Today, SAFECode is excited to join the Cloud Security Alliance in sharing a new report offering practical guidance on integrating security automation into the software development lifecycle. The paper, The Six Pillars of DevSecOps: Automation, was developed in collaboration with the Cloud Security Alliance as part of a larger project around identifying best practices to support the secure implementation of DevOps, commonly referred to as DevSecOps.
Automation is particularly important in a DevSecOps environment because it creates the process efficiency needed to enable developers, infrastructure, and security teams to focus less on repetitive security tasks and more on delivering value. Application, host, and container vulnerability scanning as well as monitoring are all examples of security activities that can and should be automated. In essence, the paper explains how DevSecOps can “shift-left and accelerate right.”
Today’s paper focuses on cloud-based security automation for DevOps but can certainly be useful for non-cloud-based software as well. The main goal is to enable a fast, reciprocal flow of information to DevOps teams so that they can create and validate secure code by design. This approach helps avoid making security an afterthought, and sheds some light on how to weave security into every step of the release pipeline. All of the guidance shared in the paper is based on the real-world experiences of the authors and contributors. Topics covered include:
- Common impediments to automation and suggested mitigation techniques
- Common misconceptions about security testing in DevSecOps environments and practical testing how-tos
- An overview of a risk-based release pipeline and how automation can be addressed at each stage, as well as a discussion of several best practices that are applicable to DevSecOps regardless of the software development stage
- Practical advice around streamlining some of the most daunting topics to automate in DevSecOps such as threat modeling, proper crypto handling, and security control assessments
We hope that you find this paper valuable and we look forward to continuing our collaboration with the Cloud Security Alliance. As part of this effort, we plan to address several more important DevSecOps topics, including training, process integration, and practical approaches to measurement. If you are a SAFECode member interested in participating in our joint working group, please contact us to get involved. In the meantime, those interested in our DevSecOps work can also check out our recent paper that takes an in-depth look at how to build and maintain a security-supportive culture.