Choosing between speed and security leaves some development teams walking a fine line between order and chaos. Even in DevOps, if your security practices are still largely manual, teams often choose to release apps before they’re fully secured, rather than waiting for the security team to address critical vulnerabilities.
But what if I told you that you don’t need to choose? Pull your security team, tests and practices to the beginning of the SDLC, and embed them throughout to reduce time to launch – and launch a secure product.
Six ways to bring security up to speed
1. Make small, frequent changes
Produce code in small chunks or units, and then run automated tests on those units as they’re committed, so the developers can remediate any vulnerabilities on the spot – rather than waiting for feedback days, weeks, or even months later. Running regular tests saves time down the road, when the completed app is tested before launch.
2. Educate developers and security teams
Adopt or create an educational program that teaches developers to recognize common vulnerabilities and remediate on their own. Security professionals should also be educated on application development and emerging technology, so they can understand developers’ work and ensure their organization isn’t overlooking any major vulnerabilities.
3. Fail fast, fix fast
Failing fast is a critical component of the DevOps mindset – and should be applied to developers’ security practices as well. If the automated scans reveal vulnerabilities, developers should be encouraged to take remediation into their own hands, both as a form of self-education, and to keep the SDLC moving quickly.
4. Prioritize risks
Risks will take different levels of priority within a single app, or across all of an organization’s apps. DevOps and security teams should work together to establish security guidelines that allow teams to prioritize which risks to address immediately, and which may not need remediation in the short term. Joe Coletta of IBM brings up an important distinction: Flaws should be assessed not only by level of severity, but also by likelihood of exploitation by an attacker.
5. Automate as much as possible
Manual security processes cannot keep up – point blank. There are too many new technologies, deployments, and access requests for security teams to manually handle everything. Tests should be pre-written and policies pre-defined so that they’re addressed automatically within the development pipeline. Automation also allows developers to focus on business demands – getting the app out quickly – while reducing the chance for human error.
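The prioritization in point 4 and the pre-defined, automated policy in point 5 can be combined into a single gate step that runs on every commit. The following Python script is an added example, not code from GitLab or from the original post: it reads a scanner report, scores each finding by severity multiplied by a likelihood-of-exploitation proxy (how exposed the affected code path is), and returns a non-zero exit code only for findings above a pre-defined threshold, so low-risk items are recorded and deferred rather than blocking the pipeline. The report shape, the path-to-exposure mapping, the weights and the threshold are all assumptions chosen for illustration; the sample report is constructed.

```python
"""Commit-time security gate: rank findings by risk, block only what must be fixed now.

Added example, not GitLab's code. The report layout below is a constructed,
simplified stand-in for a scanner's JSON output (field names are assumptions).
"""
import json
import sys

# Constructed sample report, as an automated scan might emit it on a commit.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "v1", "name": "SQL injection", "severity": "Critical",
         "location": {"file": "api/orders.py"}},
        {"id": "v2", "name": "Outdated dependency", "severity": "High",
         "location": {"file": "tools/build_helper.py"}},
        {"id": "v3", "name": "Verbose error page", "severity": "Low",
         "location": {"file": "api/errors.py"}},
        {"id": "v4", "name": "Weak hash in test fixture", "severity": "Medium",
         "location": {"file": "tests/fixtures.py"}},
    ]
})

# Severity as reported by the scanner (weights are a policy choice).
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2,
                   "Low": 1, "Info": 0, "Unknown": 2}

# Likelihood-of-exploitation proxy: where the affected code runs. Paths are
# assumptions about this hypothetical repository's layout.
EXPOSURE_WEIGHT = [
    ("api/", 3),    # externally reachable request handlers
    ("web/", 3),    # externally reachable UI
    ("tools/", 1),  # internal build tooling, never deployed to production
    ("tests/", 0),  # test-only code, never shipped
]

# Pre-defined policy threshold: score at or above this blocks the merge.
BLOCK_AT = 6


def exposure(path):
    """Map a file path to an exposure weight; unknown locations are moderate."""
    for prefix, weight in EXPOSURE_WEIGHT:
        if path.startswith(prefix):
            return weight
    return 2


def score(finding):
    """Risk score = severity weight x exposure weight (likelihood proxy)."""
    sev = SEVERITY_WEIGHT.get(finding["severity"], SEVERITY_WEIGHT["Unknown"])
    return sev * exposure(finding["location"]["file"])


def triage(report_json, block_at=BLOCK_AT):
    """Split findings into (blocking, deferred), each sorted by score, highest first."""
    findings = json.loads(report_json)["vulnerabilities"]
    ranked = sorted(findings, key=score, reverse=True)  # stable sort keeps ties in report order
    blocking = [f for f in ranked if score(f) >= block_at]
    deferred = [f for f in ranked if score(f) < block_at]
    return blocking, deferred


def gate(report_json, block_at=BLOCK_AT):
    """Print the triage and return the CI exit code: 1 if anything must be fixed before merge."""
    blocking, deferred = triage(report_json, block_at)
    for label, group in (("BLOCK", blocking), ("DEFER", deferred)):
        for f in group:
            print(f"{label}  score={score(f):2d}  {f['severity']:<8} "
                  f"{f['name']} ({f['location']['file']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Pipe a real report on stdin, or run with no input to use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(raw))
```

With the sample report, only the critical injection in the externally reachable `api/` code blocks the pipeline; the high-severity dependency issue in internal tooling and the medium finding in test code are ranked and deferred, which is the severity-versus-likelihood distinction from point 4 encoded as a policy the pipeline applies without waiting on a manual review.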
6. More is better
Testing more frequently is always better, if it can be done efficiently. In rapid development, teams push small changes continuously, which also means they’re able to find vulnerabilities more easily, and push small fixes continuously. As Forrester Research Director Amy DeMartine has stated, any changes that developers make [using these methods] will only affect their small piece of code, without any ramifications on the rest. Ultimately, this increases quality.
Like always, communication is key
Above all, your security and DevOps teams must be on the same page: A cross-team security mindset requires a strong commitment to communication and transparency. Leaders should encourage members of both teams to take the initiative to understand the other team’s goals and intent, and why those goals matter to both the business and the customer. Teams at every business should focus on building a security-first mindset, as today’s expanding attack surfaces provide opportunity for exploitation at every level. Lastly, make it easy (or as easy as it can be). Integrated tools, or a single tool for the entire lifecycle (such as GitLab), will bring transparency to all sides of the operation and allow for seamless interactions, change logging, and efficiency.
Cover image by Christian Englmeier on Unsplash