Tuesday 26 June 2018

DevSecOps in the age of the cloud

SECURITY IN DEVOPS:

In DevOps, an application ships new features and functionality with every release to meet business needs, and it is deployed in the cloud for flexibility and faster service delivery. Too often, information security is skipped so that the organisation can make its release date. This blog gives an overview of DevOps versus DevSecOps and of what security professionals and developers need to have ready before integrating DevSecOps.

CONTENT:

  1. DevOps vs DevSecOps
  2. Why we need to move to DevSecOps
  3. Integrating DevSecOps
    1. Are you a security professional or developer in DevSecOps
    2. Integrating tools and technologies
    3. Developers can make a better world
  4. Conclusion

DEVOPS VS DEVSECOPS:

DevOps (development and operations) is a development practice that lets organisations produce and release products and services faster, with continuous delivery of new versions running in the background. It is becoming popular and is being adopted from start-ups to enterprises across many industries. At the same time, DevOps has a drawback: insecure code and bugs can reach production releases, and those bugs can turn into serious security vulnerabilities that lead to data loss or data breaches. To keep the business from slowing down without leaving it exposed to such vulnerabilities, information security has to be integrated into the development phase with security controls; that is how DevSecOps came about. DevSecOps is a model in which information security and DevOps work together.
DevSecOps is similar to DevOps, but security is in place at every phase of development. DevSecOps suits large cloud environments such as Google, Facebook and Netflix: each day they push many thousands of lines of code to production, which cannot be tested after deployment on every release, so security has to be addressed inside the DevOps process itself. In plain DevOps, fixing a vulnerability takes longer than in the DevSecOps model, because the vulnerability is found later.

WHY WE NEED TO MOVE TO DEVSECOPS:

The main reasons companies are moving to DevSecOps are:
  • Code stays secure in every production release.
  • Vulnerabilities are identified and fixed faster in DevSecOps.
  • Integrating security automation tools such as SAST into development improves both continuous delivery and security.

INTEGRATING DEVSECOPS:

Here are some areas where security people and developers need to get ready for DevSecOps:
  1. Are you a security professional or developer in DevSecOps
  2. Integrating tools and technologies
  3. Developers can make a better world

ARE YOU A SECURITY PROFESSIONAL OR DEVELOPER IN DEVSECOPS:

In DevSecOps, both the security professional and the developer are core components, and each one's contribution to security is essential. The security team should contribute to development by bringing in a series of tests and quality conditions without slowing the process down. Once security parameters and metrics are built into development, the chance of security being involved in the DevOps procedures is much higher. Security teams should work with QA and development to define the specific parameters and critical qualifiers that must be satisfied before any code can be promoted (for example, no unresolved high-severity findings from static analysis). The security team should also integrate automated tools into the testing and development environments so that flaws are discovered and fixed as early as possible. Developers, for their part, need to be familiar with secure code review and with the basic preventive coding practices for common vulnerabilities. The radical idea behind DevSecOps is that "everyone is responsible for securing the product".

INTEGRATING TOOLS AND TECHNOLOGIES:

Automating security testing in DevSecOps means building the tests into development and into the delivery process. Find code-level vulnerabilities with secure code review, and add IDE plugins that give instant feedback and remediation guidance as problems are introduced. Combine testing methodologies such as the OWASP testing guides with several technologies, including static analysis (SAST), dynamic analysis (DAST) and software composition analysis (SCA). For example, tools such as Burp Suite and OWASP ZAP can be wired to Jira or another pipeline tool so that testers and developers share one view of the findings. Also make sure your policies line up with the security tools and solutions your developers actually use, so that the security tooling connects into the development environment rather than sitting beside it.
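The promotion gate described in the previous section (agreed qualifiers that code must satisfy before it is promoted) and the tool integration described here meet in one small piece of pipeline code. The following is an added example written for this edit, not code from the original post or from Briskinfosec: it reads a SAST report and a dependency (SCA) report, applies a policy, and fails the build when a qualifier is not met. It assumes the SAST tool emits SARIF 2.1.0 (most current tools can); the SCA report shape, the tool name example-sast, the file paths and the vulnerability ID EXAMPLE-2018-0001 are invented sample data embedded inline so the script runs offline.

```python
# Promotion gate: decide from scanner output whether a build may be promoted.
# Added example, not code from the original post or from Briskinfosec. It assumes
# a SAST tool that emits SARIF 2.1.0 (most current tools can) and an SCA report in
# a simple JSON shape invented here; both sample reports are constructed inline.
import json
from dataclasses import dataclass, field


def _sarif_result(rule, level, text, uri, line):
    """Build one SARIF 2.1.0 result object (used only for the constructed sample)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}


# Constructed sample SAST output (no real scan); SARIF 'level' is error/warning/note.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _sarif_result("sql-injection", "error", "SQL built by string concatenation",
                      "app/orders.py", 42),
        _sarif_result("weak-hash", "warning", "MD5 used for password hashing",
                      "app/auth.py", 17),
        _sarif_result("todo-comment", "note", "TODO left in production code",
                      "app/util.py", 3),
    ]}]})

# Constructed sample SCA report; the JSON shape and the vulnerability ID are invented.
SAMPLE_SCA = json.dumps({"dependencies": [
    {"name": "examplelib", "version": "1.0.0",
     "vulnerabilities": [{"id": "EXAMPLE-2018-0001", "cvss": 9.8}]},
    {"name": "otherlib", "version": "2.3.1", "vulnerabilities": []},
]})


@dataclass
class GatePolicy:
    """The qualifiers security, QA and development agree on before code is promoted."""
    max_sast_errors: int = 0          # any error-level finding blocks the build
    max_sast_warnings: int = 5        # a handful of warnings may ride along
    max_dependency_cvss: float = 6.9  # CVSS 7.0 and above (High/Critical) blocks
    accepted_rules: set = field(default_factory=set)  # formally risk-accepted rules


@dataclass
class GateResult:
    promoted: bool
    reasons: list   # why promotion was refused; empty when promoted
    findings: list  # one line per finding, for the build log or a Jira ticket


def sarif_findings(sarif_text):
    """Flatten SARIF results into (level, rule, path, line, message) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((res.get("level", "warning"), res.get("ruleId", "?"),
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0),
                        res.get("message", {}).get("text", "")))
    return out


def evaluate_gate(sarif_text, sca_text, policy):
    """Apply the policy to both reports; promote only when every qualifier passes."""
    reasons, findings = [], []
    errors = warnings = 0
    for level, rule, path, line, msg in sarif_findings(sarif_text):
        if rule in policy.accepted_rules:
            continue  # risk accepted by the security team; not counted against the gate
        findings.append(f"[SAST/{level}] {rule} {path}:{line}: {msg}")
        if level == "error":
            errors += 1
        elif level == "warning":
            warnings += 1
    if errors > policy.max_sast_errors:
        reasons.append(f"{errors} SAST error finding(s), limit {policy.max_sast_errors}")
    if warnings > policy.max_sast_warnings:
        reasons.append(f"{warnings} SAST warning(s), limit {policy.max_sast_warnings}")
    for dep in json.loads(sca_text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            findings.append(f"[SCA] {dep['name']}=={dep['version']} "
                            f"{vuln['id']} CVSS {vuln['cvss']}")
            if vuln["cvss"] > policy.max_dependency_cvss:
                reasons.append(f"{dep['name']} {dep['version']} carries {vuln['id']} "
                               f"(CVSS {vuln['cvss']}, limit {policy.max_dependency_cvss})")
    return GateResult(promoted=not reasons, reasons=reasons, findings=findings)


if __name__ == "__main__":
    import sys
    result = evaluate_gate(SAMPLE_SARIF, SAMPLE_SCA, GatePolicy())
    print("\n".join(result.findings))
    print("PROMOTE" if result.promoted else "BLOCKED: " + "; ".join(result.reasons))
    sys.exit(0 if result.promoted else 1)  # a non-zero exit fails the CI stage
```

Run it as the last stage of the pipeline, after the scanners have written their reports: the non-zero exit status is what actually stops the promotion, and the findings list is what you would push into Jira for the developer who owns the change. With the constructed sample the build is blocked twice over, by the error-level SQL injection finding and by the vulnerable dependency; the note-level finding is listed but never counts against the gate. The risk-acceptance list is there so the gate does not become a blanket bypass: an entry should be added only by the security team, with an owner and a review date.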

DEVELOPERS CAN MAKE A BETTER WORLD:

If an organisation lacks experienced or qualified security professionals, developers have to take on more of the responsibility for security. In that situation developers need to be trained in security: with proper guidance on remediation and hands-on practice with secure code review tools that check their code for vulnerabilities, developers can make significant improvements in security. A developer who shows a particular interest in security can be grown into a security professional, improving both their secure coding practices and their security testing skills.

CONCLUSION:

In the age of the cloud, adopting DevSecOps requires a great deal of automation and the integration of security into DevOps. The areas discussed in this blog are a good first step towards that adoption. Implementation will require gradual changes as the various concepts are applied within the organisation, and existing frameworks will need to be replaced with the new practices.

AUTHOR

Dinesh C
Security Engineer
Briskinfosec Technology And Consulting Pvt Ltd.,
Follow me: https://www.linkedin.com/in/dineshdinz/