DevOps is a set of practices used by some of the most innovative and efficient technology organisations in the world. The goal is to accelerate product and services deliveries, accompanied by improved product support in development and operations. Perhaps the most critical aspect is cultural change, breaking down silos and an emphasis on self-sufficiency.
It's been a decade since DevOps practices were introduced, and perhaps the part of software development practice that has remained most siloed is application security. Recent advances in tools have provided improved integration into software development technology stacks. This allows DevOps professionals to start vetting and reviewing code for vulnerabilities earlier in the software development process. Research by the National Institute of Standards and Technology (NIST) and the Ponemon Institute suggests the relative cost to remediate a vulnerability can be 10- to 30-fold lower when it is discovered at the architecture or design stage than when it is discovered after the application enters production. Late discovery of vulnerabilities in the application will invariably result in delays in product deliveries.
In previous blogs, I have shared the steps required to transform an organisation so that security can be integrated into the software development lifecycle (SDLC) using DevOps principles, and practical methods of adapting existing governance processes to support the speed and agility of DevOps. In addition to the traditional application security ‘toolset’ of manual penetration testing, we now have an array of tools that support security assurance at earlier stages of the software development cycle. Application security toolsets used in development and operations can be grouped into the following categories:
In the diagram below, I depict the locations within the SDLC where current application security tools could be integrated into the software development process, enabling earlier and incremental assessment as well as continuous monitoring after deployment into production.
Please note that the above is a simplified extrapolation of the stages, processes and their connectivity within the SDLC. The blog is based on current tooling capabilities, but the diagram is designed to be vendor-agnostic.