This is the fifth in our five-part series on DevSecOps basics. Part one offers nine tips to truly shift left. Part two outlines the steps needed to create silo-free collaboration. Part three looks at the importance of automated security testing. And part four details how to create a strong security culture.
Standardizing security policies comes in a variety of forms: regulatory compliance, access controls, acceptable use policies, security as code, and automation, to name a few. Ultimately, the idea is that your security team knows exactly what policies and methods have been used or applied to each project.
The goals of standardization are consistency, traceability, and repeatability. By consistently using the same security methods across all work, security knows what has been protected and what hasn’t. This helps them apply additional measures where necessary, and makes them aware of any needed exceptions. Ensuring that security methods are repeatable helps to expand adoption and scale security to the entire organization or enterprise.
Building a standardized security program
A holistic security program should be composed of different levels of policies and compliance. Some policies should be company-wide, such as an acceptable use policy, some will fulfill regulations like the GDPR or CCPA, and some will be specific to certain organizations within your business.
Standardizing security in DevOps
DevSecOps can be executed sustainably at scale with standardized security practices. Here are five ways to standardize security across all of your development projects.
Provide security training and education to every employee. Companywide security initiatives help to build a security culture and empower employees to take responsibility for security in their own work. Standardized training also spreads awareness of mandatory policies and alerts employees to the actions taken to both secure day-to-day operations and protect their customers.
Coordinate a predefined set of security requirements among dev, sec, and ops that can be coded into your pipeline and applied to every project. These can ensure regulatory compliance, foster secure coding practices, trigger red flags or notifications, and educate employees on security best practices.
Access controls are a critical component of any security framework, and should be continually monitored and evaluated. By keeping close tabs on who needs access to what, you’re able to build a solid wall around your most critical processes and assets. This eliminates unnecessary access to sensitive data, and helps streamline tracing, recovery, and remediation efforts when something goes wrong. Access control policies also help defend your business by enhancing authentication requirements.
Embed scan and test tools within your development pipeline. Static and dynamic application security testing (SAST and DAST, respectively) can be set to run at every code commit and in the review app. Other tools and tests include IAST, fuzzing, licence compliance, container scanning, and dependency scanning (among others). Embedding tools directly into the pipeline allows you to know exactly what the code has been evaluated for, and also what the code has not been checked for.
In DevSecOps, automation is the true key to standardized security practices as it allows for fast, secure development at scale. There are a number of ways to automate security within and around your development pipeline – the trick is to find an appropriate balance between automation and manual intervention. Automated policies should serve as guardrails that guide development smoothly from one security check to the next, but they should also allow for exceptions when needed. These guardrails should automatically generate reports from code scans and consolidate them into a security dashboard for review. This helps to minimize human error and any false positives or negatives, allows for consistent vulnerability reporting, and can be used to measure a team’s performance against secure coding expectations. Automation also helps to prevent overly complex security programs by reducing ad-hoc policies and redundant work.
The best security programs will change
Security will never be a set-it-and-forget-it practice. The threat landscape is constantly changing, external regulations will continue to evolve, and internal business requirements will always keep you on your toes. While setting standards for security will help your team manage the workload, these standards need to be constantly re-evaluated and updated. Outdated security practices will undermine even the most solid programs, so it’s important to use part of the time saved from standardizing and automating to plan for the future.
How efficient are your DevSecOps practices? Take our DevSecOps Maturity Assessment to find out.
Learn more about DevSecOps:
- Case Study: How Jasper Solutions offers “DevSecOps in a box” with GitLab”
- How to capitalize on GitLab Security tools with external CI
- How to overcome toolchain security challenges with GitLab
Cover image by Andrew Ridley on Unsplash
“Need to scale security? Standardization will get you to functional DevSecOps. Find out more in @gitlab's DevSecOps Basics series” – Vanessa Wegner
Click to tweet