Automating security controls into any workflow has traditionally been seen as a challenging task for many organizations. Security continues to be an afterthought in many development pipelines and is still thought of as a hindrance, or a blocker to producing software at a rapid pace. With DevOps-native workflows, we have an unprecedented opportunity to apply security guidance sooner in our application lifecycles and closer to the individuals who can remediate vulnerabilities the quickest.
One of the challenges for all of us as we automate security controls into our SDLCs is to ensure our product “conveyor belts” continue to operate with the same efficiency, as if we had no security integration at all. Business needs require software to be developed and shipped in a timely fashion. Developers want to code the software in the most optimal way possible. The Operations team wants the application to be highly available and stable. And the Security team wants it to have no vulnerabilities and low risk to the organization. This isn’t a situation where having one team succeeding means another has to falter – rather it’s a perfect ecosystem for collaboration. Security is the responsibility of every individual in an organization and should never supersede the object being delivered. It should be an attribute.
From a security point of view, when we look for places to inject security controls into our workflows in an automated fashion, we need to identify ways to observe and collect data in both a passive and an active way. Passive ways of producing data could include methods to calculate defect density for a collection of code after a static code analysis has been performed, or to calculate the risk ranking for a codebase based on code smell - whereas an active way of producing data may be the action of pausing the release pipeline to perform a vulnerability scan itself. Active collection is where we need to be the most careful when we integrate automated tools into our pipeline.
When you are generating data in an active way, you can potentially be a bottleneck in your release pipeline. When we look at the results of the survey data for companies with more than 500 developers we see slightly more responses agree that integrating security controls in an automated fashion is somewhat difficult. It’s possible within the next year the industry could tip the scales as we discover innovative ways of automating security tools into our workflows. If we focus on shortening the time required for security related active data collection to take place we can ensure we are not interrupting the feature pipeline. We can accomplish this by ensuring vulnerability scanning happens as early as possible in the lifecycle, that we are splitting our code bases into manageable and sensible pieces, and by treating any security vulnerability in the same fashion as we do a bug or a feature. Look into incremental scanning to increase performance during gated checkins of your code bases, and full scans that run in parallel to and out of band of your pipeline.
DevOps-native workflows widely vary from organization to organization so when integrating your security toolsets, ensure you align your security related goals with the goals of your fellow team members. Don’t be a blocker, be a security enabler. Secure your code and processes, and above all keep on shipping.
Want to learn more about DevSecOps?
This blog is one of seven in a series providing expert commentary and analysis on the results from Sonatype’s 2017 DevSecOps Community Survey. For access to all of the blogs in this series and the survey report, please visit: www.Sonatype.com/2017survey.
DJ Schleen (@dschleen) is DevSecOps Evangelist in the healthcare industry, and is a guest blogger for Sonatype's 2017 DevSecOps Community Survey.