In its predictions for 2018, Forrester Research said it would be the year of enterprise DevOps. However, the great innovation that DevOps has unlocked by speeding up the software development lifecycle (SDLC) has also undermined traditional approaches to AppSec. As more companies embrace DevOps to accelerate software delivery, automation will be required to limit the security risks inherent in the split between the security team's and the development team's processes.
So far, DevSecOps has mostly been theoretical, and it is frequently met with distrust over whether it will slow the pace of releases. First, there is often pushback from application developer teams, because security reviews can delay deployment and security tools generate the "noise" of false positives for developers. Second, older security tools were typically built to protect applications from the outside in: they rely on humans understanding how the application works.
With the right tools, good DevSecOps can speed up the SDLC by removing manual processes. Organizations must learn to embrace the integration of DevOps, security, and development as a basic part of their business culture. That, however, must be accompanied by a change in mindset about what application security means.
Rather than treating security as a set of individual, manual steps that are inherently siloed, modern DevSecOps requires fully automated "security as code" baked into the CI/CD pipeline, with full knowledge of both the development and production cycles. Security, DevOps, and development teams will need a common security foundation that integrates seamlessly with all of the tools and processes across each group.
Building such a foundation provides insight into the very building blocks of the application: how sensitive data is supposed to flow through external APIs, microservices, and open source libraries, and what is actually happening in production. Furthermore, by understanding both what the application is supposed to do and what it is doing, CISOs can drive virtuous feedback loops.
Runtime security can be achieved through development insights that are both comprehensive and precise. Development informed by production analytics can prioritize which code weaknesses to address first. To achieve this continuous improvement loop, organizations must work to break down the traditional silos that exist because of a mismatch in expectations.
Application developers, optimizing for speed, need to receive security information that is accurate, early, and accompanied by enough context to fix problems during development. Security professionals benefit in the same way by extending their knowledge deeper into the development cycle, understanding the code at the DNA level. Only by truly following the code can runtime protection be both comprehensive and precise.
Creating this reality requires an enormous cultural shift. Moreover, culture, like an aircraft carrier, does not change direction quickly. It is not that traditional AppSec methods have no value today. The issue is that conventional approaches are too slow and too imprecise, which is why they become progressively less effective as companies adopt modern CI/CD. Good luck building a culture in which every developer and security engineer thoroughly examines every alert that comes their way.
Rather than fighting the tide, DevSecOps must surf the wave. DevSecOps teams must embrace the speed of modern CI/CD and make everyone's job easier by building automated security into the SDLC. This means automating runtime protection that is informed by build-time code analysis, rather than relying on approaches that require manual intervention. Just as the DevOps movement is built on turning infrastructure into code, for 2019 to be the year that DevSecOps takes off, organizations must learn to automate security as code.