Blog Insights DevSecOps basics: 5 steps to standardize (and then scale) security
Published on: July 20, 2020
4 min read

DevSecOps basics: 5 steps to standardize (and then scale) security

DevSecOps is incomplete without speed and scale. Standardize security to make it happen.

devsecops-security-standardization.jpg

This is the fifth in our five-part series on DevSecOps basics. Part one offers nine tips to truly shift left. Part two outlines the steps needed to create silo-free collaboration. Part three looks at the importance of automated security testing. And part four details how to create a strong security culture.

Standardizing security policies comes in a variety of forms: regulatory compliance, access controls, acceptable use policies, security as code, and automation, to name a few. Ultimately, the idea is that your security team knows exactly what policies and methods have been used or applied to each project.

The goals of standardization are consistency, traceability, and repeatability. By consistently using the same security methods across all work, security knows what has been protected and what hasn’t. This helps them apply additional measures where necessary, and makes them aware of any needed exceptions. Ensuring that security methods are repeatable helps to expand adoption and scale security to the entire organization or enterprise.

Building a standardized security program

A holistic security program should be composed of different levels of policies and compliance. Some policies should be company-wide, such as an acceptable use policy, some will fulfill regulations like the GDPR or CCPA, and some will be specific to certain organizations within your business.

Standardizing security in DevOps

DevSecOps can be executed sustainably at scale with standardized security practices. Here are five ways to standardize security across all of your development projects.

Educate

Provide security training and education to every employee. Companywide security initiatives help to build a security culture and empower employees to take responsibility for security in their own work. Standardized training also spreads awareness of mandatory policies and alerts employees to the actions taken to both secure day-to-day operations and protect their customers.

Coordinate

Coordinate a predefined set of security requirements among dev, sec, and ops that can be coded into your pipeline and applied to every project. These can ensure regulatory compliance, foster secure coding practices, trigger red flags or notifications, and educate employees on security best practices.

Authenticate

Access controls are a critical component of any security framework, and should be continually monitored and evaluated. By keeping close tabs on who needs access to what, you’re able to build a solid wall around your most critical processes and assets. This eliminates unnecessary access to sensitive data, and helps streamline tracing, recovery, and remediation efforts when something goes wrong. Access control policies also help defend your business by enhancing authentication requirements.

Integrate

Embed scan and test tools within your development pipeline. Static and dynamic application security testing (SAST and DAST, respectively) can be set to run at every code commit and in the review app. Other tools and tests include IAST, fuzzing, licence compliance, container scanning, and dependency scanning (among others). Embedding tools directly into the pipeline allows you to know exactly what the code has been evaluated for, and also what the code has not been checked for.

Automate

In DevSecOps, automation is the true key to standardized security practices as it allows for fast, secure development at scale. There are a number of ways to automate security within and around your development pipeline – the trick is to find an appropriate balance between automation and manual intervention. Automated policies should serve as guardrails that guide development smoothly from one security check to the next, but they should also allow for exceptions when needed. These guardrails should automatically generate reports from code scans and consolidate them into a security dashboard for review. This helps to minimize human error and any false positives or negatives, allows for consistent vulnerability reporting, and can be used to measure a team’s performance against secure coding expectations. Automation also helps to prevent overly complex security programs by reducing ad-hoc policies and redundant work.

The best security programs will change

Security will never be a set-it-and-forget-it practice. The threat landscape is constantly changing, external regulations will continue to evolve, and internal business requirements will always keep you on your toes. While setting standards for security will help your team manage the workload, these standards need to be constantly re-evaluated and updated. Outdated security practices will undermine even the most solid programs, so it’s important to use part of the time saved from standardizing and automating to plan for the future.

How efficient are your DevSecOps practices? Take our DevSecOps Maturity Assessment to find out.

Learn more about DevSecOps:

Cover image by Andrew Ridley on Unsplash

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum. Share your feedback

Ready to get started?

See what your team could do with a unified DevSecOps Platform.

Get free trial

Find out which plan works best for your team

Learn about pricing

Learn about what GitLab can do for your team

Talk to an expert