The global paradox
Software is the king and developers are the kingmakers. This statement reflects the growing demand for software: current business transformation requires interaction with computers or computer-assisted objects at every turn. Such omnipresent computing also raises the incentives for misuse, thereby increasing the overall risk portfolio, and software in particular. In the thick of things lies agile software development, a methodology rapidly adopted by organizations that build software. Being responsive to change and delivering software at speed is the essence of the agile methodology. Security, both as a process and as a technology, requires intensive planning and detailed analysis to arrive at the desired result. Even some of the best practices and frameworks encourage security testers to adopt a manual, intrusive approach for the best outcome. This brings us to the global paradox: whether to deliver software at high velocity, which competitiveness in the current marketplace demands, or to focus on the imperative security challenge of delivering secure software, which is perceived to slow that velocity down.
Defining a new approach
We should understand that the state of security today is similar to the state of operations back when DevOps was in its nascent phase.
The velocity of change creates a major challenge and requires a new way of thinking about security. To ensure seamless alignment with the agile methodology and integration with DevOps, a change in approach is required in the following aspects:
- Security is always viewed as a technology problem, rather than taken as a holistic approach to tackling the business challenges.
- Current security processes suit the Waterfall model rather than agile, which requires more collaboration with developers in order to work faster and more iteratively.
- Security is always a push, not a pull, as the development team does not proactively engage the security team.
- Only experienced security practitioners can use the security tools and interpret their results.
- Reliance on a manual approach to identifying vulnerabilities in the application, which requires a significant amount of time and effort.
- The focus is always on finding, not fixing. It is great to identify security issues upfront, but there must also be ways to handle an issue that is discovered later in the lifecycle or in production.
- Security effectiveness is measured by the mere identification of vulnerabilities rather than by overall enablement to deliver secure software.
Approach security as a journey, not a destination; this means developing a progressive security program. The program should not only focus on the technical aspects but also create the right framework to fit the business objectives of the organization. To create such a framework, it is important to understand the ecosystem governing the organization in terms of people, process, and technology. The section below enumerates best practices for building an effective and robust DevSecOps framework encompassing this golden triad: