Put some Sec in your DevOps

DevOps is all the rage lately.  Applying Agile principles to Development and Operations has increased productivity and enabled IT teams to quickly introduce change.  A good DevOps process will include test automation and Continuous Integration (CI).  Software is consistently more reliable now.

So why aren’t applications more secure?  Generally, we hear customers say they know security is important but new functionality is more important.  There are not enough resources to focus on security.  There’s not enough time to build a framework to easily unit test security roles.  Security rules aren’t documented.  Etc.  The list goes on.  Regardless of the excuse, the real reason is there’s no focus on it.  The team hasn’t made it an integral part of the process.  Hence the new term “DevSecOps”.

Security must become part of a team’s culture to resolve what is primarily a people problem.  The first step is training.  People need to be aware of the issues and understand how they are expected to address them.  This should address the DevSecOps process, documentation guidelines and dev/test/deploy best practices.

Second, just as Ops became part of the code, Security must become part of the code.  The use of static analysis tools and security testing tools during the CI phase can uncover security issues earlier in the process.  Functional security testing validates that the security features you want are working as expected.

Third, leadership needs to make security a priority.  Make sure the team understands that new functionality isn’t ready until its secure.  Be sure to allocate enough resources so the team can do their job properly.