
Top 10 Hacks from Gartner to Implement DevSecOps

Discover top tips from Gartner on implementing DevSecOps effectively. Learn how to integrate security into your development process and enhance your app's protection.
  • Posted on: Jul 22, 2019
  • By Harshit Agarwal
  • Read time 3 Mins Read
  • Last updated on: Feb 27, 2025

As more businesses embrace the digital age, information technology needs continuous improvement. However, one of the biggest challenges is getting information security to adapt to development processes and tools rather than the other way around.

Whether an organization uses DevOps or not, it is equally responsible for producing secure and compliant app code. Integrating security into DevOps, however, means changing processes, technology, and mindsets.

For DevSecOps to be seamless, SRM (Security and Risk Management) leaders need to work within the core nature of DevOps, which combines collaboration and agility.

From 2016 to 2017, Gartner saw a fast-growing interest from clients in how to deliver DevSecOps and integrate security into DevOps.

From analyzing successful DevSecOps initiatives and client conversations, Gartner concluded that the following 10 areas must be prioritized to implement DevSecOps.

10 tips on DevSecOps implementation from Gartner

1. Security testing tools and processes must adapt to developers, not vice versa

The idea is to integrate security as a continuous part of the development process. This can’t be done by forcing DevOps developers to adopt old information security processes. Since information security professionals have always been accustomed to having developers conform to these processes, a change in mindset is required. The payoff is that the “Sec” in DevSecOps becomes silent: security is present in the pipeline without getting in the developers' way.

2. Recognize that it is impossible to eliminate all vulnerabilities in the development stage

Any attempt to achieve perfect security will only hamper a developer's speed and agility. False positives and negatives waste a lot of time that could otherwise have been spent moving development forward. Instead, complement testing with run-time protection controls, accepting that not every vulnerability will be removed before release. Such controls can be viewed as an integrated part of DevSecOps.

3. DevSecOps must first focus on eliminating critical vulnerabilities that are easy to identify

Since most developers rely heavily on prebuilt components, containers, frameworks, and libraries, security scanning can focus on removing known vulnerabilities from such elements before they even enter the production line.

4. Identify vulnerabilities in custom code

Identifying known vulnerabilities in reused components is one task; finding unknown vulnerabilities in custom code is a separate challenge. SRM leaders need to scan for these unknown vulnerabilities by tweaking or replacing traditional testing solutions. One can’t expect traditional static and dynamic testing tools to fit a DevOps pipeline without making changes.

5. Train developers on the basics of security

Though developers may never become security experts, some knowledge on the subject would help them consider security while developing. Their training can help them identify fundamental security issues or flaws during development. They will also be better positioned to collaborate effectively with the security team.

Did you know?

According to Analytical Research Cognizance, the global DevSecOps market is expected to grow at a CAGR of 33.7% during the forecast period 2017-2023. The rising security breaches, awareness about DevSecOps platforms, need for improving SDLC by reducing the time wasted, and the increasing investment activities have led to the demand for DevSecOps (Source).

6. Use a security champion model

This gives your organization an individual within the development team who acts as a security expert and advisor. Such an advisor can spot potential design and implementation issues early on. Security champions reduce the effort of writing secure code by providing immediate remedies when issues are found.

7. Cut off vulnerabilities at the source

We know developers use several components, frameworks, and libraries to build nearly 50-60% of the code. Rather than wait for any vulnerabilities to be introduced and scanned, why not block these from ever entering the code?

For some organizations, the risk associated with developers downloading code directly from the internet is too high. In these cases, the download is blocked right at the source. For others, developers may be restricted to managed code repositories like GitHub.
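Items 3 and 7 describe the same control from two angles: scan reused components for known vulnerabilities before they reach production, and refuse components that come from unapproved sources. The following CI gate is an added example written for this post, not code from Gartner or the blog author; the manifest format (`name==version @source`), the package names, versions, sources and advisory ids are all constructed for illustration.

```python
"""Dependency gate run before the build: fail on any pinned component that
falls under a known advisory or that was fetched from an unapproved source.
All package names, versions, advisory ids and source names are constructed."""
from __future__ import annotations

# Constructed advisory feed: package -> [(first fixed version, severity, id)].
ADVISORIES = {
    "fastjsonlib": [("1.4.2", "critical", "EXAMPLE-ADV-001")],
    "imgcodec": [("3.0.0", "high", "EXAMPLE-ADV-002")],
}
# Only components pulled from these (constructed) sources may enter the build.
APPROVED_SOURCES = {"internal-mirror", "vetted-registry"}


def parse_version(text: str) -> tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); tuple comparison gives numeric ordering."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(manifest: str) -> list[tuple[str, str, str]]:
    """Lines look like 'name==version @source'; blanks and comments skipped."""
    entries = []
    for line in manifest.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        spec, _, source = line.partition("@")
        name, _, version = spec.strip().partition("==")
        entries.append((name, version, source.strip()))
    return entries


def gate(manifest: str) -> list[str]:
    """Return the reasons the build must be blocked; an empty list means pass."""
    failures = []
    for name, version, source in parse_manifest(manifest):
        if source not in APPROVED_SOURCES:
            failures.append(f"{name}: source '{source}' is not approved")
        for fixed_in, severity, adv_id in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                failures.append(
                    f"{name}=={version}: {severity} {adv_id}, fixed in {fixed_in}")
    return failures


# Constructed manifest: one vulnerable pin, one unapproved source, one clean entry.
SAMPLE_MANIFEST = """
fastjsonlib==1.3.9 @internal-mirror    # below the fixed version 1.4.2
imgcodec==3.1.0 @random-download-site  # patched, but from an unapproved source
httpkit==2.0.0 @vetted-registry
"""

if __name__ == "__main__":
    for reason in gate(SAMPLE_MANIFEST):
        print("BLOCKED:", reason)
    raise SystemExit(1 if gate(SAMPLE_MANIFEST) else 0)
```

Because the gate exits non-zero on any finding, wiring it into the pipeline stops the build before a vulnerable or unvetted component reaches the production line.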

8. Have operational discipline in automated scripts

It’s essential not to exempt the infrastructure and the runtime platform from these controls. Source code controls should also apply to the infrastructure, which means version control on all software-defined items. Having these controls in place ensures that the correct version of a script is the one that actually runs.

9. Maintain version control in all disciplines

Any organization should use reasonable source code version control throughout the app's development. Capturing every detail of a change is vital in high-velocity environments: what was changed, who changed it, when it was changed, any authorizations granted, and so on. This record comes in handy when tracing where the code's risks and vulnerabilities came from.

10. Implement immutable infrastructure

If nobody can make changes directly on the production systems, the infrastructure is said to be immutable. If changes are needed, they are made back in development and rolled out by automated tools. In DevSecOps, an immutable infrastructure mindset proactively advances and improves security.

These strategies can help overcome the hurdles of DevSecOps. Since the world is quickly becoming a digital business, DevSecOps will secure a strong foothold. A Gartner survey revealed that collaboration with information security was the highest-ranked strategy for dealing with DevOps in a regulated environment. So, it’s only a matter of time before everyone gradually adopts DevSecOps to improve code quality and security.
