Enterprise security and DevOps teams have traditionally operated separately with little to no engagement, often making it difficult to quickly identify and respond to potential vulnerabilities in applications and software. In my last column, I highlighted the value of introducing security to the DevOps process to reduce bugs and vulnerabilities before code hits production. By moving security as close as possible to the code and data, coupled with tight feedback loops, organizations will be in a better position to support the growing complexity of building software.
DevOps emphasizes an agile infrastructure that can change rapidly as new code is deployed, making it a breeding ground for bugs and vulnerabilities when security isn’t taken into consideration. So how do you close the DevOpsSec gap within your organization? The secret is to start simple, take small steps and earn easy wins. Below are five tips:
- Build a development team that cares about its code in production. Your developers must care about their code when they are writing it, when they add new features, when it runs in production and when they fix issues. The team should have complete ownership of the code, what I like to call “code love,” and be able to defend it as if it were their child.
- Implement peer code reviews. The first way to encourage “code love” is through peer code reviews, which allow developers to see what others are writing, encourage them to work together and foster discussions among the team on how to improve processes. Additionally, with these review processes, teams will be able to identify bad practices early on and improve them.
- Introduce a test-driven development environment. Test-driven development means reproducible tests, which a continuous integration (CI) server can then run, security tests included, every time code is submitted. Many organizations do this inconsistently, don’t do it well or bypass this step entirely. By having developers do more testing and reviews, you can more tightly integrate DevOps and security within the organization.
- Extend the automation. Once the above is established, it’s time to extend the automation. Encourage your team to do code style and quality testing, which are additional tools to automate “code love”. Good clean code that is easy to read will always have fewer bugs. Additionally, introduce static security analysis to your CI server to help identify low-hanging fruit and implementation issues early on. Another option is to introduce abuse cases by having your team write malicious user stories and turn them into tests. These are a great way to ensure the same issues don’t regress, and simultaneously serve as training material for new team members.
- Build firefighting teams. To ensure that everyone across the board cares about this process, pull members of the DevOps and security teams and put them on call together on a weekly basis. This collaboration will allow each team member to see the issues other teams face and how their needs overlap, building a deeper understanding of each other’s roles and processes. After “code love,” this is the second most important feedback loop you can introduce to your organization.
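As an added example (not from this column), here is one way a team could turn malicious user stories into abuse-case tests that the CI server runs on every commit, so a fixed issue cannot quietly return; the redirect validator, the allowed host and the stories are all constructed for illustration and come from no real project:

```python
"""Abuse cases as regression tests, run by CI on every commit.
Constructed example: the redirect validator is a hypothetical
component, and each malicious user story becomes a test case.
"""
from urllib.parse import urlsplit

# Constructed allow-list of hosts a post-login redirect may point to.
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target: str) -> bool:
    """Accept only same-site relative paths or HTTPS URLs on an allowed host."""
    # Browsers treat a backslash like a slash, so "/\\host" resolves off-site.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path; "//host/..." is protocol-relative, so reject it too.
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


# Malicious user stories as (story, input, expected verdict).
ABUSE_CASES = [
    ("As an attacker, I send a victim an absolute URL to my own site",
     "https://evil.example/login", False),
    ("As an attacker, I bypass a 'starts with /' check with //host",
     "//evil.example/", False),
    ("As an attacker, I use a backslash that the browser reads as a slash",
     "/\\evil.example/", False),
    ("As an attacker, I hide my host behind userinfo in the URL",
     "https://app.example.com@evil.example/", False),
    ("As an attacker, I use a look-alike subdomain of my own domain",
     "https://app.example.com.evil.example/", False),
    ("As an attacker, I supply a javascript: URL instead of a location",
     "javascript:alert(1)", False),
    # Legitimate stories guard against over-blocking when someone hardens the check.
    ("As a user, I return to my dashboard after login", "/dashboard", True),
    ("As a user, I return to a page on the app's own host",
     "https://app.example.com/settings", True),
]


def failing_abuse_cases() -> list:
    """Return the stories whose verdict does not match; CI fails unless empty."""
    return [story for story, target, expected in ABUSE_CASES
            if is_safe_redirect(target) is not expected]
```

Wiring `failing_abuse_cases()` into the CI job as a failing check is what stops a later "simplification" of the validator from reopening one of these stories.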
To successfully initiate DevOpsSec within an organization, developers need clear parameters to work within that include the security team in the software development lifecycle (SDLC). By breaking down organizational silos and encouraging the cross-pollination of DevOps and security teams, they’ll be able to gain a better understanding of the issues they each deal with and naturally introduce joint solutions.