Making Moves: How to Successfully Transition to DevSecOps

What tools and techniques should you follow when transitioning to DevSecOps

Veracode

Most companies realize that DevSecOps is the true nirvana, but they are not sure how to get there. For starters, a successful transition to DevSecOps means that security and development teams need to reevaluate their roles. Ensuring the stability and security of software is no longer just the security team’s responsibility; it now includes developers. Developers should be testing, and security professionals should now be governing the testing. This culture shift can be a real challenge, given that most security professionals have never worked alongside development teams and are not familiar with their processes, priorities, or tools. But once security and development teams are able to successfully work hand in hand, DevSecOps is achievable.

With this culture shift in mind, how do we formulate an AppSec strategy that transforms DevOps into DevSecOps? In its new report, Building an Enterprise DevSecOps Program, analyst firm Securosis provides an outline of the security tools and techniques needed at each stage in the software development lifecycle:

Develop Phase

  • Automate security testing.
  • Make it easy for developers to get secure and internally approved open source libraries.
  • Set up your "security champions" program, training selected members of the development teams in security basics.
  • Consider incorporating security into test-driven development.
  • Analyze your application’s code using IAST.

Test Phase

  • Design your app to fail visibly when a flaw is present, rather than continuing silently.
  • Address security tests that are slowing down your deployments by running multiple tests in parallel.
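One way to wire the items above (internally approved open source libraries, security tests run in parallel, and the build breaking when a flaw is found) into a pipeline gate, as an added example that is not from the article or from Veracode: it parses constructed SARIF-style scanner output (the report format many SAST tools emit), checks a dependency manifest against an allowlist, and fails the gate on any error-level finding. The tool names, the allowlist, and the sample reports are assumptions made up for this example.

```python
import json
from concurrent.futures import ThreadPoolExecutor

# Constructed allowlist of internally approved open source libraries: name -> approved versions.
APPROVED_LIBRARIES = {"requests": {"2.31.0"}, "cryptography": {"42.0.5"}}

# Constructed SARIF-style output from two security tools (tool names are placeholders).
SAMPLE_REPORTS = {
    "sast": json.dumps({"runs": [{"tool": {"driver": {"name": "example-sast"}}, "results": [
        {"ruleId": "sql-injection", "level": "error"},
        {"ruleId": "verbose-logging", "level": "note"}]}]}),
    "iast": json.dumps({"runs": [{"tool": {"driver": {"name": "example-iast"}}, "results": []}]}),
}

# SARIF result levels in increasing severity; SARIF defaults a missing level to "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def check_dependencies(manifest, allowlist=APPROVED_LIBRARIES):
    """Return the (name, version) pairs that are not on the approved-library list."""
    return [(name, ver) for name, ver in manifest if ver not in allowlist.get(name, set())]


def blocking_results(sarif_text, min_level="error"):
    """Parse one SARIF document and return the rule ids at or above min_level."""
    doc = json.loads(sarif_text)
    threshold = LEVEL_RANK[min_level]
    return [r["ruleId"] for run in doc.get("runs", []) for r in run.get("results", [])
            if LEVEL_RANK.get(r.get("level", "warning"), 2) >= threshold]


def security_gate(manifest, reports=SAMPLE_REPORTS, min_level="error"):
    """Check the manifest and parse every report in parallel; return (passed, blockers)."""
    blockers = {}
    unapproved = check_dependencies(manifest)
    if unapproved:
        blockers["approved-libraries"] = unapproved
    # Each tool's report is processed concurrently so a slow scanner does not serialize the gate.
    with ThreadPoolExecutor() as pool:
        parsed = pool.map(lambda item: (item[0], blocking_results(item[1], min_level)), reports.items())
        for tool, rule_ids in parsed:
            if rule_ids:
                blockers[tool] = rule_ids
    # The gate "breaks" (returns False) on any blocker instead of letting the deployment continue.
    return not blockers, blockers


if __name__ == "__main__":
    ok, why = security_gate([("requests", "2.31.0"), ("leftpad", "1.0.0")])
    print("PASS" if ok else f"FAIL: {why}")
```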

Pre-Release Phase

  • Run your security testing on on-demand elastic cloud services to speed it up.
  • Prevent unnecessary data breaches by locking down production environments so quality assurance and development personnel cannot exfiltrate regulated data or bypass your security controls.

Deploy Phase

  • Use automation instead of manual processes whenever possible.
  • Start by using smoke tests to make sure that the test code that worked in pre-deployment still works in deployment.
  • Consider employing penetration testers to examine the application at runtime for flaws.

Copyright © 2020 IDG Communications, Inc.