by Steve Gross
May 1, 2019
Bjoern Zinssmeister is the founder and CEO of Templarbit, a security intelligence company that helps businesses establish a data-driven approach to AppSec. He shares his experience and thoughts about the future of DevSecOps in this blog.
Back in 2002, when I was a (very) junior programmer at a German enterprise software company, I was lucky enough to be part of a small team building what you would now call a SaaS app. Up until then, the company had made all of its profits by selling desktop software written in a language most people have likely never heard of: FoxPro. But instead of spending my days debugging FoxPro code, I was now greenfielding Java web services.
Today, I realize that the company was ahead of its time because it had the foresight to realize that the future was web applications. But back then, this new way of building and shipping software was both exciting and scary. Many things weren’t figured out and one of the immediate concerns was security. The web wasn’t considered a terribly safe place and just a few years earlier, in 1998, we had the first public discussions of an SQL injection on the web, demonstrating how vulnerable a web-based system can be.
Because of this, we made an effort to ship secure code by establishing a security review process at the end of a release—a very isolated process that sometimes would uncover structural flaws that would set back development by weeks or months, leading to massive amounts of frustration.
I am glad things have changed since then. Today, one of the most exciting trends that I have seen come and stay is DevOps, and its newer iteration, “DevSecOps,” brings security earlier into the application development lifecycle. Security teams are now encouraged to engage with developers earlier than before, allowing for a much tighter feedback loop. The primary goal of DevSecOps is to ensure that security is part of the development cycle and not just bolted on at the end as an afterthought.
With DevSecOps, dev and security teams are able to establish a shared view and language for evaluating risk. This approach also allows an organization to expand the radius of who is having a conversation about security rather than confining important decisions into the bubble of the security team.
Here are the three key benefits I think have the strongest impact for organizations when adopting a DevSecOps process:
DevSecOps has many other benefits, but enhancing a positive customer experience, fostering a security-minded culture internally, and actively pushing automation of security tasks are some of the most impactful concepts DevSecOps can unlock for a company.
The journey of bringing security closer to the DevOps flow can start in many ways, but often it begins with the introduction of new technologies. These technologies are the glue between people and processes, and they also assist manual security review efforts while bringing visibility and performance indicators back to the team. I often recommend that companies start by looking at the following technologies as their DevSecOps foundation:
With these four pillars in place, you can establish a basic foundation for DevSecOps that takes into account an app’s entire lifecycle. Firing off a static application security scan when new code is committed is a great step toward catching common issues early. Expanding this to also check for known vulnerabilities in open source dependencies is the natural next step.
Once the release gets promoted to production, make sure you have active monitoring and blocking capabilities with sufficient reporting. Ideally, this runtime monitoring will tie into your real-time alerts to notify people who can act on them. After all, having the right person instantly know about a high-severity security issue is a very desirable setup, one that keeps the focus on your customers.
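As an added example of the alert-routing step just described (this is not code from the post, from Templarbit or from PagerDuty), the script below classifies constructed runtime-monitor events, de-duplicates them so that a repeated hit updates one incident instead of paging again, and builds PagerDuty Events API v2 trigger bodies only for the severities that should reach a person. The sample events, the severity policy and the function names are assumptions; the Events API v2 request shape is real, but nothing is sent over the network.

```python
"""Route runtime security findings to real-time alerts (added example, not
Templarbit's or PagerDuty's code). It only builds PagerDuty Events API v2
"trigger" bodies; the events, policy and helper names are assumptions."""
import hashlib
from datetime import datetime, timezone
# Constructed sample: events a runtime monitor might emit for attack traffic.
SAMPLE_EVENTS = [
    {"rule": "sqli", "route": "/login", "src": "198.51.100.7", "blocked": True, "count": 40},
    {"rule": "sqli", "route": "/login", "src": "198.51.100.7", "blocked": True, "count": 12},
    {"rule": "xss", "route": "/search", "src": "203.0.113.5", "blocked": True, "count": 3},
    {"rule": "sqli", "route": "/admin", "src": "203.0.113.9", "blocked": False, "count": 1},
]
PAGE_ON = {"critical", "error"}  # severities that should reach the on-call person

def classify(event):
    """Assumed policy: unblocked attack hit = critical, burst of blocked hits = error."""
    if not event["blocked"]:
        return "critical"
    return "error" if event["count"] >= 25 else "info"

def dedup_key(event):
    """One incident per rule/route/source: repeats update it instead of re-paging."""
    raw = f'{event["rule"]}|{event["route"]}|{event["src"]}'
    return hashlib.sha256(raw.encode()).hexdigest()[:32]

def to_pagerduty_event(event, routing_key):
    """Body for POST https://events.pagerduty.com/v2/enqueue (not sent here)."""
    note = "" if event["blocked"] else " (NOT blocked)"
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": dedup_key(event),
        "payload": {
            "summary": f'{event["rule"]} on {event["route"]} from {event["src"]}{note}',
            "source": "runtime-monitor",
            "severity": classify(event),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custom_details": event,
        },
    }

def route(events, routing_key="ROUTING_KEY_PLACEHOLDER"):
    """Return (alert bodies to send, events kept for reporting only)."""
    pages, report_only = {}, []
    for ev in events:
        if classify(ev) in PAGE_ON:
            pages.setdefault(dedup_key(ev), to_pagerduty_event(ev, routing_key))
        else:
            report_only.append(ev)
    return list(pages.values()), report_only
```

Sending the returned bodies is a single HTTPS POST per item with a real integration routing key; the informational events belong in the periodic report rather than in anyone's pager.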
The future for DevSecOps is bright, and establishing proactive security that focuses on the customer experience and anticipates data breaches rather than reacting to them is a shift many enterprises are investing in.
The benefits that DevSecOps delivers to these companies are numerous, including cost reduction, speed of delivery, executing compliance at scale, and the ability to foster a security mindset. Removing barriers between development, security, and operations continues to be an ongoing evolution, and new tools to help achieve this more effectively continue to emerge.
Over time, we will likely see tighter integration and orchestration between different security tools that are native to the DevOps toolchain. Runtime security vendors are embracing integrations with Slack, PagerDuty, and other real-time notification tools, and I believe that these integrations will get deeper and are going to allow better insights to be delivered to the right person faster.
Check out the PagerDuty – Templarbit integration here.