The first 3 steps to take on your DevSecOps journey
DevSecOps is all about increasing security awareness and controls throughout the software delivery lifecycle. This is also known as ‘shifting left’ security. In a traditional software development world where security is an afterthought, DevSecOps aims to move security as early on in the development cycle as possible. Here are the first three steps to take on your DevSecOps journey.
First: Implement software supply chain management
We believe that software supply chain attacks, which are already being conducted as we speak, are going to increase dramatically in the future. Therefore the first item on your list is increasing visibility into, and control over, vulnerabilities in your software supply chain.
Concentrate on getting three things right here: be able to respond in a timely manner when new vulnerabilities arise, be able to detect where vulnerable components are in use, and finally, be able to block vulnerable components in your dependency tree. Various tools exist to automate this process for you.
Second: Implement static code analysis for your infrastructure
One of the major sources of security risk is misconfiguration of cloud infrastructure. To enable auditability of your infrastructure, you should already be doing Infrastructure as Code with a tool such as Terraform.
The next step is to implement static code analysis to detect when potentially insecure infrastructure configuration is being deployed. With Terraform, we’ve had good experiences implementing static code security analysis with Checkov.
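As an added illustration (not code from the original post), here is the kind of finding that static analysis of Terraform surfaces: a security group with the weak setting next to its corrected form. The resource and variable names, the 203.0.113.0/24 admin range and the quoted Checkov check id are assumptions; confirm the id against the Checkov version you pin in CI.

```hcl
# Added example, not from the original post. Resource names, variables and
# the 203.0.113.0/24 range (an RFC 5737 documentation block) are constructed.

variable "vpc_id" {
  description = "VPC the bastion security group belongs to"
  type        = string
}

# Weak: SSH reachable from the whole internet. Checkov flags this as
# CKV_AWS_24 ("no security groups allow ingress from 0.0.0.0/0 to port 22");
# verify the id against the Checkov release you use.
resource "aws_security_group" "bastion_open" {
  name        = "bastion-open"
  description = "SSH from anywhere (fails static analysis)"
  vpc_id      = var.vpc_id

  ingress {
    description = "ssh"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Corrected: SSH only from the admin egress ranges, supplied as a variable so
# the allowed sources are reviewed in code rather than edited in the console.
variable "admin_cidrs" {
  description = "CIDR ranges allowed to reach SSH on the bastion"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed sample range
}

resource "aws_security_group" "bastion_restricted" {
  name        = "bastion-restricted"
  description = "SSH only from admin_cidrs"
  vpc_id      = var.vpc_id

  ingress {
    description = "ssh from admin ranges"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }
}

# In the pipeline, scan the module directory before `terraform apply`;
# checkov exits non-zero when any check fails, which fails the job:
#   checkov -d . --framework terraform
```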
Third: Increase security awareness with simulations and game days
Arguably the largest security risk is still the user - or in the case of a software development lifecycle, the people running it. Therefore it makes sense to ensure everyone in the team has a level of security awareness and critical, security-focussed thinking when designing and implementing changes and new features for your applications.
Implementing mandatory security training is one avenue, but we’ve found that simulations and game days are a much more engaging way of increasing security awareness. This is especially true for organisations with an established InfoSec function, where more informal security training can provide a much-needed way of building relationships between InfoSec and development teams.
We’ve found that running security simulations and game days quarterly - concentrating on any new functionality released or due to be released - tends to have a great impact on the security awareness of software delivery teams.