and manage risk. This is possible only if security and management vendors fully API-enable their platform services and expose 100% of their functionality via APIs, so that controls can be driven from the pipeline rather than from a console. Vendors should also support DevOps toolchain environments such as Chef, Puppet and other automation tools.
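What "transparent, automated control" looks like at the end of a pipeline is a gate that applies a written policy to scanner output with no human in the loop, while still recording the risk acceptances that compliance reviewers ask for. The script below is an added example, not code from the article or from any vendor's API: the findings would normally be fetched over a scanner's API and are a constructed list here, and the policy format, exception file, finding ids and severity names are this example's own assumptions.

```python
"""Added example (not from the article): a release gate that applies a security policy
to scanner findings automatically, honouring only risk acceptances that have an owner,
are in date, and were granted for no longer than the policy allows.

Findings would come from the scanner's API in a real pipeline; here they are
constructed. Policy/exception formats, ids and severity names are assumptions.
"""
from datetime import date
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy: block the release at HIGH or above; acceptances may last 90 days.
SAMPLE_POLICY = {"block_at": "high", "max_exception_days": 90}

# Constructed risk acceptances, keyed by finding id "<rule-or-advisory>@<location>".
SAMPLE_EXCEPTIONS = {
    "EXAMPLE-ADV-003@pyyaml": {
        "owner": "platform-team",
        "granted": "2017-04-15",
        "expires": "2017-06-30",
        "reason": "parser only reads static config shipped inside the image",
    },
}

# Constructed findings, as a scanner might report them for one build.
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-ADV-001@requests", "severity": "high"},
    {"id": "EXAMPLE-ADV-003@pyyaml", "severity": "critical"},
    {"id": "weak-hash@util.py:12", "severity": "medium"},
]


def exception_is_valid(exc: Dict[str, str], policy: Dict, today: date) -> bool:
    """An acceptance counts only with an owner, while in date, and within the max lifetime."""
    if not exc.get("owner"):
        return False
    granted = date.fromisoformat(exc["granted"])
    expires = date.fromisoformat(exc["expires"])
    lifetime_ok = (expires - granted).days <= policy["max_exception_days"]
    return lifetime_ok and granted <= today <= expires


def evaluate(findings: List[Dict], policy: Dict, exceptions: Dict, today: str) -> Dict:
    """Return the gate decision plus the lists that explain it, for the build log.

    `today` is an ISO date string so the caller (or a test) need not build date objects.
    """
    today_d = date.fromisoformat(today)
    threshold = SEVERITY_RANK[policy["block_at"]]
    blocking, accepted, below = [], [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            below.append(f["id"])          # reported, but does not block
            continue
        exc = exceptions.get(f["id"])
        if exc is not None and exception_is_valid(exc, policy, today_d):
            accepted.append(f["id"])       # documented, time-boxed risk acceptance
        else:
            blocking.append(f["id"])       # no acceptance, or an expired/over-long one
    return {"pass": not blocking, "blocking": blocking,
            "accepted": accepted, "below_threshold": below}


if __name__ == "__main__":
    decision = evaluate(SAMPLE_FINDINGS, SAMPLE_POLICY, SAMPLE_EXCEPTIONS, "2017-05-02")
    print(decision)
    raise SystemExit(0 if decision["pass"] else 1)
```

Because the exception file lives in version control next to the policy, every accepted risk has an author, a date and a reason in the commit history, which is the audit trail the compliance side needs; and because acceptances expire on their own, a forgotten waiver reverts to blocking rather than silently living forever.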

Sticking to the original DevOps philosophy is imperative for the success of DevSecOps. Effective DevSecOps promotes teamwork, transparency, and improvement through continual learning.

To learn what Gartner has to say about DevSecOps and start seamlessly integrating security into DevOps, download the report.


Published at DZone with permission of Rani Osnat, DZone MVB. See the original article here.
