Automation: 5 Reasons to Developers Early Adopt in Application Security

By Douglas Bernardini

Moving to a DevSecOps model doesn’t happen overnight. Rather, it’s both a strategic and continual improvement process aimed at delivering:

Continuous security: Embracing a “secure by design” principle, leveraging automated code scanning and automated application security
testing throughout the development lifecycle and at a granular level (e.g., in the integrated development environment (IDE), on code submit
to the repository, during code build, test-driven security).
Increased efficiency and product quality: Security vulnerabilities are detected and remediated as early as possible in the pipeline, when
the cost to fix them is lower. This increases the speed at which quality code can be delivered.
Enhanced compliance: Security auditing, monitoring, and notification systems are automated, and outputs are fed back into the pipeline,providing continuous, demonstrable compliance.
Increased collaboration: By integrating development, security, and operations, DevSecOps fosters a culture of openness andtransparency from the earliest stages of productdevelopment.

1.Development-based security controls

Traditional models use “tollgates” and “checkpoints” to test for vulnerabilities after development is complete. This stops the forward flow momentum by sending the product back to development for rework and remediation; however, in the DevSecOps world where speed and quality is paramount, this does not work.
Instead, by using a ‘shift-left’ approach, the objective is to secure the product in the design stage and create as many secure services that developers can take advantage of in the CI/CD pipeline.

The following table highlights the fact that many security services can be leveraged before and after the product development lifecycle, reducing workload and impact to the actual code development pipeline.

2. Operations-based security controls

Due to the ephemeral nature of IT assets in the cloud, traditional methods of tracking assets and monitoring activity have become obsolete. Rather, dynamic attribution methods such as tagging should be built into the DevSecOps environment so that assets created and deployed
through automation can be instantly visible and traceable.
Additionally, if a misconfigured or unauthorized publicly-accessible service is stood up, an automated configuration correction/deletion using AWS Lambda can be applied within minutes, keeping the organization safer from accidental or intentional vulnerability exploits.

3.Development-based security controls

Integrate code analysis tools early into the development process, even within the developer’s IDE.
Automatically discover and apply patches to vulnerable open-source software prior to deployment.
Perform automated dynamic application security testing against pre-production code.
Perform regular vulnerability assessments to identify and remediate potential application weaknesses.

4.Operations-based security controls

Use proactive, automated monitoring of log health and relevant security events.
Implement automated configuration monitoring, patch management, privilege access controls, and user management controls.
Monitor the production environment for deviations from expected behavior and/or exploitation of known/unknown vulnerabilities.

5.The DevSecOps team

DevSecOps emphasizes the culture change, one that results in a world where developers, operations, and security teams can collaborate more efficiently. Security teams working more closely with the application developers and operations team can better understand daily habits and workflows and devise ways to effectively integrate security into the software development lifecycle (SDLC), infrastructure as a code (IaaC), etc.

• Hardened security practices: An approach that was developed over many years of implementing cloud and application security for our
prestigious client.

• Improved time to market: Automated checks built into the cloud deployment pipeline look for regularly occurring failures and autocorrect them without human intervention.

• Increased compliance: Ability to reduce compliance findings and decrease time from audit request to evidence delivery.

Some references users in this article:

https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-integrating-and-automating-security-into-a-devsecops-model.pdf

Some reading recommended:

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.