Best practices for DevSecOps

Originally Posted by IBM

DevSecOps should be the natural incorporation of security controls into your development, delivery, and operational processes.


Shift left

'Shift left' is a DevSecOps mantra: it encourages software engineers to move security from the right (end) to the left (beginning) of the DevOps (delivery) process. In a DevSecOps environment, security is an integral part of the development process from the beginning. An organization that uses DevSecOps brings its cybersecurity architects and engineers into the development team. Their job is to ensure that every component and every configuration item in the stack is patched, configured securely, and documented.

Shifting left allows the DevSecOps team to identify security risks and exposures early and ensures that these security threats are addressed immediately. Not only is the development team thinking about building the product efficiently, but they are also implementing security as they build it.

Security education

Security is a combination of engineering and compliance. Organizations should form an alliance between the development engineers, operations teams, and compliance teams to ensure everyone in the organization understands the company's security posture and follows the same standards.

Everyone involved with the delivery process should be familiar with the basic principles of application security, the Open Web Application Security Project (OWASP) Top 10, application security testing, and other security engineering practices. Developers need to understand threat models and compliance checks, and have a working knowledge of how to measure risk and exposure and how to implement security controls.

Culture: Communication, people, processes, and technology

Good leadership fosters a good culture that promotes change within the organization. In DevSecOps it is essential to communicate clearly who is responsible for the security of each process and who owns each product. Only then can developers and engineers become process owners and take responsibility for their work.

DevSecOps operations teams should create a system that works for them, using the technologies and protocols that fit their team and the current project. By allowing the team to create the workflow environment that fits their needs, they become invested stakeholders in the outcome of the project.

Traceability, auditability, and visibility

Implementing traceability, auditability, and visibility in a DevSecOps process leads to deeper insight and a more secure environment:

  • Traceability allows you to track configuration items across the development cycle to where requirements are implemented in the code. This can play a crucial part in your organization’s control framework as it helps achieve compliance, reduce bugs, ensure secure code in application development, and help code maintainability.
  • Auditability is important for ensuring compliance with security controls. Technical, procedural, and administrative security controls need to be auditable, well-documented, and adhered to by all team members.
  • Visibility is a good management practice in general, but very important for a DevSecOps environment. This means the organization has a solid monitoring system in place to measure the heartbeat of the operation, send alerts, increase awareness of changes and cyberattacks as they occur, and provide accountability during the whole project lifecycle.

About Sicura

The Automated Security Platform for DevOps Teams.

Sicura automatically enforces and remediates technical security controls in a DevSecOps platform to bridge the gap between security and engineering teams.

Our platform fixes misconfigurations, prevents breaches, and remediates security drift. We automate security into DevOps workflows and give engineers their jobs back.