What is application security?

Application security has been defined by TechTarget as the use of software, hardware, and procedural methods to protect applications from external threats. Modern approaches include shifting left to find and fix vulnerabilities earlier, while also shifting right to protect your applications and their infrastructure-as-code in production. Securing the Software Development Life Cycle (SDLC) itself is often a requirement as well.

This approach of building security into your development and operational processes effectively turns your DevOps methodology into a DevSecOps methodology. An end-to-end DevSecOps platform can best enable this approach.

Why adopt DevSecOps?

Security has traditionally come at the end of the development lifecycle, adding cost and time when code is inevitably sent back to the developer for fixes. It is time to shift left by embracing security earlier within the DevOps lifecycle.

Cost savings to shift left

DevSecOps tools automate security workflows to create an adaptable process for your development and security teams, improving collaboration and breaking down silos. By embedding security into the SDLC, you can consistently secure fast-moving and iterative processes - improving efficiency without sacrificing quality.

DevSecOps weaves security practices into every stage of software development right through deployment with the use of tools and methods to protect and monitor live applications. New attack surfaces such as containers and orchestrators must be monitored and protected alongside the application itself.

Manage your toolchain before it manages you

Visible, secure, and effective toolchains are difficult to come by due to the increasing number of tools teams use, and it’s placing strain on everyone involved. This study dives into the challenges, potential solutions, and key recommendations to manage this evolving complexity.

DevSecOps fundamentals

If you've read the book that was the genesis for the DevOps movement, The Phoenix Project, you understand the importance of automation, consistency, metrics, and collaboration. For DevSecOps, you are essentially applying these techniques to outfit the software factory while embedding security capabilities along the way rather than in a separate, siloed process. Either developers or security staff can find vulnerabilities, but a developer is usually required to remove them. It makes sense to empower developers to find and fix vulnerabilities while they are still working on the code. Scanning alone isn't enough. It's about getting the results to the right people, at the right time, with the right context for quick action.

Fundamental requirements include automation and collaboration, along with policy guardrails and visibility.

Automation

According to our 2019 Developer Survey, most developers test less than half of their code with automated application security methods. The code that is tested is most commonly reviewed with the following:

[Graph: application security survey results]

There is always more to be done when it comes to testing. It’s best to understand which tests work best for you (this can depend on app or software function, development processes, infrastructure, etc.), and incorporate those into your DevSecOps practice.

Collaboration

A single source of truth that reports vulnerabilities and remediation provides much-needed transparency to both the development and security teams. It can streamline cycles, eliminate friction, and remove unnecessary translation across tools.

Policy guardrails

Every enterprise has a different appetite for risk. Your security policies will reflect what is right for you while the regulatory requirements to which you must adhere will also influence the policies you must apply. Hand-in-hand with automation, guardrails can ensure consistent application of your security and compliance policies.

Visibility

An end-to-end DevSecOps platform can give auditors a clear view into who changed what, where, when, and why from the beginning to the end of the software lifecycle. Leveraging a single source of truth can also ensure earlier visibility into application risks.

Getting started

Ready to see how GitLab can help you get started with DevSecOps?

Our DevSecOps Solution page has all of the details, along with a Free Trial offer for our Ultimate tier of capabilities.

Assess your DevSecOps maturity

We have developed a simple assessment that uses twenty questions to help you determine where you excel and areas for improvement. A helpful guide suggests steps to get you started.

Resources

Here is a list of resources on DevSecOps that we find to be particularly helpful. We would love to get your recommendations on books, blogs, videos, podcasts and other resources that offer valuable insight into best practices.

Please share your favorites with us by tweeting us @GitLab!

Why you need static and dynamic application security testing in your development workflows

Bolster your code quality with static and dynamic application security testing.

4 Ways developers can write secure code with GitLab

GitLab Secure is not just for your security team - it's for developers too.

5 Security testing principles every developer should know

Developers are looking for guidance and standard practices as they take on more security testing responsibilities.
