URL: https://thenewstack.io/security-testing-must-be-part-of-software-development-life-cycle/

Security Testing Must Be Part of Software Development Life Cycle
DevOps / Security (contributed)

Security should be an integral part of the automated testing process to help with verifying compliance requirements.
Aug 26th, 2021 3:00am by Chris Medina
Feature image via Pixabay.
Chris Medina
Chris has been managing operations and leading engineering teams for more than 27 years with the military and private enterprise. He currently leads the federal vertical as the general manager for the Chef product line at Progress Software. Prior to Progress, Chris served as a Cyber CTA at Proofpoint security, supporting product solutions and integration, and also supported Specialty Engineering for Dell/EMC as a director of customer solution architecture. Chris graduated from Radford University in 1995 with an intensity in neural physics and served in the U.S. Navy and U.S. Navy Reserve for nine years supporting intelligence operations and the Explosive Ordnance Disposal groups out of Stump Neck, Maryland.

The DevOps world is acutely aware of the past struggles to integrate security into the software development life cycle (SDLC). While the pros of uniting these all-too-siloed teams are very clear, the cons remain costly and continue to be a barrier to organizations marrying these functions together for good. Meaning? DevOps makes software deployment faster, but without proper controls developers may also be unwittingly releasing security vulnerabilities more quickly.

Security should be an integral part of the automated testing process to help verify compliance requirements. This modern DevOps framework is crucial for developers, because running security checks only after development increases the likelihood that vulnerabilities slip through. According to a Chef survey, security automation speeds software delivery and improves quality: DevSecOps adopters are three times as likely as non-adopters to see security as something that speeds up software delivery, and most organizations (84%) agree that security improves quality as well.

Without security built in, the gap keeps widening as the software moves further along the pipeline unless it is addressed immediately. Speed in innovation is nothing without security in the SDLC. In an era of rapidly developing threats and continually evolving compliance frameworks, it is alarming that it can take weeks, and even up to two months, to remediate these violations or vulnerabilities.

So what is the solution? Defining everything as code can help bridge this security gap in the SDLC. Code serves as a single source of truth, a shared common language among teams that can be used to codify infrastructure configuration, security and compliance. Defining “everything as code” — from compliance policies, to infrastructure, to application dependencies — can bridge the gap between teams in the software development life cycle by serving as a common language that can be shared, scaled and automated. From there, unambiguous tests make the result easily readable by all parties involved: security engineers, auditors, systems administrators and others.

Shift-left testing also integrates security earlier in the process and results in fewer errors before reaching production. Developers can be more ingrained in the workflow, and it also creates a sense of ownership. By defining everything as code, teams can easily reference what the security postures are, how their features should comply and how to influence change if necessary.

According to a Gartner study, through 2022, 90% of software development projects will claim to follow DevSecOps practices, up from 40% in 2019. The risks and consequences associated with flawed code and faulty infrastructure configurations are too severe to ignore in the early development stages, especially with the increase of cyberattacks and teams being pushed to produce software on accelerated timelines.

Below are a few best practices for integrating security into the SDLC during the build process. By embracing this DevOps approach, developers can be more agile and efficient.

Define compliance as code to be referenced as one source of truth that is easy to understand and use with teams at scale:

  • Create custom policies — Give staff the capability to quickly get up to speed writing custom “desired state” policies, or extending existing ones, in high-level and domain-specific languages (DSLs).
  • Infrastructure as code (IaC) — Keep infrastructure configurations in a format that is compatible with version control systems (VCS), enabling peer code review, version control, change auditability, and automated testing and deployment via CI/CD processes and tooling.
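To make the first practice concrete, here is an added example (not code from the article, and not Chef InSpec or any Chef product) of a tiny compliance-as-code DSL in Ruby. It borrows the control/describe shape that desired-state policy tools use, evaluates a policy against a constructed host snapshot, and turns the results into a pipeline gate. Every name in it (HostSnapshot, Policy, the control ids, the threshold values) is hypothetical, and the controls are illustrative rather than CIS or STIG text.

```ruby
# Added example (not from the article or from Chef/Progress): a minimal
# compliance-as-code DSL. All class names, control ids and sample values are
# hypothetical; the snapshot below is constructed, not gathered from a host.

# A host snapshot is the "actual state" a policy is evaluated against.
class HostSnapshot
  attr_reader :sshd, :files, :packages

  def initialize(sshd:, files:, packages:)
    @sshd = sshd          # Hash of sshd_config key => value
    @files = files        # Hash of path => { mode: "0644", owner: "root" }
    @packages = packages  # Array of installed package names
  end
end

# One check inside a control: a description plus a predicate over the host.
Check = Struct.new(:description, :block)

# A control groups related checks under an id and an impact (0.0..1.0).
class Control
  attr_reader :id, :title, :impact, :checks

  def initialize(id, title, impact)
    @id, @title, @impact = id, title, impact
    @checks = []
  end

  # DSL method: describe("what") { |host| predicate }
  def describe(description, &block)
    @checks << Check.new(description, block)
  end
end

class Policy
  attr_reader :controls

  def initialize(&definition)
    @controls = []
    instance_eval(&definition)
  end

  # DSL method: control "id", title:, impact: do ... end
  def control(id, title:, impact: 0.5, &block)
    c = Control.new(id, title, impact)
    c.instance_eval(&block)
    @controls << c
  end

  # Evaluate every check against the snapshot; a control passes only when
  # all of its checks pass. Returns one result hash per control.
  def evaluate(host)
    controls.map do |c|
      failures = c.checks.reject { |chk| chk.block.call(host) }
      { id: c.id, title: c.title, impact: c.impact,
        status: failures.empty? ? :passed : :failed,
        failed_checks: failures.map(&:description) }
    end
  end
end

# A baseline written in the DSL (illustrative controls, not CIS/STIG text).
BASELINE = Policy.new do
  control "ssh-01", title: "Root login over SSH is disabled", impact: 1.0 do
    describe("PermitRootLogin is no") { |h| h.sshd["PermitRootLogin"] == "no" }
  end

  control "ssh-02", title: "Password authentication is disabled", impact: 0.7 do
    describe("PasswordAuthentication is no") { |h| h.sshd["PasswordAuthentication"] == "no" }
    describe("sshd_config is root-owned and 0600") do |h|
      f = h.files["/etc/ssh/sshd_config"]
      f && f[:owner] == "root" && f[:mode] == "0600"
    end
  end

  control "pkg-01", title: "Telnet server is not installed", impact: 0.9 do
    describe("telnetd absent") { |h| !h.packages.include?("telnetd") }
  end
end

# Constructed snapshot of a host that deviates on exactly one control.
SAMPLE_HOST = HostSnapshot.new(
  sshd: { "PermitRootLogin" => "no", "PasswordAuthentication" => "yes" },
  files: { "/etc/ssh/sshd_config" => { mode: "0600", owner: "root" } },
  packages: %w[openssh-server sudo]
)

# Summarise results the way a CI/CD gate would: block deployment when any
# control at or above the impact threshold fails.
def gate(results, threshold: 0.7)
  blocking = results.select { |r| r[:status] == :failed && r[:impact] >= threshold }
  { passed: results.count { |r| r[:status] == :passed },
    failed: results.count { |r| r[:status] == :failed },
    blocking_ids: blocking.map { |r| r[:id] },
    allow_deploy: blocking.empty? }
end

if __FILE__ == $PROGRAM_NAME
  results = BASELINE.evaluate(SAMPLE_HOST)
  results.each { |r| puts "#{r[:id]} #{r[:status]} #{r[:failed_checks].inspect}" }
  puts gate(results).inspect
end
```

The point of the DSL layer is the one the article makes: the policy reads the same to a security engineer, an auditor and the developer who has to fix the failing control, and the gate turns that shared definition into an automated decision instead of a manual review.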

The less human intervention during the review and testing process, the better, because it reduces the amount of error:

  • Rollback/grace period — Where configurations may have been changed directly on the server, e.g. in operational emergencies, an ability to define a grace period within which urgent configuration changes can be undone.

Create a regular cadence for secure coding practices such as managing gap analysis and threat modeling, and create a checklist of security risks:

  • Workflow/case management tools — Provide integration with workflow tools (e.g. ServiceNow, Jira, webhooks) for dealing with compliance deviations that may require manual intervention. This supports change and/or request management.
  • Exception management — Enable integration with workflow tools (e.g. ServiceNow, Jira, webhooks) for exception management, e.g. approval/review of individual deviations from desired-state configuration, two-person-rule observations and CI/CD pipeline visibility.

Provide a set of security baselines that can be easily customized, such as CIS Compliance Benchmarks and DISA STIGs:

  • Configuration drift — Customers can use Chef to mitigate the configuration drift problem, preventing servers from deviating from a desired (known-good) state. Hosts can self-heal by detecting configuration drift and performing automated remediation.
  • Monitor configuration — Monitor and control the configuration on thousands of different servers (Linux and Windows), ranging from physical to virtual machines, using IT automation software.
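The drift and self-healing practice above, together with the earlier rollback/grace-period point, can be shown end to end. The following is an added example in Ruby, not code from the article and not how Chef implements drift remediation: it diffs a codified desired state against a constructed actual state, heals the drift automatically, and defers only those deviations that are covered by a recorded emergency change still inside its grace period. The DESIRED and ACTUAL hashes, the EmergencyChange record, the ticket id and the two-hour grace value are all constructed for the example.

```ruby
# Added example (not from the article or from Chef): configuration drift
# detection with automated remediation and an emergency-change grace period.
# All data below is constructed; the function names are hypothetical.
require "time"

# Desired state: the codified, version-controlled source of truth.
DESIRED = {
  "/etc/ssh/sshd_config" => { "PermitRootLogin" => "no", "MaxAuthTries" => "4" },
  "/etc/sysctl.conf"     => { "net.ipv4.ip_forward" => "0" }
}.freeze

# An out-of-band change made directly on the host (e.g. during an incident),
# recorded with the time it was made and the ticket that authorised it.
EmergencyChange = Struct.new(:path, :key, :made_at, :ticket)

# Compare actual to desired; return one drift entry per missing or
# mismatched key (path, key, wanted value, observed value).
def detect_drift(desired, actual)
  desired.each_with_object([]) do |(path, settings), drift|
    settings.each do |key, want|
      have = actual.dig(path, key)
      drift << { path: path, key: key, want: want, have: have } if have != want
    end
  end
end

# Decide per drift entry: heal it now, or defer it because a recorded
# emergency change covering the same setting is still within the grace period.
def plan_remediation(drift, emergencies, now:, grace:)
  drift.map do |d|
    e = emergencies.find { |x| x.path == d[:path] && x.key == d[:key] }
    if e && (now - e.made_at) < grace
      d.merge(action: :deferred, expires: e.made_at + grace, ticket: e.ticket)
    else
      d.merge(action: :heal)
    end
  end
end

# Apply the plan to a deep copy of the actual state (self-healing) and
# return the healed state plus the list of settings that were changed.
def remediate(actual, plan)
  healed = Marshal.load(Marshal.dump(actual))
  changed = []
  plan.each do |p|
    next unless p[:action] == :heal
    (healed[p[:path]] ||= {})[p[:key]] = p[:want]
    changed << "#{p[:path]}:#{p[:key]}"
  end
  [healed, changed]
end

# Constructed actual state with two deviations from DESIRED.
ACTUAL = {
  "/etc/ssh/sshd_config" => { "PermitRootLogin" => "yes", "MaxAuthTries" => "4" },
  "/etc/sysctl.conf"     => { "net.ipv4.ip_forward" => "1" }
}.freeze

NOW = Time.parse("2021-08-26T03:00:00Z")
EMERGENCIES = [
  # ip_forward was flipped 30 minutes ago under a ticket: still inside grace.
  EmergencyChange.new("/etc/sysctl.conf", "net.ipv4.ip_forward", NOW - 30 * 60, "INC-0001")
]
GRACE = 2 * 60 * 60 # two hours, in seconds

# One converge run: detect, plan, heal, then re-check what is still drifted.
def run(now: NOW, grace: GRACE)
  drift = detect_drift(DESIRED, ACTUAL)
  plan = plan_remediation(drift, EMERGENCIES, now: now, grace: grace)
  healed, changed = remediate(ACTUAL, plan)
  { drift: drift, plan: plan, healed: healed, changed: changed,
    remaining: detect_drift(DESIRED, healed) }
end

if __FILE__ == $PROGRAM_NAME
  r = run
  r[:plan].each do |p|
    puts "#{p[:path]} #{p[:key]}: #{p[:have].inspect} -> #{p[:want].inspect} [#{p[:action]}]"
  end
  puts "healed: #{r[:changed].inspect}; still drifted: #{r[:remaining].size}"
end
```

Two design choices matter here. Drift is computed from the desired state, so a setting that has been removed from the host is reported as drift just like a wrong value. And deferral is tied to a recorded, ticketed change with an expiry, so an unrecorded manual edit is healed on the next run while an authorised emergency change survives only until its grace period ends, which is the rollback behaviour the list item describes.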
