Shift-Left: 5 steps for DevOps teams to consider


Contrary to popular belief, rapid application delivery is not incompatible with security. As organizations adopt cloud-deployed infrastructure and services, security remains a top priority: the continuous integration/continuous delivery (CI/CD) pipeline is a particularly attractive target for threat actors, since whoever controls the pipeline controls what gets built and deployed.

It is no longer enough to look for security vulnerabilities after an application goes live. A Shift-Left approach to security starts the moment the DevOps team begins developing an application and provisioning its infrastructure, so that vulnerabilities are addressed before fixing them becomes cumbersome and expensive. This is the basic principle of DevSecOps.

By moving security upstream, or "shifting left", organizations can identify misconfigurations and other security risks before users are affected. Given the role cloud plays in implementing DevOps, protection of cloud environments and workloads will have to grow in scope to cover the CI/CD pipeline, the applications it produces and, ultimately, customers.

So what are the five key security steps DevOps teams need to consider as part of a Shift-Left approach?

1. Communicate with the Security team to better collaborate

The Shift-Left approach constitutes a cultural change. In addition to having the necessary processes and tools in place, companies need to rethink the way they operate in order to integrate their security testing processes, tools, and expertise earlier in the CI/CD flow. The DevSecOps approach is not just about shifting security responsibilities onto developers: it also changes roles and expectations, in combination with the right tools, to reach a workable balance between development speed and security. In other words, security must be treated as a priority from the outset, and cease to be an afterthought bolted on at the end of the software development life cycle (SDLC).

2. Perform regular self-tests

The Shift-Left approach requires early and frequent testing. By automating code testing, developers are notified of security issues as they introduce them, and can fix them long before the software reaches production. Automated scanners reduce the human error inherent in manual testing and widen the scope of verification, although they only find what they have rules or signatures for. Because code is analyzed incrementally, there is little left to test at the end of the development cycle.

A Shift-Left strategy integrates one or more tools into the CI/CD pipeline to locate known vulnerabilities and flag other potential issues. The most commonly used categories are Static Application Security Testing (SAST, which analyzes source code), Dynamic Application Security Testing (DAST, which probes the running application), Interactive Application Security Testing (IAST, which instruments the application during testing), secret discovery (which looks for credentials committed to the repository), and Software Composition Analysis (SCA, which checks third-party dependencies against known vulnerabilities). The first step is to assess the tools already in use before integrating new ones into the process.
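As an added illustration of one of those pipeline tools, the following Python script is a minimal secret-discovery gate of the kind that runs as a CI step on every push. It is example code written for this article, not the page's own code and not the rule set of any real scanner: the credential patterns, the entropy threshold, the inline `# allowlist-secret` opt-out marker, and the sample diff are all assumptions constructed here. It scans only the lines a change adds, tracks the file and line number from the diff headers, and fails the build when a credential-like literal is found.

```python
"""Minimal secret-discovery gate for a CI step (added example, not a real product).

Scans the *added* lines of a unified diff, e.g. the output of
`git diff origin/main...HEAD`, for credential-like strings and returns a
non-zero exit code so the pipeline blocks the merge.
"""
import math
import re
import sys
from dataclasses import dataclass

# Illustrative rule set (assumption: real scanners ship hundreds of such rules).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # A quoted literal of 8+ chars assigned to a password/secret/key/token-like name.
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.0              # bits per character; filters placeholders like "CHANGEME"
ALLOWLIST_MARKER = "# allowlist-secret"  # assumed inline opt-out for test fixtures


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def shannon_entropy(s):
    """Bits of entropy per character of s; a crude 'does this look random?' test."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(path, lineno, text):
    """Return findings for one source line; empty if clean or explicitly allowlisted."""
    if ALLOWLIST_MARKER in text:
        return []
    found = []
    for rule, rx in PATTERNS.items():
        m = rx.search(text)
        if not m:
            continue
        if rule == "hardcoded_credential" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
            continue  # low-entropy literal: most likely a placeholder, not a real secret
        found.append(Finding(path, lineno, rule, text.strip()))
    return found


def scan_diff(diff_text):
    """Walk a unified diff and scan only added lines, tracking file and new-file line number."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")          # new-file header: "+++ b/app/config.py"
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            lineno = int(m.group(1))                   # first line number of the new-file side
        elif raw.startswith("+") and not raw.startswith("+++"):
            findings.extend(scan_line(path, lineno, raw[1:]))
            lineno += 1
        elif raw.startswith(" "):                      # unchanged context line
            lineno += 1
        # removed lines ("-") and "\ No newline" markers do not advance the new-file counter
    return findings


def gate(diff_text):
    """CI entry point: report findings and return the process exit code (1 = block the merge)."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}")
    return 1 if findings else 0


# Constructed sample diff: one real-looking password literal, one AWS key ID,
# one low-entropy placeholder, and one allowlisted test fixture.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "s3cr3t-Tok3n-Q7pL9"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
+ADMIN_PASSWORD = "CHANGEME"
+FIXTURE_KEY = "AKIAIOSFODNN7EXAMPLE"  # allowlist-secret
"""

if __name__ == "__main__":
    # Typical wiring: `git diff origin/main...HEAD | python secret_gate.py -`
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_DIFF
    sys.exit(gate(data))
```

On the sample diff the gate reports the hard-coded password on line 2 and the AWS access key ID on line 3, ignores the low-entropy `CHANGEME` placeholder, and skips the allowlisted fixture; the hypothetical allowlist marker exists so that developers can document deliberate exceptions in the code rather than disable the check. Scanning only added lines keeps the step fast enough to run on every commit, which is what makes the feedback loop short enough for developers to act on it.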

3. Integrate penetration testing into the process

While automated testing is an essential ingredient of the DevSecOps approach, automation on its own overlooks some classes of issues, such as business-logic flaws and chains of individually minor weaknesses. A manual security assessment, typically in the form of penetration testing, verifies the security level of an application by subjecting it to realistic attacks, and can surface problems that an automated test does not detect. Before a release, having a security engineer review the software and run a penetration test helps ensure that the remaining risk is understood and minimized. Two precautions are better than one: this further testing reduces the chance of discovering a vulnerability only after an attacker has exploited it.

4. Don’t forget to update the software!

Regularly updating software is a pillar of cybersecurity. Developers should ensure that every component they depend on, from the operating system and application framework to third-party libraries, is kept current so that available security patches are actually applied. Whether the update comes from a commercial vendor or an open source project, applying it promptly is one of the most effective measures for application security. In practice this means pinning dependency versions so builds are reproducible, and then letting SCA tooling in the pipeline flag the pinned versions with known vulnerabilities so that upgrades are deliberate rather than forgotten.

5. Explore security training opportunities

While developers are not security experts, they play a vital role in building secure applications, and as such they must master the basics of secure coding and testing. As the demand for software grows, they should look for security training tailored to their specific role and technology stack. Proper training and support provide the foundation needed to write code that is both functional and secure.

When it comes to software security, there is no silver bullet that guarantees code is secure and will remain so. By adopting these practices, companies increase their chances of detecting software vulnerabilities and correcting them before the code is deployed.
