DevSecOps: The Carrot and the Stick
The purpose and intent of DevSecOps is to build on the mindset that "everyone is responsible for security", with the goal of safely distributing security decisions, at speed and scale, to those who hold the most context, without sacrificing the safety required. In DevSecOps, two seemingly opposing goals, "speed of delivery" and "secure code", are merged into one streamlined process.
DevSecOps aims to embed security in every part of the development process. It is about automating core security tasks by embedding security controls and processes early in the DevOps workflow, rather than bolting them on at the end. For example, this applies when migrating to microservices, building out a CI/CD pipeline, automating compliance, or simply testing cloud infrastructure.
Why DevSecOps is important
Security breaches and leaks are seemingly becoming more and more commonplace in the interconnected world of today. Spend five minutes googling "data+breach" and flick through the top stories listed; the chances are there's been at least one incident reported today, another firm running afoul of data security protocols and finding itself in hot water. Over the last few years, companies of all sizes have experienced major data leaks: from restaurant-discovery company Zomato, to "pay-day" loan provider Wonga, and even major international corporations including Yahoo and LinkedIn. Most worryingly, the size and scope of each new breach seem to outstrip the last.
Moreover, there are some distressing statistics to be found. According to Insurance Business Magazine, more than 31% of small businesses are unable to sustain their operations for more than a week after being hit by a cyber-attack. Compounding this, approximately 62% of all cyber-attacks target smaller businesses. For those startups looking to become the next Uber, it seems the odds may just be stacked against them, unless they’re one of the increasing number of organisations adopting a DevSecOps mindset.
Tools for Automating Security Testing
There are new tools that can help achieve and automate security testing across the development lifecycle. Here are some of the types of tools that exist:
Cloud infrastructure best practices – Tools built into the cloud, such as AWS Trusted Advisor or Microsoft Azure Advisor, or third-party tools such as evident.io, can scan your configurations against security best practices.
Automate security tests – You can now create and run automated security tests just like you would unit tests or integration tests. Gauntlt is a popular free framework for automating these types of tests.
Code analysis – Tools like Veracode can scan your own code, and the open-source libraries it depends on, for potential vulnerabilities.
Runtime application security – Tools like Contrast Security or Trend Micro run within your application in production and can identify and block security issues in real time.
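As an added example (not from the original article), here is what a pipeline-style security test in the spirit of the configuration-scanning and automated-security-test categories above can look like: it scans a constructed set of AWS-style security group rules for administrative ports open to the whole internet and fails the build the way a failing unit test would. The sample groups, port list and function names are assumptions for illustration.

```python
import ipaddress
import json
import sys

# Constructed sample of AWS-style security group rules (not from a real account).
SAMPLE_SECURITY_GROUPS = json.loads("""
[
  {"GroupId": "sg-example-web",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-example-db",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
     {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]
""")

# Administrative and database ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def is_world_open(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_exposed_admin_ports(groups):
    """Return (group_id, port, service) for each admin port open to the internet.
    IpProtocol '-1' means all protocols and ports, so every admin port is flagged."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            if not any(is_world_open(r["CidrIp"]) for r in rule.get("IpRanges", [])):
                continue
            if rule.get("IpProtocol") == "-1":
                ports = sorted(ADMIN_PORTS)
            else:
                lo, hi = rule["FromPort"], rule["ToPort"]
                ports = [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
            findings.extend((group["GroupId"], p, ADMIN_PORTS[p]) for p in ports)
    return findings

if __name__ == "__main__":
    # Non-zero exit fails the pipeline step, just as a failing unit test would.
    findings = find_exposed_admin_ports(SAMPLE_SECURITY_GROUPS)
    for group_id, port, service in findings:
        print(f"{group_id}: {service} (tcp/{port}) open to 0.0.0.0/0")
    sys.exit(1 if findings else 0)
```

In a real pipeline the sample JSON would be replaced by the output of the cloud provider's API, and the check would run on every infrastructure change before deployment.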
Hopefully, this gives you some ideas of the types of security testing and automation that can be built into your development process.
Great article, Maninder Narang, very well articulated, with great insightful information; even a non-security person can easily understand the importance of security. #cloudsecurity #Devsecops #orcasecurity #ci #cspm #cwp #vulnerabilitymanagement
Good one, Maninder. Well summarized, and it gives a glimpse into the available tools. Ultimately, everyone is responsible for security.
Good blog, Maninder. Well articulated for beginners on the DevSecOps team.