What is application security?
Application security has been defined by TechTarget as the use of software, hardware, and procedural methods to protect applications from external threats. This includes building security measures (called countermeasures) into applications, and also means building security into your development and operational processes: Effectively turning your DevOps methodology into a DevSecOps methodology.
Why adopt DevSecOps?
A number of cyberattacks dominated international headlines over the last decade and the annual breach count continues to rise, while web application and software vulnerabilities are the top two targets of external attacks. As applications have proliferated into every area of business (and life), a sense of urgency for security is paramount.
Security has traditionally come at the end of the development lifecycle, adding cost and time when code is inevitably sent back to the developer for fixes. It is time to shift left by incorporating security into the DevOps lifecycle - to operate in a DevSecOps model. Security should be a priority at every phase of software development, and every team member should feel empowered to contribute. This intentional and proactive style of security should continue through deployment with the use of tools and methods to protect and monitor live applications.
DevSecOps weaves security practices into every stage of software development. DevSecOps tools automate security workflows to create an adaptable process for your development and security teams, making it easy for both to work in sync and understand what the other is doing. It brings security to the speed of business, consistently securing fast moving and iterative processes - improving efficiency without sacrificing quality, and vice versa.
Time saved is important, but DevSecOps is also critical to improving the security posture of all of your software and apps. The first step to mastering DevSecOps fundamentals is integrating security into the earliest possible phases of your DevOps lifecycle. By including security as a standard requirement (rather than a bolt-on task at the end), your business becomes more resilient to external attacks, internal threats, and other unusual or unexpected behaviors within the software.
While DevSecOps is in the same family as DevOps, it does require a different mindset from your team. Shifting left can bring up the question: Who actually owns security?
Even with clear ownership, the mindset of responsibility may require a cultural change to get everyone on the same page - thinking about security. Bring the following ideas and actions to your team to ease the transition to DevSecOps:
- Educate developers on how to write secure code, and how doing so allows for secure functionality through future updates, ease of monitoring app behavior, and can help protect the app or software through potential infrastructure changes.
- Help developers understand how they are contributing to an overall business initiative: Their work is on the front line when it comes to protecting both the business and the customer. They have the power to substantially improve the cyberdefense of their business, which both reduces business liability and improves customer trust.
- To mitigate potential friction, make clear the division of tactical responsibilities between developers and security team members. Ensure everyone knows what they are responsible for and that they have the tools and resources to do it right.
- Encourage collaboration between dev and sec. Future of work predictions call for fluid project teams that bring together employees from across the business. Get ahead of this trend by breaking down some siloes now: Developers should feel welcome to ask for help from their security peers, and security should feel welcome to do the same.
A single source of truth that reports vulnerabilities and remediation provides much-needed transparency to all parties involved. Keeping development and security within the same tool will further streamline cycles and increase/speed up security adoption among developers. A single source of truth will also prove helpful past production and into deployment, by helping to monitor app and user behavior for suspicious activity.
In DevSecOps, testing can be applied to all phases of the life cycle. According to our 2019 Developer Survey, most developers test less than half of their code with application security methods. The code that is tested is most commonly reviewed with the following:
There is always more to be done when it comes to testing, but using every type of test is unrealistic for most teams. It’s best to understand which tests work best for you (this can depend on app or software function, development processes, infrastructure, etc.), and incorporate those into your DevSecOps practice.
Here’s a list of resources on DevSecOps that we find to be particularly helpful in understanding Agile and implementation. We would love to get your recommendations on books, blogs, videos, podcasts and other resources that tell a great Agile story or offer valuable insight on the definition or implementation of the practice.
Please share your favorites with us by tweeting us @GitLab!