White Paper

The CISO guide to DevSecOps tactics and tools

How to embed sustainable security tools and tactics in your organization

Download white paper

How to implement DevSecOps

DevSecOps enhances a software development life cycle by integrating security at every phase of the life cycle—design, implementation, testing, and deployment. The practice stands on two pillars automation and culture—both are necessary to implement DevSecOps and take advantage of all the benefits.

Augmenting DevOps with security practices requires tooling to automate and speed up software delivery. The same principle applies to security activities. Tools enable teams to automate repetitious tasks and make room for other meaningful activities (e.g., a security team chooses to automate penetration tests to allow more effort to be spent on threat-modeling activities).

For cases in which DevOps practices use infrastructure as code, DevSecOps analogously provides security as code. Employing security as code ensures:

  • Security controls are versioned since each is stored within the version control system.

  • Mutual acceptance of changes is done via peer reviews.

  • Accountability is demonstrable since it is clear who made an adjustment and when a change is made.

  • The risk of human error is reduced since the process of applying security controls has been automated.

  • Consistency is expected and configuration drift is eliminated because the same code is applied to different environments.

  • A higher level of confidence is achieved since the security code can be tested to verify its correctness.

Tooling and automation alone are not enough to safeguard the efficient incorporation of security into the software development life cycle. The way people cooperate and work together is an equally critical component to ensure a smooth process.

To augment and integrate DevOps with security, it is vital to:

  • Treat security as a shared responsibility. Strongly encourage a high-security mindset in development, operations, and security.

  • Share knowledge regularly. Security experts should conduct frequent knowledge-sharing sessions, help to configure the tooling, and promote best practices.

  • Encourage continuous feedback and improvement. Everyone should be vocal about discoveries, insights, and recommending improvements.

  • Embrace transparency. Open and timely communication is key to overcoming issues and blockers.

Continue to:Employing DevSecOps security automation tools and tactics