Now that automation and artificial intelligence (AI) are enabling developers to create software and apps at scale, and at a faster pace than ever before, the question of security integration has become even more critical.
Australia’s data breach costs have jumped to AUD $3.82 million over the past five years. Yet, it seems that security remains a major hurdle for dev teams: our last DevSecOps research showed that 60% of Australian developers and IT decision makers don’t fully understand how security fits into DevSecOps.
The threat of real-world challenges and risks associated with late-stage security implementation means that dev team leaders need proven strategies and best practices to integrate security measures more seamlessly in the development lifecycle.
Intricacies of DevSecOps: embedding security needs a “shift left” approach
Contrary to common belief, vulnerable or outdated components, authentication flaws and sophisticated phishing attacks are not what is typically to blame for security incidents.
More often, it is simply configuration errors that are the culprit: a staggering 80% or more of ransomware attacks can be traced to common configuration errors in software and devices.
A stand-alone security approach isn’t fit for purpose here; it can actually make things worse by slowing down the production process, for example when development teams go from development to QA to staging and only then insert a security review.
This type of approach pushes things downstream, which in turn greatly increases the cost, time and effort to address issues at the end of the development cycle rather than doing it earlier.
Shift-left security and compliance in DevOps means checking for security issues earlier in the development process, allowing developers to identify coding issues and fix defects more quickly, before they become harder to manage.
What about scale?
The scale at which enterprises need to operate today is adding to the complexity of ensuring high levels of security throughout the development lifecycle.
Scale isn’t just about the number of physical devices or servers. Tech ecosystems can comprise multiple clouds and various device types that require support, spanning multiple locations for both users and compute capacity.
A growing number of compliance and security standards also need to be assessed and managed, which can end up becoming a tall order for dev teams.
Three practical considerations for effective DevSecOps and compliance
- The continuous compliance approach
This is about confirming the initial development configuration so that any drift from it can be caught as the dev team moves forward. With this approach, the security of the software development life cycle (SDLC) is elevated by constantly verifying that configuration drift has been detected and remediated.
Continuous automation makes this possible at scale across Dev, Test and Prod environments.
- A place for both human and automation zones
While humans are responsible for developing the app or the software, automation is the best ally when it comes to performing routine actions, backed up by a two-person rule, that is, a sensible code review process.
Setting up an automation zone can start with a series of actions, such as committing to a code repository and triggering an automation server to build it. The server then deploys and pushes the changes through to the appropriate environment. The user is partially removed from the process and is notified if something goes wrong or if they must be involved in an approval step.
This human-assisted automation reduces human error and frees users to work on higher-level, more interesting work.
- Human-readable, machine-enforceable policies driving automation at scale
Achieving automation at scale extends the concept of infrastructure as code (IaC) to policy as code (PaC): instead of managing security and compliance rules in spreadsheets, policies are defined in human-readable code that machine automation can enforce.
In graduating to a policy-as-code approach, DevOps teams are not only performing automated configuration management, but they are also conducting automated continuous policy checks and remediation.
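The continuous compliance loop and the policy-as-code idea described in the considerations above, as an added example (not the author's or Progress's code): a small Python checker that expresses four policies as data, detects drift against a recorded baseline, and remediates only what a policy requires, so benign drift is reported but not reverted. All setting names, rule ids and values are assumptions constructed for illustration.

```python
"""Added example, not from the original article: a minimal policy-as-code checker that
detects config drift from a baseline, evaluates rules and remediates. Values are constructed."""

# Policy as code: each rule names a setting, a comparison and the required value,
# which also serves as the remediation value when the check fails.
POLICIES = [
    {"id": "SSH-01", "key": "ssh.password_auth",        "op": "eq", "value": False},
    {"id": "TLS-01", "key": "tls.min_version",          "op": "ge", "value": 1.2},
    {"id": "DB-01",  "key": "db.public_access",         "op": "eq", "value": False},
    {"id": "LOG-01", "key": "audit.log_retention_days", "op": "ge", "value": 90},
]
OPS = {"eq": lambda actual, want: actual == want,
       "ge": lambda actual, want: actual is not None and actual >= want}

def violations(config):
    """Return the ids of policies the config fails; a missing setting is a failure."""
    return [p["id"] for p in POLICIES
            if not OPS[p["op"]](config.get(p["key"]), p["value"])]

def detect_drift(baseline, current):
    """Map each setting that differs from the baseline to (baseline, current); None = absent."""
    return {k: (baseline.get(k), current.get(k))
            for k in sorted(set(baseline) | set(current))
            if baseline.get(k) != current.get(k)}

def remediate(config):
    """Return a copy of config with every failing policy set to its required value."""
    fixed = dict(config)
    for p in POLICIES:
        if not OPS[p["op"]](fixed.get(p["key"]), p["value"]):
            fixed[p["key"]] = p["value"]
    return fixed

def continuous_compliance_check(baseline, current):
    """One pass of the loop: report drift and violations, then remediate only what a
    policy requires; benign drift (e.g. longer log retention) is reported, not reverted."""
    failing = violations(current)
    return {"drift": detect_drift(baseline, current), "violations": failing,
            "remediated": remediate(current) if failing else current}

# Constructed sample: approved baseline vs. a production config that has drifted.
BASELINE = {"ssh.password_auth": False, "tls.min_version": 1.2,
            "db.public_access": False, "audit.log_retention_days": 180}
CURRENT = {"ssh.password_auth": True,            # violates SSH-01
           "db.public_access": False,            # tls.min_version missing: violates TLS-01
           "audit.log_retention_days": 365}      # drifted but still compliant

if __name__ == "__main__":
    print(continuous_compliance_check(BASELINE, CURRENT))
```

In a pipeline this check would run on every commit and on a schedule against live environments, with the "remediated" config fed back through the same review-and-deploy path rather than applied by hand.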
At the end of the day, it’s really all about bolstering security throughout the development lifecycle and doing it at scale. For DevOps leaders, the advantages of adopting a best practice approach for handling security earlier in the DevOps process are clear.
By embedding security in the DevOps process, as well as using the right technology framework based on shifting left practices, organisations can promote innovation and maximise security efforts.
This article is written by Mark Troester, Vice President of Strategy, Progress
This insight is published as part of UPTECH MEDIA’s thought leadership series, within its repository of contributor articles.