What is application security?
Application security has been defined by TechTarget as the use of software, hardware, and procedural methods to protect applications from external threats. Modern approaches include shifting left to find and fix vulnerabilities earlier, while also shifting right to protect your applications and their infrastructure-as-code in production. Securing the Software Development Life Cycle (SDLC) itself is often a requirement as well.
This approach of building security into your development and operational processes effectively turns your DevOps methodology into a DevSecOps methodology. An end-to-end DevSecOps platform can best enable this approach.
Why adopt DevSecOps?
Security has traditionally come at the end of the development lifecycle, adding cost and time when code is inevitably sent back to the developer for fixes. It is time to shift left by embracing security earlier within the DevOps lifecycle.
DevSecOps tools automate security workflows to create an adaptable process for your development and security teams, improving collaboration and breaking down silos. By embedding security into the SDLC, you can consistently secure fast- moving and iterative processes - improving efficiency without sacrificing quality.
DevSecOps weaves security practices into every stage of software development right through deployment with the use of tools and methods to protect and monitor live applications. New attack surfaces such as containers and orchestrators must be monitored and protected alongside the application itself.
If you've read the book that was the genesis for the DevOps movement, The Phoenix Project, you understand the importance of automation, consistency, metrics, and collaboration. For DevSecOps, you are essentially applying these techniques to outfit the software factory while embedding security capabilities along the way rather than in a separate, siloed process. Dev or security can find vulnerabilities, but a developer is usually required to remove such flaws. It makes sense to empower them to find and fix vulnerabilities while they are still working on the code. Scanning alone isn't enough. It's about getting the results to the right people, at the right time, with the right context for quick action.
Fundamental requirements include automation and collaboration, along with policy guardrails and visibility.
According to our 2019 Developer Survey, most developers test less than half of their code with automated application security methods. The code that is tested is most commonly reviewed with the following:
There is always more to be done when it comes to testing. It’s best to understand which tests work best for you (this can depend on app or software function, development processes, infrastructure, etc.), and incorporate those into your DevSecOps practice.
A single source of truth that reports vulnerabilities and remediation provides much-needed transparency to both development and security team. It can streamline cycles, eliminate friction, and remove unnecessary translation across tools.
Every enterprise has a different appetite for risk. Your security policies will reflect what is right for you while the regulatory requirements to which you must adhere will also influence the policies you must apply. Hand-in-hand with automation, guardrails can ensure consistent application of your security and compliance policies.
An end-to-end DevSecOps platform can give auditors a clear view into who changed what, where, when, and why from beginning to end of the software lifecyle. Leveraging a single-source-of-truth can also ensure earlier visibility into application risks.
Ready to see how GitLab can help you get started with DevSecOps?
Our DevSecOps Solution page has all of the details, along with a Free Trial offer for our Ultimate tier of capabilities.
Here is a list of resources on DevSecOps that we find to be particularly helpful. We would love to get your recommendations on books, blogs, videos, podcasts and other resources that offer valuable insight into best practices.
Please share your favorites with us by tweeting us @GitLab!