
5 Things Developers Need to Learn for DevSecOps Success in 2023

February 23, 2023

by Margaret Ward

In today’s agile app production landscape, DevOps is integral to every organization’s approach. While developers have become accustomed to constant releases, DevOps practitioners find integrating security into the pipeline a major challenge.

Despite the talk of security’s “shift to the left,” most developers are unaware of the vital role security plays in modern application releases.

As such, DevSecOps, the marriage of DevOps and security, is often treated as an aspirational standard instead of a set of practical principles. To succeed in modern organizations, developers must understand that DevSecOps is much more than an idea. 

Here are five crucial DevSecOps principles modern developers must know.

Zero Trust

Zero Trust, or ZT, is central to modern application security. At its core, ZT assumes that everyone is a potential threat until proven otherwise. This view is in stark contrast to legacy approaches that used credential-based access to validate a user’s intentions. ZT assumes a highly pessimistic view of a user’s intentions, and for good reason.

Modern IT landscapes are a complex collection of remote servers, cloud apps, and microservices. Machines dominate this landscape, and they access information faster than human security teams can monitor them. The result is a lack of oversight over who and what is accessing data, so a single compromise can jeopardize the entire network.

When its principles inform your identity and access management (IAM) approach, ZT effectively gives security teams more control – over both machines and humans. From a developer’s perspective, granting microservices access in code or freely accessing cloud containers is no longer standard practice. DevSecOps requires coders to understand API-based secrets and credential management tools such as Akeyless.

Akeyless’ SaaS-based approach is a good illustration of how ZT works in the modern app delivery pipeline: engineers inject credentials and other secrets dynamically at runtime, without compromising the speed of code production. The tool integrates with an organization’s sprawling container estate, avoiding the need for additional infrastructure maintenance.
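What “injecting secrets dynamically” looks like in code, as an added example that is not from the article and not Akeyless’ own client library: the in-memory `_FAKE_VAULT` below is a constructed stand-in for a secrets-manager API so the file runs offline, and the `billing-svc` / `reports-svc` names and values are invented. The shape is the same whichever vault backs it: a service identity can read only its own namespace, each secret carries a lease, and the value never appears in `repr` or `str`.

```python
"""Runtime secret injection with per-service scoping and expiry.

Added example, not code from the article or from Akeyless: _FAKE_VAULT
stands in for a secrets-manager API so the file runs offline.  All
values are constructed test data.
"""
import time
from dataclasses import dataclass, field
from typing import Optional


# Constructed stand-in for a secrets manager.  A real service would fetch
# these over an authenticated API at startup; nothing here belongs in git.
_FAKE_VAULT = {
    "billing-svc/db": {"value": "s3cr3t-db-pass", "ttl": 300},
    "billing-svc/api-key": {"value": "ak_example_0001", "ttl": 60},
    "reports-svc/db": {"value": "other-db-pass", "ttl": 300},
}


@dataclass
class Secret:
    """A leased secret.  The value is excluded from repr and str so it
    cannot leak through logging or tracebacks by accident."""
    name: str
    _value: str = field(repr=False)
    expires_at: float = 0.0

    def reveal(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if now >= self.expires_at:
            raise RuntimeError(f"secret {self.name} lease expired; fetch it again")
        return self._value

    def __str__(self) -> str:
        return f"<Secret {self.name}>"


class SecretProvider:
    """Fetches short-lived secrets for one service identity."""

    def __init__(self, service: str, vault: Optional[dict] = None, clock=time.time):
        self.service = service
        self._vault = _FAKE_VAULT if vault is None else vault
        self._clock = clock

    def get(self, key: str) -> Secret:
        # Least privilege: a service identity can only read its own namespace,
        # and the key may not contain separators that would escape it.
        if "/" in key:
            raise PermissionError(f"invalid secret key {key!r}")
        path = f"{self.service}/{key}"
        entry = self._vault.get(path)
        if entry is None:
            raise PermissionError(f"{self.service} may not read {path}")
        return Secret(path, entry["value"], self._clock() + entry["ttl"])


def connect_db(provider: SecretProvider) -> str:
    """Build the connection string at call time instead of from a
    module-level constant; the credential lives only as long as its lease."""
    secret = provider.get("db")
    return f"postgresql://billing:{secret.reveal()}@db.internal/billing"


if __name__ == "__main__":
    provider = SecretProvider("billing-svc")
    print(provider.get("db"))       # shows <Secret billing-svc/db>, never the value
    print(connect_db(provider))
```

The contrast with the legacy pattern is the absence of any `DB_PASSWORD = "..."` constant: the credential is fetched by identity, scoped, and expires, which is what lets a security team revoke or rotate it without a code change.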

ZT is at the core of DevSecOps, and developers must learn its implications quickly to succeed.

Static application security testing

Static application security testing, or SAST, actually brings security to the left and gives developers a taste of security processes and accountability. Security automation is a good answer to modern DevOps limitations, but it doesn’t solve every issue. Automation, if mishandled, can turn security into a black box that developers do not understand.

SAST addresses this issue by giving developers almost instant feedback on their code, helping them internalize security priorities as they code. The result is better coding practices and less time spent running code through an opaque tool that offers feedback without context.
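The kind of inline finding a SAST tool produces, as an added example that is not from the article and is not how Klocwork or any other commercial scanner works internally: two rules implemented over Python’s `ast` module, flagging string literals assigned to credential-looking names and subprocess calls made with `shell=True`. `SAMPLE_SOURCE` is a constructed snippet written to trigger both rules; the rule names and fix hints are invented.

```python
"""A tiny SAST rule engine over Python's ast module.

Added example, not the article's code and not a commercial scanner's
logic.  SAMPLE_SOURCE is constructed to trigger both rules.
"""
import ast
import re

# Variable names that should never be assigned a string literal.
SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key)$", re.IGNORECASE)
# subprocess entry points where shell=True hands the string to /bin/sh.
SHELL_CALLS = {"run", "call", "check_call", "check_output", "Popen"}

SAMPLE_SOURCE = '''\
import os
import subprocess

DB_PASSWORD = "hunter2"                 # rule 1: literal credential
api_key = os.environ["API_KEY"]         # fine: injected at runtime

def list_dir(path):
    return subprocess.run("ls " + path, shell=True)   # rule 2
'''


def _call_name(node: ast.Call) -> str:
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_source(source: str, filename: str = "<string>"):
    """Return (line, rule, detail, fix) tuples, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((node.lineno, "HARDCODED_SECRET", target.id,
                                     "load it from the environment or a secrets manager"))
        elif isinstance(node, ast.Call) and _call_name(node) in SHELL_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) \
                        and kw.value.value is True:
                    findings.append((node.lineno, "SHELL_TRUE", _call_name(node),
                                     "pass an argument list and drop shell=True"))
    return sorted(findings)


def format_findings(findings, filename: str = "app.py"):
    """Render findings the way an editor plugin would show them inline."""
    return [f"{filename}:{line}: {rule} ({detail}): {fix}"
            for line, rule, detail, fix in findings]


if __name__ == "__main__":
    for line in format_findings(scan_source(SAMPLE_SOURCE)):
        print(line)
```

Note that `api_key = os.environ["API_KEY"]` is not flagged: the rule keys on a string literal being assigned, not on the variable name alone, which is the difference between feedback with context and a tool that only pattern-matches.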

Typically, SAST tools such as Klocwork are paired with dynamic application security testing (DAST) tools that validate API calls and other dynamic entities within code. Klocwork also goes a long way toward reducing the burden developers feel when initially working with SAST. 

It might seem cumbersome to receive instant inline feedback, but in the long run, SAST ensures more robust coding practices that result in better applications. 

Threat modeling

Threat modeling is a relatively new app design practice. It calls for teams to visualize and model threats during the design phase, in collaboration with security teams. This might seem like a job for the architect, but developers play a critical role in the process.

At its core, threat modeling forces teams to figure out what they’re building and how it could all come crashing down. Data flow diagrams (DFDs) help developers and designers visualize how data flows and interacts with the infrastructure sprawl in the organization. Mapping these flows often reveals potential attack surfaces, with significant consequences for how developers design the system.

Traditionally, threat modeling was conducted using whiteboards, but modern organizations use software to map, create a DFD, and visualize threats. Tools like SonarQube help developers put their black hats on and visualize attacks on their systems.
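How a DFD turns into a list of threats, as an added example that is not from the article and is independent of any modeling tool: the diagram below is a constructed model of a small vendor invoice portal (element and boundary names are invented), and the STRIDE-per-element table is the standard mapping from Microsoft’s threat modeling practice. The code lists every data flow that crosses a trust boundary, which is where the attack surface appears, and enumerates the STRIDE categories that apply to each element and crossing flow.

```python
"""Enumerating threats from a data flow diagram with STRIDE-per-element.

Added example, not the article's code.  The DFD is constructed; the
STRIDE-per-element mapping is the standard one from Microsoft's threat
modeling practice.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}
# Which STRIDE categories apply to each kind of DFD element.
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TRID",
    "flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # external | process | store
    boundary: str   # trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


def crossing_flows(elements, flows):
    """Flows whose endpoints sit in different trust boundaries: the edges
    where the diagram exposes an attack surface."""
    by_name = {e.name: e for e in elements}
    return [f for f in flows
            if by_name[f.src].boundary != by_name[f.dst].boundary]


def enumerate_threats(elements, flows):
    """Return (target, category) pairs for every element and every
    boundary-crossing flow, using the STRIDE-per-element mapping."""
    threats = []
    for e in elements:
        for code in PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE[code]))
    for f in crossing_flows(elements, flows):
        for code in PER_ELEMENT["flow"]:
            threats.append((f"{f.src}->{f.dst} ({f.data})", STRIDE[code]))
    return threats


# Constructed model: a vendor submits invoices through a portal in the DMZ,
# which writes to an internal ERP API backed by a database.
ELEMENTS = [
    Element("vendor", "external", "internet"),
    Element("portal", "process", "dmz"),
    Element("erp-api", "process", "internal"),
    Element("erp-db", "store", "internal"),
]
FLOWS = [
    Flow("vendor", "portal", "invoice PDF"),
    Flow("portal", "erp-api", "invoice record"),
    Flow("erp-api", "erp-db", "SQL"),
]


if __name__ == "__main__":
    for target, category in enumerate_threats(ELEMENTS, FLOWS):
        print(f"{category:24} {target}")
```

The list this produces is deliberately exhaustive; the design discussion is about deciding, per entry, whether an existing control covers it, a mitigation is needed, or the risk is accepted. Flows that stay inside one boundary (here `erp-api -> erp-db`) are not enumerated, which is exactly why drawing the boundaries correctly matters.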

To succeed in this environment, developers must therefore understand the role security plays as a differentiator in modern apps. It is no longer an add-on but a core functionality.

Software composition analysis

Software composition analysis, or SCA, is a critical part of the DevSecOps methodology. Modern apps have several external dependencies, and SCA maps them accurately. These dependencies extend beyond the data an external system provides. Often, third parties access internal systems, creating potential attack vectors.

For instance, a vendor might access a portal to register an invoice. This application might be far removed from critical functionality, but an attacker could leverage vulnerabilities in the third-party system to inject malicious code into critical assets. Modern organizations must secure their libraries and have a clear map of their dependencies.

Platforms like JFrog make achieving this goal simple. However, these tools don’t work by themselves. Developers must examine their code for potential SCA-related vulnerabilities and rework them to ensure threats are minimal. 
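What “mapping dependencies accurately” means in practice, as an added example that is not from the article and is not how JFrog’s tooling works internally: a resolver walks from the directly declared packages through their own dependencies, records the path by which each transitive package was pulled in, and matches every resolved version against an advisory list. The package names, versions, metadata and `ADV-EXAMPLE-*` identifiers are all constructed placeholders, not real packages or advisories, so the file runs offline.

```python
"""Mapping transitive dependencies and matching them against advisories.

Added example, not the article's code and not a commercial SCA engine.
Package metadata and advisories are constructed placeholders (the
ADV-EXAMPLE-* ids are invented, not real advisories).
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed metadata: what each resolved package itself depends on.
# A real SCA tool reads this from the lockfile or the package registry.
METADATA = {
    ("webframe", "3.2.0"): [("leftpadlib", "2.0.3"), ("fastjsonx", "1.0.0")],
    ("leftpadlib", "2.0.3"): [],
    ("leftpadlib", "2.1.0"): [],
    ("fastjsonx", "1.0.0"): [("leftpadlib", "2.0.3")],
    ("fastjsonx", "1.1.0"): [("leftpadlib", "2.1.0")],
}

# Constructed advisories: affected package and the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "leftpadlib", "fixed_in": "2.1.0"},
    {"id": "ADV-EXAMPLE-002", "package": "fastjsonx", "fixed_in": "1.1.0"},
]


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse 'name==version' lines; an unpinned name yields version None."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        reqs.append((name.strip().lower(), version.strip() or None))
    return reqs


def resolve(direct, metadata=METADATA) -> Dict[Tuple[str, str], List[str]]:
    """Breadth-first walk of the dependency graph: returns every
    (name, version) reached, with the shortest path that introduced it."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    queue = deque(((n, v), [f"{n}=={v}"]) for n, v in direct if v)
    while queue:
        pkg, path = queue.popleft()
        if pkg in seen:
            continue
        seen[pkg] = path
        for dep in metadata.get(pkg, []):
            queue.append((dep, path + [f"{dep[0]}=={dep[1]}"]))
    return seen


def find_vulnerable(direct, advisories=ADVISORIES, metadata=METADATA):
    """Return (advisory id, package, version, path) for each affected package."""
    hits = []
    for (name, version), path in resolve(direct, metadata).items():
        for adv in advisories:
            if adv["package"] == name and \
                    version_tuple(version) < version_tuple(adv["fixed_in"]):
                hits.append((adv["id"], name, version, " -> ".join(path)))
    return sorted(hits)


# Constructed requirements file for the example.
REQUIREMENTS = """\
webframe==3.2.0
requestsish        # unpinned: the resolver cannot reason about it
"""

if __name__ == "__main__":
    direct = parse_requirements(REQUIREMENTS)
    for adv_id, name, version, path in find_vulnerable(direct):
        print(f"{adv_id}: {name} {version} via {path}")
    for name, version in direct:
        if version is None:
            print(f"WARNING: {name} is unpinned")
```

The path in each finding is the part developers act on: `leftpadlib` never appears in the requirements file, so the fix is to move `webframe` (or `fastjsonx`) to a release that pulls in a patched version, not to edit a line that does not exist. The unpinned entry is reported separately because a build that resolves differently each time cannot be audited at all.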

At first, this approach will seem challenging, but over time it results in better code and a more robust security posture.

Regulatory compliance

In the past, only developers in a few industries had to worry about compliance and regulations. These days, every developer must produce compliant code or risk serious consequences for their organizations. Regulatory codes are a jumble of acronyms, from HIPAA to SOX to GDPR.

Keeping pace with these changes manually is impossible. Given the massive risk non-compliance poses, RegTech is now a part of the DevSecOps pipeline, giving developers insights into potential compliance issues in code. Typically, developers fall foul of rules on customer and prospect data usage.

Regulatory tools like Synopsys build compliance in early in the SDLC, no matter the industry a company operates in. Developers must become accustomed to revising code based on feedback from these tools, something most are currently unaccustomed to doing.

Compliance is a critical part of DevSecOps and will only rise in importance moving forward.

Developers must adapt

To succeed in modern organizations, developers must adapt to the DevSecOps culture and understand its core principles. While collaboration with security is one of its principles, DevSecOps goes far deeper than shifting security left.

The principles in this article should give developers all the information they need to succeed in this new environment.
