
Top 10 Hacks from Gartner to Implement DevSecOps

Discover top tips from Gartner on implementing DevSecOps effectively. Learn how to integrate security into your development process and enhance your app's protection.
  • Posted on: Jul 22, 2019
  • By Harshit Agarwal
  • Read time 3 Mins Read
  • Last updated on: Jan 20, 2025

As more and more businesses embrace the digital age, there is a need for continuous improvement in Information Technology. However, one of the biggest challenges faced is getting information security to adapt to the development processes and tools, rather than it being the other way around.

Whether or not an organization uses DevOps, it is equally responsible for producing secure and compliant code in app development. Integrating security into DevOps, however, means changing processes, technology, and mindsets.

For DevSecOps to be seamless, SRM (Security and Risk Management) leaders need to work within the core nature of DevOps, which combines collaboration and agility.

From 2016 to 2017, Gartner saw a fast-growing interest from clients in how to deliver DevSecOps and integrate security into DevOps.

From analyzing successful DevSecOps initiatives and conversations with clients, Gartner concluded that the following 10 areas must be prioritized to implement DevSecOps.

10 useful Gartner tips to implement DevSecOps

1. Security testing tools and processes must adapt to developers, not vice versa

The idea is to integrate security as a continuous part of the development process. This can’t be done by forcing DevOps developers to adopt old information security processes. Information security professionals have always been accustomed to having developers conform to their process, so turning this around requires a change in mindset. But it is what will make the “Sec” in DevSecOps silent.

2. Recognize that it is impossible to eliminate all vulnerabilities in the development stage

Any attempt at perfect security will only hamper the speed and agility of a developer. Chasing false positives and false negatives wastes time that would otherwise be spent moving development forward. It is better to implement run-time protection controls that don’t try to eliminate every possible vulnerability, and to treat those controls as an integrated part of DevSecOps.

3. DevSecOps must first focus on eliminating critical vulnerabilities that are easy to identify

Since most developers rely heavily on prebuilt components, containers, frameworks, and libraries, security scanning can focus on removing known vulnerabilities from such elements before they even enter the production line.

4. Identify vulnerabilities in custom code

While identifying vulnerabilities in known code is a task on its own, finding them in custom code is another challenge. SRM leaders need to scan for unknown vulnerabilities by tweaking or replacing the traditional testing solutions; traditional static and dynamic testing tools can’t be relied on without any changes.

5. Train developers on the basics of security

Though a developer may never become a security expert, some knowledge of the subject helps them bear security in mind while they develop. This training helps them identify fundamental security issues and flaws during development, and leaves them better positioned to collaborate effectively with the security team.

Did you know?

According to Analytical Research Cognizance, the global DevSecOps market is expected to grow at a CAGR of 33.7% during the forecast period 2017-2023. The rising security breaches, awareness about DevSecOps platforms, need for improving SDLC by reducing the time wasted, and the increasing investment activities have led to the demand for DevSecOps (Source).

6. Use a security champion model

This gives your organization an individual who acts as an expert and advisor. Such an advisor can spot potential design and implementation issues early on. Security champions reduce the complexity of coding securely by providing immediate remedies.

7. Cut off vulnerabilities at the source

We know that developers use several components, frameworks, and libraries to build nearly 50-60% of the code. Rather than wait for vulnerabilities to be introduced and then scanned for, why not block them from ever entering the code?

For some organizations, the risk associated with developers downloading code directly from the internet is too high. In these cases, the download is blocked right at the source. For others, developers may be restricted to managed code repositories like GitHub.
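As an added example (not code from the original post or from Gartner), here is a small merge gate in the spirit of tips 3 and 7: it refuses a dependency manifest that pins a component to a version covered by a known advisory, that pulls from anywhere other than the approved internal index, or that leaves a dependency unpinned. The advisory identifiers, the index URL and the sample manifest are all constructed placeholders.

```python
import re

# Constructed advisory list, not real identifiers: package -> [(first fixed version, advisory id)]
ADVISORIES = {
    "examplelib": [("2.4.1", "ADV-0001")],   # every version below 2.4.1 is affected
    "oldparser": [("1.0.0", "ADV-0002")],
}
# Constructed: the only package index developers are allowed to pull from
APPROVED_SOURCES = {"https://pypi.example.internal/simple"}

def parse_version(v: str) -> tuple:
    """Turn '2.3.0' into (2, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def parse_manifest(text: str):
    """Read 'name==version' lines plus an optional '--index-url' line. Unpinned
    requirements are rejected: they can resolve to a vulnerable release on the next build."""
    deps, index = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--index-url"):
            index = line.split(None, 1)[1]
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps.append((m.group(1).lower(), m.group(2)))
    return index, deps

def gate(text: str) -> list:
    """Return the list of findings; an empty list means the manifest may be merged."""
    index, deps = parse_manifest(text)
    findings = []
    if index not in APPROVED_SOURCES:
        findings.append(f"index {index!r} is not an approved source")
    for name, ver in deps:
        for fixed_in, adv in ADVISORIES.get(name, []):
            if parse_version(ver) < parse_version(fixed_in):
                findings.append(f"{name}=={ver} is affected by {adv}; upgrade to >={fixed_in}")
    return findings

# Constructed sample manifest: one vulnerable pin, one already-fixed pin, one unknown package
SAMPLE = """--index-url https://pypi.example.internal/simple
examplelib==2.3.0
oldparser==1.2.0
safelib==0.9.1
"""
```

Running `gate(SAMPLE)` yields a single finding for `examplelib==2.3.0`; a CI job would fail the merge on any non-empty result.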

8. Have operational discipline in automated scripts

Infrastructure and the runtime platform must not be left out of these controls. Source code controls should also apply to the infrastructure, including version control on all software-defined items. Having these controls in place ensures that the correct version of a script is used.

9. Maintain version control in all disciplines

Any organization should use reasonable source code version control throughout the app's development. Capturing every detail of changes made is vital in high-velocity environments - what was changed, who changed it, when it was changed, any authorizations granted, etc. This comes in handy when identifying where the code's risks and vulnerabilities came from.

10. Implement immutable infrastructure

If nobody can make changes directly on the production systems, the infrastructure is said to be immutable. If changes are needed, they are made back in development and then rolled out by automated tools. In DevSecOps, an immutable infrastructure mindset proactively advances and improves security.

These strategies can help overcome the hurdles of DevSecOps. As business moves rapidly into the digital world, DevSecOps will secure a strong foothold. A Gartner survey revealed that the highest-ranked strategy for dealing with DevOps in a regulated environment was collaboration with information security. So it’s only a matter of time before everyone gradually adopts DevSecOps to improve code quality and security.
