DevOps.com

Build security into your app development

By: contributor on November 17, 2014

Integrate security testing into your dev process now or else face cyber-attacks later

The way we develop software has been radically transformed in the last few years. Agility and speed are vital for any company that wants to compete in the market. To achieve that, it has proven necessary to break down barriers. The idea of separate silos, with developers, operations, testers, and management working in isolation, sometimes even in opposition, is dated and flawed.

We’ve accepted the logic of bringing development and operations together with the DevOps movement. We have also recognized that testing needs to happen earlier in the process. Now it’s time to apply the same logic to security. It’s time to bring InfoSec into the fold.

The security threat

Trends like cloud computing, big data, SaaS, and the BYOD end of the mobile revolution have created new opportunities for increased efficiency and productivity, but they also represent unique challenges for security. Sensitive data, financial information, and intellectual property are all exposed to risk when security is a secondary concern.

The problems that the waterfall model created for testing apply to security as well. Passing applications through the QA process only at the end of production, when the pressure to release was greatest and it was too late to make significant changes, made fixes more expensive and degraded software quality.

If we don’t integrate security testing into the development process and make it part of the software development lifecycle now, then we run the risk of encountering exactly the same problem. We waste time retro-fitting functionality that should have been there in the first place, and we all know the pain of securing a hybrid system with legacy software that wasn’t designed with modern security threats in mind.

How to address security in software development

Automation for testing has enabled developers to move towards a continuous delivery system where new features can be rolled into live software as they are created. How do we ensure that security is maintained?

  • Secure programming education is required to make sure developers are limiting and testing inputs, storing only the minimum data needed and encrypting it, compartmentalizing the system, questioning requirements that may introduce security risks for little gain, limiting privileges, and analyzing and auditing the code.
  • IAST (Interactive Application Security Testing) allows you to combine elements of static and dynamic techniques to run automated tests continuously on the software under development and see how it copes with malicious traffic. Since IAST monitors data inside the application it can pinpoint issues that might arise from real-world attacks, enable a useful assessment of the impact, and make it easier to remediate.
  • Security analysts are needed to properly configure your tools and interpret the results. You can buy the best security tools in the world, but you have to know how to leverage them and act on the data. An external analysis can provide real insights that will boost application security.
  • OWASP (The Open Web Application Security Project) is a great community where you can find innovative solutions to modern software security challenges. It can help you understand secure development standards and it’s packed with invaluable resources and advice from experts around the globe.

Bringing InfoSec on board from the outset will help you build security considerations like these into your development pipeline. It will save time and money in the long term.

Ongoing research and modelling

It’s important to model potential threats and test for them, but you must be aware that new threats evolve and emerge all the time. Dedicated InfoSec employees will continually research and explore the new trends and risks in the security industry. Opening a direct line between DevOps and InfoSec enables them to pass along that wisdom and fold it into the mix when it’s relatively cheap and easy to do.

The security testing in your development pipeline is no more static than any other element. It has to be continually reviewed and modernized to ensure it continues to deliver results. Continuous real-time monitoring will deliver the oversight you need.

Building for the future

There’s no question that cyber-attacks will come, but if you prepare properly you can detect and nullify them with minimal effort. When considering the investment now, you must factor in the cost of lost confidence, post-mortem forensic investigation, and significant redevelopment to close any gaps in your defenses in the event of a future breach.

Once you have built solid foundations for security in your application development, they will benefit every project going forward. Taking a long-term view makes financial sense and results in better quality software.

About the Author

Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, MA, with clients such as Smith & Wesson, Middlesex Savings Bank, Brown University and SMBs. You may reach her at [email protected].

Filed Under: Blogs, DevSecOps Tagged With: app dev, appsec, data security
