DevSecOps Checklist: 13 Best Practices to Shift Security Left

DevSecOps is a modernized agile methodology that combines the efforts of development, operation and security teams. When working together to integrate security into every step of the development process, teams can deliver applications safely, at a massive scale. DevSecOps helps teams catch issues early, before they cause damage, and while they are still easy to fix. By making security a shared responsibility and shifting it left (towards developers and DevOps engineers), your company can deal with vulnerabilities before they enter production, saving time and reducing costs drastically. When you get down to the core of it, DevSecOps is built for agility and velocity. 

Risk mitigation around software supply chains is going through an awakening post-SolarWinds. DevSecOps helps mitigate a range of significant security risks in application development and highlights that you must do the best you can as a security organization. Put in the right tools. Institute best practices. Train your developers and security teams in best practices. Incentivize your vendors to follow suit.  

While the process of shifting to DevSecOps can be a complex one, often involving several teams and many stakeholders, executing on a few quick wins and tracking your progress along the way is critical. That’s where our DevSecOps best practices checklist comes in. We’ve broken these best practices out into three categories to make the transition a little easier for you and your team: quick wins, process improvements, and culture shifts. 

Learn more from our team of experts on DevOps to DevSecOps transformation in this free guide here.

DevSecOps best practices

Quick win best practices

Digital transformation of enterprises and public sector organizations around the world has accelerated in recent years. However, digital transformation brings with it new digital assets such as applications, websites, and databases, and this increases an enterprise’s attack surface. To prevent costly breaches, protect reputation, and maintain customer relationships, organizations need to implement a DevSecOps security approach that is built on industry-proven best practices.

Here are three quick win best practices that organizations can use as a start when implementing DevSecOps:

1. Sanitize Sensitive Data: There are several open source tools that can detect personally identifiable information (PII), secrets, access keys, etc. Run a simple check for sensitive data, because a leaked credential in a GitHub repository could mean big trouble for your data and infrastructure.
2. Utilize IDE Extensions: Developers use integrated development environments (IDE) and text editors to create and modify code. Utilizing IDE extensions to identify vulnerabilities and security flaws as developers are writing code is an easy way to catch security issues early on. It also serves as a way to educate developers on good coding practices. 
3. Integrate Security into CI/CD: There are many open source Continuous Integration/Continuous Delivery (CI/CD) tools available such as Jenkins, GitLab CI, Argo, etc. Your team can integrate one or more security solutions into their current and future CI/CD pipelines. A good solution would include alerts and events that allow developers to resolve the security issue before pushing anything into production.

Process best practices

Now is the time to review the security of your DevSecOps pipeline to ensure that the tools and workflow powering your software development are secure from attacks. Here are some key tips to consider as you evaluate your approach to integrating security at each stage of the development lifecycle:

4. Analyze Front End Code: Cybercriminals love to target front-end code due to its high number of reported vulnerabilities and security issues. Use CI/CD pipelines to detect security flaws early and share that information with developers so they can fix the issue.
5. Leverage Automation: It’s always a good idea to make sure that attackers haven’t injected any malicious code into software containers, especially since container security is critical for a safe software supply chain. With Anchore Enterprise, teams can automate how to identify and remediate container security risks and monitor post-deployment for new vulnerabilities.
6. Go Cloud Native: As mentioned above, containers can be a great way to ensure immutability. Paired with a powerful orchestration tool, such as Kubernetes, containers can completely transform the way you run distributed applications. There are many benefits to “going cloud-native,” and several ways enterprises can protect their data and infrastructure by securing their cloud-native applications
7. Implement Pre-Commit Hooks: Exposing secrets such as application programming interface (API) keys, database credentials, service tokens, and private keys to source code repositories occurs more frequently than you might think and can be costly for organizations. In 2019, security researchers discovered over 200,000 unique secrets on GitHub. Integrating pre-commit tools in code repositories can prevent your secrets from being pushed inadvertently.
8. Utilize Secrets Management: Ensuring that sensitive information is protected is no small task. This is where secrets management comes into play. Every organization should have a set of tools and processes to protect passwords, API keys, SSH keys, and other secrets. Besides providing a secure method for storing secrets, secrets management can also facilitate other best practices such as auditing, role-based access control, and lifecycle management.
9. Role-Based Access Controls: Modern environments have robust access control systems. Individuals should only have access to areas they need to accomplish their tasks rather than giving them access to everything. By assigning appropriate roles for development and operations the attack surface can be reduced.

Culture best practices

The cultural changes that DevSecOps brings to software development can almost be more important than the tooling because it brings security concerns into the development lifecycle versus making security the last stop (and the last night) before applications hit production. 

Here are four culture best practices to consider for your organization, when building internal teams and working with vendors as part of the DevSecOps journey:

10. Share Information: Transparency yields trust with sharing between the DevOps and security teams inside enterprises. Transparency along the software supply chain builds trust.
11. Be Clear on Measurement: Shared metrics with DevOps and security teams cooperating on shared goals will help achieve compliance and security. It only works if you have clear lines of communication to set realistic expectations.
12. Build Trust: When you build trust internally and with your vendor teams along your software supply chain, it becomes easier to share information and collaborate on security and operational challenges. 
13. Create a Safe Environment: You also want to create an environment where your team, not to mention vendors, can feel safe asking questions and bringing up technology and business issues.

Benefits of implementing DevSecOps best practices

From government agencies to fast food chains, DevSecOps has enabled organizations to quickly and securely transform their services and assets. For example, the U.S. Department of Defense Enterprise DevSecOps Services Team has changed the average amount of time it takes for software to become approved for military use to days instead of years. For the first time ever, that same team managed to update the software on a spy plane that was in flight, now that is one impressive example that underscores the benefit of DevSecOps collaboration.

On the commercial side of things, we witnessed firsthand how the pandemic forced many businesses to adopt new ways of doing things, especially in the food industry. For example, with restaurant seating shut down during the pandemic, Chick-fil-A had to rely heavily on its drive-thru, curbside, and delivery services. Where do those services begin? Software applications! Chick-fil-A uses GitOps, Kubernetes, and AWS and controls large amounts of sensitive data for all of its customers, making it critical that Chick-fil-A implements DevSecOps instead of just DevOps. Imagine if your favorite fast food chain was hacked and your data was stolen – that would be extremely detrimental to business. 

Learn about how Anchore helped the U.S. Department of Defense with its DevSecOps pipeline here. 

Measuring the impact

Whether your company builds web apps or deploys mission-critical software on jets, you should be thinking about ways to minimize your attack surface and measure how much DevSecOps moves the needle for your organization.

Here are three ways to measure the impact of DevSecOps in your organization:

1. Implement Threat Modeling: Threat Modeling not only helps security teams define security requirements and assess underlying risks associated with new and existing applications; it fosters ongoing communication between security and development teams. Integrating threat modeling tools in the development lifecycle promotes collaboration between each team on the system architecture and provides a consistent method for tracking key information. Microsoft’s Threat Modeling Tool and OWASP’s Threat Dragon are popular open source tools used in DevSecOps pipelines to conduct threat modeling.
2. Launch End-to-end Traceability: Use your organization’s goals and metrics as a driver to improve security and development tools reporting across your pipelines. This will help your team deliver additional data to management and stakeholders about project progress through your pipelines. 
3. Standardize Security Reporting: Be proactive and work with stakeholders to understand what reporting requirements are for their management. Update your security reporting to reflect your traditional endpoints and network perimeter. Give your team the most accurate picture using data on the current state of software development and security over your projects.

Streamline your transition and DevSecOps processes with Anchore

At Anchore, we believe that everyone should know what’s inside the container images they build and consume. That is why the core of our Anchore Enterprise platform is a frictionless DevSecOps automation tool. With deep image inspection and vulnerability scanning across all layers, your team can shift security left with our API-first DevSecOps solution for cloud-native development. 

From source code to application deployment, the Anchore Enterprise platform protects your organization at every step of the way. Learn more about our DevSecOps solution here.