
Automating security controls into any workflow has traditionally been seen as a challenging task for many organizations. Security remains an afterthought in many development pipelines and is still considered a hindrance, or blocker, to producing software at a rapid pace. With DevOps-native workflows, we have an unprecedented opportunity to apply security guidance sooner in our application life cycles and closer to the individuals who can remediate vulnerabilities the quickest.
One of the challenges for us all as we automate security controls into our SDLCs is to ensure that our product "conveyor belts" continue to operate with the same efficiency as if we had no security integration at all. Business needs require software to be developed and shipped in a timely fashion. Developers want to code the software in the most optimal way possible. The Operations team wants the application to be highly available and stable. And the Security team wants it to have no vulnerabilities and low risk to the organization. This isn't a situation where having one team succeed means another has to falter. Rather, it's a perfect ecosystem for collaboration. Security is the responsibility of every individual in an organization and should never take precedence over the thing being delivered. It should be an attribute of it.
From a security perspective, when we look for places to inject security controls into our workflows in an automated fashion, we need to identify ways to observe and collect data in both a passive and an active way. Passive ways of producing data could include calculating defect density for a collection of code after a static code analysis, or calculating a risk ranking for a codebase based on code smell; neither of these holds up the release. An active way of producing data would be to pause the release pipeline to perform a vulnerability scan. Active collection is where we need to be the most careful when we integrate automated tools into our pipeline.
When you generate data actively, you can potentially become a bottleneck in your release pipeline. When we look at the survey data for companies with more than 500 developers, we see slightly more respondents agree that integrating security controls in an automated fashion is somewhat difficult. It's possible that the industry could tip the scales in the next year, as we discover innovative ways to automate security tools into our workflows. If we focus on shortening the time required for security-related active data collection, we can ensure we are not interrupting the feature pipeline. We can accomplish this by ensuring vulnerability scanning happens as early as possible in the life cycle, by splitting our code bases into manageable and sensible pieces, and by treating any security vulnerability in the same fashion as a bug or feature. Look into incremental scanning to increase performance during gated check-ins of your code bases, and full scans that run in parallel and out of band from your pipeline.
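The passive/active split above is easiest to see in code. The following is an added example, not code from the original post or from Sonatype: it takes a constructed SAST report (the JSON shape, file names, rule names and line counts are all assumptions made for the example), computes defect density per module as a passive metric that never blocks anyone, and applies an active, incremental gate that only fails a check-in for findings at or above a chosen severity in the files that check-in actually touched. Everything else is still recorded from the full scan, which would run out of band.

```python
"""Added example: passive metrics versus an active, incremental check-in gate.

Assumptions (constructed for this example, not a real tool's format):
  - the SAST tool emits JSON with a "findings" list of {file, severity, rule}
  - the pipeline supplies per-file line counts and the set of changed files
"""
import json

# Constructed sample report, as a full out-of-band scan might produce it.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"file": "billing/invoice.py", "severity": "high", "rule": "sql-injection"},
        {"file": "billing/invoice.py", "severity": "low", "rule": "unused-import"},
        {"file": "web/views.py", "severity": "medium", "rule": "xss"},
        {"file": "util/strings.py", "severity": "low", "rule": "naming"},
    ]
})

# Constructed line counts per file (normally produced by the build).
LINE_COUNTS = {
    "billing/invoice.py": 800,
    "web/views.py": 1500,
    "util/strings.py": 200,
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_findings(report_json):
    """Read the scanner's JSON report into a list of finding dicts."""
    return json.loads(report_json)["findings"]


def defect_density(findings, line_counts):
    """Passive metric: findings per 1000 lines, grouped by top-level module.

    This is observed and reported; it never stops the pipeline.
    """
    lines_by_module = {}
    findings_by_module = {}
    for path, lines in line_counts.items():
        module = path.split("/")[0]
        lines_by_module[module] = lines_by_module.get(module, 0) + lines
    for finding in findings:
        module = finding["file"].split("/")[0]
        findings_by_module[module] = findings_by_module.get(module, 0) + 1
    return {
        module: round(findings_by_module.get(module, 0) / (lines / 1000), 2)
        for module, lines in lines_by_module.items()
    }


def gate_checkin(findings, changed_files, min_severity="medium"):
    """Active control: incremental gate for a single check-in.

    Only findings in files this check-in touched, at or above min_severity,
    block it. Findings elsewhere are left to the full scan's passive report,
    so the gate stays fast and does not hold the release for old debt.
    """
    threshold = SEVERITY_RANK[min_severity]
    blocking = [
        f for f in findings
        if f["file"] in changed_files and SEVERITY_RANK[f["severity"]] >= threshold
    ]
    return {"blocked": bool(blocking), "blocking_findings": blocking}


if __name__ == "__main__":
    found = parse_findings(SAMPLE_REPORT)
    print("defect density per KLOC:", defect_density(found, LINE_COUNTS))
    print("gate for web/views.py:", gate_checkin(found, {"web/views.py"}))
    print("gate for util/strings.py:", gate_checkin(found, {"util/strings.py"}))
```

With the sample data, a check-in touching only `util/strings.py` passes (its only finding is low severity), while one touching `web/views.py` is blocked by the medium-severity finding; the billing module's higher defect density is still visible in the passive report without anyone's check-in waiting on it.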
DevOps-native workflows vary widely from organization to organization. Therefore, when integrating your security toolsets, ensure you align your security-related goals with the goals of your fellow team members. Don't be a blocker; be a security enabler. Secure your code and processes, and above all keep on shipping.
Want to Learn More about DevSecOps?
This blog is one of seven in a series, providing expert commentary and analysis on the results from Sonatype's 2017 DevSecOps Community Survey. For access to all the blogs in this series and the survey report, please visit: www.Sonatype.com/2017survey.
DJ Schleen is DevSecOps Evangelist in the healthcare industry, and is a guest blogger for Sonatype's 2017 DevSecOps Community Survey.