The importance of security as code in DevSecOps

Source: GitLab Blog | Author: Vanessa Wegner

What is security as code?

Security as code is the driving force behind the future of application security. According to O’Reilly, security as code is the practice of building security into DevOps tools and workflows by mapping out how changes to code and infrastructure are made and finding the places to add security checks, tests, and gates, without introducing unnecessary cost or delay. Through infrastructure as code (IaC), developers can define infrastructure using programming languages. Keeping security at the speed of DevOps requires the same approach.

At a basic level, security as code can be achieved by integrating security policies, tests, and scans into the pipeline and code itself. Tests should be run automatically on every code commit, with results made immediately available to developers for fixing. By bringing security scans to the code as it’s written, teams will save both time and money by streamlining the review process later in the software development lifecycle (SDLC).

Why is it important?

Security as code is key to shifting left and achieving DevSecOps: It requires that security be defined at the beginning of a project and codified for repeated and consistent use. In this way, it gives developers a self-service option for ensuring their code is secure.

Predefined security policies boost efficiency, and also allow for checks on automated processes to prevent any mishaps in the deployment process (like accidentally taking down the whole infrastructure because a problem wasn’t identified in a staging environment).

Six security as code capabilities to prioritize

Francois Raynaud, founder and managing director of DevSecCon, said that security as code is about making security more transparent and getting security practitioners and developers to speak the same language. In other words – security teams need to understand how developers work, and use that insight to help developers build the necessary security controls into the SDLC. Developers can reciprocate by staying open-minded as they adopt new tools and practices to boost security during the development process. Here are six best practices and capabilities to build into your pipeline:

  1. Automate security scans and tests (such as static analysis, dynamic analysis, and penetration testing) within your pipeline so that they can be reused across all projects and environments.
  2. Build a continuous feedback loop by presenting results to developers, allowing them to remediate issues while coding and learn best practices during the coding process.
  3. Evaluate and monitor automated security policies by building checks into the process. Verify that sensitive data and secrets are not inadvertently shared or published.
  4. Automate complex or time-consuming manual tests via custom scripts, with human sign-off on results if necessary. Validate the accuracy and efficiency of test scripts so that they can be replicated across different projects.
  5. Test new code within a staging environment to allow for thorough security and low-impact failure, and test on every code commit.
  6. Scheduled or continuous monitoring should automatically create logs (or red flags) within a review dashboard (such as GitLab’s Security Dashboard feature).
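
The policy check in items 2 through 4 can itself be written as code that runs as a pipeline job on every commit. The following is an added example, not code from GitLab or from this post: a small policy-as-code gate that reads a scanner report, applies a predefined severity threshold, honours reviewer-approved exceptions only while they are unexpired and within a maximum window, and prints file-and-line feedback for developers. The report and exceptions file are constructed here and shaped after a simplified version of GitLab's security report JSON (a `vulnerabilities` list with `id`, `severity`, `name` and `location`); the exceptions format, the `POLICY` values and the sample date are assumptions for the example.

```python
"""Policy-as-code gate for scanner results (added example; formats are assumed)."""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# GitLab severity vocabulary, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"Unknown": 0, "Info": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# The codified policy: one source of truth reused unchanged by every project.
POLICY = {
    "block_at_or_above": "High",   # findings at this severity or higher fail the job
    "max_exception_days": 90,      # a signed-off exception may not stay open longer than this
}

# Fixed "today" so the example is reproducible (assumed date).
SAMPLE_TODAY = date(2025, 1, 1)

# Constructed sample report (not real scanner output), shaped like a simplified
# GitLab security report: a "vulnerabilities" list with id, severity, name, location.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "v1", "severity": "Critical", "name": "SQL injection",
         "location": {"file": "app/db.py", "start_line": 42}},
        {"id": "v2", "severity": "High", "name": "Hardcoded credential",
         "location": {"file": "tests/fixtures.py", "start_line": 7}},
        {"id": "v3", "severity": "High", "name": "Path traversal",
         "location": {"file": "app/files.py", "start_line": 19}},
        {"id": "v4", "severity": "Medium", "name": "Cookie without HttpOnly",
         "location": {"file": "app/web.py", "start_line": 88}},
        {"id": "v5", "severity": "High", "name": "Weak hash for password",
         "location": {"file": "app/auth.py", "start_line": 63}},
    ],
})

# Constructed exceptions file: human sign-off on specific findings, each with an expiry.
SAMPLE_EXCEPTIONS = json.dumps([
    {"id": "v2", "approved_by": "appsec-reviewer", "approved_on": "2024-12-01",
     "expires": "2025-02-01", "reason": "fixture credential used only in unit tests"},
    {"id": "v3", "approved_by": "appsec-reviewer", "approved_on": "2024-06-01",
     "expires": "2024-08-01", "reason": "mitigated at the edge; fix scheduled"},
    {"id": "v5", "approved_by": "appsec-reviewer", "approved_on": "2024-01-01",
     "expires": "2025-06-01", "reason": "migration to a password hash in progress"},
])


@dataclass
class Verdict:
    passed: bool
    blocking: list = field(default_factory=list)   # must be fixed before merge
    expired: list = field(default_factory=list)    # exception lapsed: fix or renew
    accepted: list = field(default_factory=list)   # covered by a live, in-policy exception


def exception_is_valid(exc, today):
    """Return (window_ok, unexpired): the window may not exceed the policy maximum."""
    approved = date.fromisoformat(exc["approved_on"])
    expires = date.fromisoformat(exc["expires"])
    window_ok = (expires - approved).days <= POLICY["max_exception_days"]
    return window_ok, expires >= today


def evaluate(report_json, exceptions_json, today=None):
    """Apply POLICY to a report and return a Verdict (pure function, easy to reuse and test)."""
    today = today or date.today()
    report = json.loads(report_json)
    exceptions = {e["id"]: e for e in json.loads(exceptions_json)}
    threshold = SEVERITY_RANK[POLICY["block_at_or_above"]]
    verdict = Verdict(passed=True)
    for finding in report["vulnerabilities"]:
        if SEVERITY_RANK.get(finding["severity"], 0) < threshold:
            continue  # below the gate: still visible on the dashboard, not blocking
        exc = exceptions.get(finding["id"])
        if exc is None:
            verdict.blocking.append(finding)
            continue
        window_ok, unexpired = exception_is_valid(exc, today)
        if not window_ok:
            verdict.blocking.append(finding)   # an over-long exception counts as no exception
        elif not unexpired:
            verdict.expired.append(finding)
        else:
            verdict.accepted.append(finding)
    verdict.passed = not verdict.blocking and not verdict.expired
    return verdict


def feedback_lines(verdict):
    """Developer-facing feedback for the job log: action, severity, file:line, finding."""
    lines = []
    for action, group, note in (("FIX", verdict.blocking, ""),
                                ("RENEW", verdict.expired, " (exception expired)"),
                                ("OK", verdict.accepted, " (accepted)")):
        for f in group:
            loc = f["location"]
            lines.append(f"{action:<5} {f['severity']:<8} {loc['file']}:{loc['start_line']}  {f['name']}{note}")
    return lines


def main():
    verdict = evaluate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, today=SAMPLE_TODAY)
    print("\n".join(feedback_lines(verdict)))
    sys.exit(0 if verdict.passed else 1)   # non-zero exit fails the pipeline job


if __name__ == "__main__":
    main()
```

Run as a job script, the non-zero exit fails the pipeline, so the gate applies identically to every project that includes it, while the exceptions file keeps the human sign-off reviewable and time-boxed rather than silently permanent.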

Security as code is a best practice for a bigger goal

Security as code gives pragmatic meaning to the concept of DevSecOps, but it should not be your end goal. Ultimately, security as code is a means to get more people on board with integrating security throughout your SDLC. The idea will feel familiar to developers who have practiced infrastructure as code, and it provides an opportunity for security to step into the fray both to better understand software development and to help design the policies that will be codified in the process.

As your team works its way toward becoming a well-oiled DevSecOps machine, security as code will inevitably present itself as a smart solution within a complex endeavor.

GitLab’s DevSecOps methodology assessment

There’s a lot to cover when standing up a DevSecOps process – so to help you master the key elements, we created a DevSecOps methodology assessment. Score yourself on 20 capabilities, and then use those scores to understand your DevSecOps maturity level, and determine what actions your team can take to bring your DevSecOps to the next level. Download the assessment here.

Cover image by Tim Evans on Unsplash
