Source: GitLab Blog | Author: Vanessa Wegner
프로젝트를 DevOps에서 DevSecOps로 전환하는 3 가지 방법입니다.
최근 몇 년 동안 애플리케이션은 우리가 일하든 놀든 늘 함께 있어주는 동반자가 되었습니다. 현재 앱들은 정말 멋진 것들을 할 수 있습니다. 예를 들어, 앱 사용자가 4시간 안에 움직이지 않았다는 사실 알려 주고 가장 효율적으로 파스타를 요리하는 법 가르쳐 주고 여러분에게 귀여운 고양이 사진을 보여주는 것입니다.
They also collect data. Tons of it. They connect directly to your network, feed information into your business decisions and help you create a competitive advantage. But what happens when that app isn’t well-protected? Chaos. Devastation. So many angry tweets.
Aside from the social media rampage, a successful cyberattack can wreak havoc on your business, especially if it goes undiscovered for weeks or months. Possible fines, lawsuits, lost customers, executive turnover, and general turmoil await the next victim of a massive attack.
For these reasons, you need to take care of application security, best done by integrating it into your software development lifecycle at the earliest possible phase.
Security can’t come in last anymore
Say you’re at an amusement park. It’s awesome. You’re about to ride a brand new roller coaster, and you’re pumped. Would you want to wait in line for three hours, only to be turned away because you wore the wrong type of shoes? If only you had known the ride required trainers instead of Birkenstocks.
This is how application security is traditionally managed. Your shoes are the security criteria. The roller coaster is an application launch. And the line is your development pipeline. Why wait until the end of the dev process to find out which security requirements you need to fulfill?
Web applications are among the top two attack vectors, and yet according to Gartner, application security sees the least amount of spending from IT security budgets across many industries – ringing in at only 14% on average.
Secure sooner, release faster
Application security is not just about running tests at every code commit (although you should definitely do that); a strong DevSecOps practice will build security into the design phase, before any code is written. Improve your lifecycle efficiency with these three best practices:
1. Good application security relies on trust and collaboration
Collaboration needs to start immediately on every project: Bring together your project leaders and security delegates. Give them one meeting (with a pre-read or pre-plan) to devise a set of security measures that need to be fulfilled by code written for this project, and plan out the automated tests that developers will need to run on their code. Making these decisions together will foster both trust in the process and encourage buy-in to a security-by-design mentality.
Rob Cuddy from IBM advises your joint team adopt three important communication points to take your DevSecOps to the next level:
- Communicate only serious issues – and filter out excess noise using AI and machine learning to verify your security scans.
- Talk about the elephant in the room: Open source. Third party and open source code is omnipresent in software development, so it’s critical to address it directly to reduce the likelihood of preventable attacks.
- Get to the root issues and deal with them faster: Find and fix false negatives before they’re exploited.
Take these steps to encourage direct, honest, and tactful communication across teams – it will help you build and maintain a level of trust and credibility critical to efficient and effective DevSecOps.
2. Follow through on security planning with integrated testing
Given the limited resources available for application security and its criticality for business success, it only makes sense to run tests at every code commit. Ideally, these tests will be written once to meet project or organizational standards, and then run automatically against every code change. Gartner advises teams focus tests on areas within the application that provide the most coverage but require minimal maintenance. Also according to Gartner, teams should analyze code from every structural level to look for issues affecting the operational performance of an app. The code should be safe, robust, efficient, and easy to maintain.
Preventative measures like SAST and dependency scanning will save time in later phases by reducing the number of code defects before the code is merged and helping developers understand how changes will impact other areas of the application. Establishing test criteria first will also help developers improve the overall quality of their code by providing them with standards to refer to and achieve while writing code.
3. Use test results to educate, not punish
Applying test results as negative reinforcement is not a constructive practice. Beyond remediation, results can be leveraged in two ways:
- The individual developer should use results as learnings on how to produce higher quality code.
- At the group level, test results should be scanned for patterns in coding practices that can be improved upon, and used to create standards that will help improve code quality across the entire team or organization.
Improve application security and time to delivery with DevSecOps
The general consensus is in: Time spent up-front on security saves significantly more time and resources in the final phases of app development. As businesses race to keep up with customer expectations, they also must keep pace with an evolving cybersecurity landscape – an effort that often starts with the developer: The quality of an app’s code is its last line of defense.