May 10, 2021

Securing the enterprise IT landscape has become a priority for most large companies, and for the chief security officer it has become critical to build security into software and applications rather than add it after the fact. This is where DevSecOps comes in. Adopting secure DevOps means embedding multiple security controls in the DevOps pipeline and in the processes around it. There are five key things to keep in mind to retain enterprise agility while choosing and integrating security controls into the DevOps process:

1. Dynamic assessment control for applications and hosts

Automated triggering of dynamic assessment is simple to implement and far more reliable than manually testing projects at random intervals. Dynamic application security testing (DAST) of the running application and vulnerability assessment (VA) of the hosts it runs on can identify low-hanging vulnerabilities (such as configuration and authentication issues) before a release reaches production. Because dynamic scanning exercises the deployed application the way an attacker would, it also helps developers see what real-world risk a vulnerability actually poses.

Many vulnerabilities stem from security misconfiguration, which is exactly the class of issue dynamic scanners are good at spotting. Automating the process by integrating DAST and VA scanners into the pipeline therefore reduces risk by surfacing more of these vulnerabilities and ensuring prompt remediation. DAST and VA scanners are the simplest DevSecOps tools to integrate for maximum risk reduction with minimum effort. One caveat: both need a deployed, running target, so they belong at the test or staging stage rather than at build time, and they cannot see code-level flaws that never show up in observable behaviour; pair them with static analysis for those.

2. Shifting left by bringing in DAST, component, and container-level security controls

Integrating security early in the DevOps toolchain is critical for any organization looking to build a robust and secure modern application. The earlier the integration, the more time teams have to fix significant security weaknesses, whether in code, design, or operations. The first step is for the security, development, and DevOps teams to agree on which tools to integrate, where in the pipeline to integrate them (component and container-image scanning at build time, DAST once a test environment has been deployed), and how to respond to the resulting vulnerabilities. Moreover, most modern security controls support automation and deliver results quickly, eliminating the wait times involved in manual testing.

3. Select the best security tools for DevSecOps

Enterprises that select the security and DevSecOps tools best suited to them get the best outcomes, yet many make the mistake of assuming that the highest-rated tool on the market is automatically the right one. What matters is selecting the tools that fit the organization's technical landscape. This means:

  • Bucketing candidate DevSecOps tools by the purpose or outcome each serves.
  • Comparing DevSecOps tools on technological coverage. For code review, for instance, an enterprise should look at both current and future language and framework support, and at how easily the tool can be extended.
  • Gauging the risk aspects. A SaaS scanner necessarily receives source code, binaries, or live traffic from the application it tests, so if the application handles sensitive information that is subject to regulatory audits or data-residency rules, an on-premise tool is often the wiser choice. Where no such obligations apply, a cloud-based SaaS security solution is usually the easier option to run.
  • Understanding how widely a scanner is used and supported among system integrators and in the hiring market. Ease of maintenance and administration are key to a successful DevSecOps or secure DevOps implementation; without the skills available, even a great tool will be difficult to maintain and operationalize across the organization.

4. Agile DevSecOps / security tool set

The best security tools today may not be the best in the future, so organizations need to stay clued into the evolving security landscape. This is critical because switching security tools or partners is easier said than done: without skilled subject matter experts, migrating from one security tool to another is complex. That is why a dependable security partner and automation of the security tool integration into the DevOps pipeline are important. After all, some things are best left to the machines.

5. Adopting DevSecOps automation and orchestration

Enterprises can look at automating the manual and time-consuming tasks of assembling security tools in the DevOps toolchain and centralizing vulnerabilities that are normally scattered across various interfaces and reports. To incorporate security tools from multiple vendors into one DevSecOps workflow, enterprises should look at tools with a built-in security orchestration engine that provides continuous assurance from detection, through tracking, to rectification.

Organizations can create or invest in DevSecOps automation frameworks or platforms that offer simple integration with both existing and new security tools. This lets them move in and out of any tool in the future without losing the historical data that is crucial for seeing how the security posture has evolved.
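Sections 1 and 5 above describe automated triggering of DAST and VA scans and centralizing their findings in one place. The following Python is an added example, not code from this article or from TCS, of what that orchestration layer actually has to do: parse reports from two different scanners into one schema, merge duplicates, honour time-limited risk acceptances, and return a pass/fail decision the pipeline can act on. Both report shapes, the target names, the risk-acceptance list, and the helper names (`parse_dast`, `parse_va`, `dedupe`, `evaluate_gate`, `run_gate`) are constructed for this example and do not follow any real scanner's output format.

```python
"""Pipeline gate that normalizes findings from two scanners into one schema.

Everything here is constructed for illustration: the two report shapes are
invented and do not follow any real scanner's output format.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed DAST report for a staging target (invented shape).
DAST_REPORT = json.dumps({
    "target": "https://staging.example.internal",
    "alerts": [
        {"name": "Missing Content-Security-Policy header", "risk": "Medium",
         "url": "https://staging.example.internal/login", "cwe": 693},
        {"name": "Session cookie without Secure flag", "risk": "High",
         "url": "https://staging.example.internal/login", "cwe": 614},
        {"name": "Session cookie without Secure flag", "risk": "High",
         "url": "https://staging.example.internal/account", "cwe": 614},
    ],
})

# Constructed host VA report for the host behind that target (invented shape).
VA_REPORT = json.dumps({
    "host": "10.0.4.17",
    "results": [
        {"plugin": "SSH weak MAC algorithms enabled", "severity": 2, "port": 22},
        {"plugin": "TLS 1.0 enabled", "severity": 3, "port": 443},
    ],
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
VA_SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Risk acceptances: identifier -> date the acceptance expires. In a real
# pipeline this list lives in version control with the sign-off attached.
ACCEPTED_RISKS = {"TLS 1.0 enabled": date(2021, 8, 1)}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner produced it
    title: str
    severity: str   # normalized to the SEVERITY_RANK keys
    location: str   # URL for DAST, host:port for VA
    ident: str      # stable identifier (CWE or plugin name) for dedupe/acceptance


def parse_dast(raw: str) -> list[Finding]:
    """Map the DAST report's alerts onto the common Finding schema."""
    report = json.loads(raw)
    return [Finding("dast", a["name"], a["risk"].lower(), a["url"], f"CWE-{a['cwe']}")
            for a in report["alerts"]]


def parse_va(raw: str) -> list[Finding]:
    """Map the host VA report's numeric severities onto the common schema."""
    report = json.loads(raw)
    host = report["host"]
    return [Finding("va", r["plugin"], VA_SEVERITY[r["severity"]],
                    f"{host}:{r['port']}", r["plugin"]) for r in report["results"]]


def dedupe(findings: list[Finding]) -> dict:
    """Collapse the same issue reported at several locations into one work item."""
    merged: dict = {}
    for f in findings:
        key = (f.tool, f.ident, f.severity)
        merged.setdefault(key, (f, []))[1].append(f.location)
    return merged


def evaluate_gate(findings, threshold="high", accepted=None, today=None) -> dict:
    """Block the pipeline if any finding at or above `threshold` lacks an
    unexpired risk acceptance. Lower-severity findings are reported, not blocking."""
    accepted = accepted if accepted is not None else {}
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking, waived = [], []
    for finding, locations in dedupe(findings).values():
        if SEVERITY_RANK[finding.severity] < min_rank:
            continue
        expiry = accepted.get(finding.ident)
        if expiry is not None and expiry >= today:
            waived.append(finding.ident)       # accepted risk, still tracked
        else:
            blocking.append({"tool": finding.tool, "title": finding.title,
                             "severity": finding.severity, "locations": locations})
    return {"passed": not blocking, "blocking": blocking,
            "waived": waived, "total": len(findings)}


def run_gate(today: date = date(2021, 5, 10), threshold: str = "high") -> dict:
    """End-to-end: ingest both constructed reports and evaluate them."""
    findings = parse_dast(DAST_REPORT) + parse_va(VA_REPORT)
    return evaluate_gate(findings, threshold, ACCEPTED_RISKS, today)


if __name__ == "__main__":
    decision = run_gate()
    print(json.dumps(decision, indent=2))
    raise SystemExit(0 if decision["passed"] else 1)  # non-zero exit fails the stage
```

Run as a pipeline step, the non-zero exit code is what fails the stage; the JSON decision is what gets stored, so the history of blocking and waived findings survives a change of scanner because it is kept in the common schema rather than in either tool's native report. The expiry date on each acceptance is deliberate: a waiver that never expires quietly becomes a permanent blind spot.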

Securing the DevOps journey

There are numerous benefits of securing the DevOps pipeline. They include:

  • Getting immediate feedback on compliance with your security controls
  • Recording compliance throughout the year
  • Audit-ready procedural runbooks
  • An empowered team ready to innovate rather than worry about fixing security holes in production
  • An overall reduction in the enterprise attack surface

Trend analysis shows that a strategic shift toward securing the DevOps pipeline will soon have a broader industry impact. The technologies and services associated with these trends have also started to mature, offering real capabilities to secure digital businesses. Enterprise leaders, especially those managing security and risk, should become early adopters by securing their DevOps journey.

Somen Das is a cyber security solution architect at TCS. He is a subject matter expert on vulnerability management and application security solutions, with more than 15 years of industry experience. Somen specializes in large application security and vulnerability management programs. He has also been part of large application security transformation projects cutting across environments and technologies, including hybrid cloud.