5 Security Tasks DevOps Teams Should Consider When Shifting Left
Speedy delivery of applications is not the enemy of security, although it can seem that way. As businesses continue to adopt cloud services and infrastructure, forgetting to keep security top of mind is not an option — especially since the continuous integration/continuous delivery (CI/CD) pipeline represents an attractive target for threat actors.
It is not enough to only scan applications for security flaws after they are live. A shift-left approach to security should start at the exact moment that DevOps teams begin developing the application and provisioning infrastructure so that vulnerabilities can be addressed before they become bigger and more expensive to fix. This is the core tenet of DevSecOps.
By shifting security left, organizations can identify misconfigurations and other security risks before they impact users. Given the role that cloud computing plays in enabling DevOps, protecting cloud environments and workloads will only take on a larger role in defending the CI/CD pipeline, your applications and, ultimately, your customers.
Below are five key security tasks DevOps teams should consider as their organization shifts left.
1. Connect and collaborate with your security team: Shift left is a cultural change. In addition to putting the proper processes and tools in place, organizations must rethink the way they operate to bring software-testing processes, tools and expertise earlier in the CI/CD pipeline. DevSecOps isn’t simply about pushing security responsibilities onto developers, but about changing roles and expectations, combined with the right tools, to achieve a balance in secure development. Security should be a priority from the start — not an afterthought tacked on to the end of the SDLC.
2. Implement frequent automated testing: Shifting left requires testing early and often. With automated code testing, developers are alerted to security issues as they are working so they can correct issues long before software goes to production. Automated tools that scan for vulnerabilities reduce the chances of human error that may occur in a manual test and expand coverage to check more of the software. The code is scanned incrementally so testers aren’t left with a lot to review at the end of the SDLC.
A shift-left strategy will involve bringing one or more tools into the CI/CD pipeline to look for known vulnerabilities and identify other issues. There are many tools to choose from — commonly used tools include Static Application System Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), Secret Detection and Software Composition Analysis (SCA). You should first assess the tools you have before deciding which new tools to bring into your processes.
3. Bring penetration testing (pentesting) into the process: While automated testing is a must-have in DevSecOps, automation alone may still leave potential issues undetected. A manual security evaluation, such as a penetration test, checks the security of an application by simulating cyberattacks against it. This additional testing minimizes the risk and may catch issues that an automated test wouldn’t. Before you commit to protection, bring in a security engineer to review the software and conduct a penetration test to ensure all potential issues are mitigated. It’s better to cover all your bases and do the extra testing than learn about a vulnerability after an attacker exploits it.
4. Keep your software current: Working with up-to-date software is a core tenet of cybersecurity. Developers must be careful to keep all their software — operating system, application framework and third-party libraries — updated to the latest versions to ensure all security patches are current. Whether they come from a vendor or the open source community, downloading software updates is among the most important steps you can take toward stronger application security.
5. Explore opportunities for security training: Developers aren’t security experts, but they have a critical role in the production of secure applications and should know the basics of secure coding and testing. As the demand for software grows, developers should consider security training tailored to their specific role and needs. Proper training and support can give you the background information needed to produce code that is both functional and secure.
When it comes to software security, there is no silver bullet to ensure your code is secure and stays secure. By adopting these practices, you can increase the likelihood that software flaws are found and patched before code is deployed.