Topics In Demand
Notification
New

No notification found.

Continuous Application Security with DevSecOps
Continuous Application Security with DevSecOps

October 27, 2021

357

0

The ability to distribute apps at the pace of business has become important in today's digital world. Fortunately, DevOps made this possible by bringing business, development, and operator teams together and using automated processes to streamline the application development lifecycle.

Enterprises can face challenges in developing secure applications, however, because DevOps and security processes are frequently unconnected. The importance of security is often overlooked when companies move from DevOps to developing applications more thoroughly.

Moreover, the task of securing applications is often assigned to the security team, and most problems are identified only during the testing phase. This approach cannot keep up with releases without stopping the development process. The delay will result in delays in time-to-market, underutilized resources by developers, and lagging behind in vulnerabilities.

Recognizing this DevOps security conundrum, many forward-thinking companies are turning to DevSecOps methodologies to help integrate security into the application development lifecycle.

DevSecOps - Tune Application Security

By implementing DevSecOps, organizations are able to ensure ongoing application security as part of their DevOps processes. Security will be strategically deployed at every stage of the Software Development Life Cycle (SDLC).

DevSecOps methodologies enable enterprises to apply left-shift techniques to incorporate security controls early in the SDLC. This helps detect application security flaws early in the SDLC, thereby enabling DevOps teams to quickly and efficiently remediate software vulnerabilities.

Let's dive into the details of how to incorporate security into the application development lifecycle:

In the development, testing, and production phases of application development, organizations must ensure security. The integration of security should, however, be seamless enough to avoid unnecessary friction in the DevOps workflow and continuous integration / continuous deployment (CI / CD) processes.

There are many ways to continuously integrate application security. Here are six key points for effectively integrating automated security testing into the development lifecycle:

Project overview: the hope for security when business goals are developed along with outstanding tasks and sprints.

Code Review: Empower developers and operations teams to address security issues. Create a safe coding checklist/pattern to help developers identify common and recurring issues.

Pre-commit or checkout queries: Implement static application security testing (SAST) and software composition analysis (SCA) during pre-commit or checkout queries. This will help you find problems with your code.

QA Integration: Include processes such as SAST, SCA, and Dynamic Application Security Testing (DAST) during the QA phase. As a result, the DevOps team is able to identify vulnerabilities with high confidence and high severity.

Accept a production environment: Deploy DAST at this point to discover potential production vulnerabilities. SAST and SCA are also required at this stage.

Manufacturing: Continue testing with the production-safe DAST even after release. Production-safe DAST enables DevOps teams to identify production vulnerabilities without affecting application performance. Moreover, security technologies such as Web Application Firewall (WAF) and Application Runtime Self-Defense (RASP) must be implemented to secure running applications.

Integrating SAST into the application development lifecycle helps organizations realize the potential benefits. According to WhiteHat research, after implementing SAST, enterprises have reduced troubleshooting time by 25%.

SAST combined with DAST reduced production vulnerabilities by 50 percent when compared with DAST alone. Automating all six of the above integration points is a prudent way to achieve cost-effective security.

 

Application Security with DevSecOps

Source - Veritas

 

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


We started with the belief that business problems can be solved with intelligent, modern technology intervention. Since our inception, we have continuously evolved, experimented and innovated by testing the limits of the ingenuity that technology can enable. Building great products is intertwined in the roots of our organization and part of our DNA. Our journey has been of continuous learning and progression. Starting with Mobile and Cloud, User Experience, Data analytics BigData and IoT integrated solutions, to scalable web solutions governed by DevOps platforms and based on Microservices & Microfrontend architectures. Rather than sticking to single technology, we have always had the vision to adapt, master and embrace new-age technologies, tools and frameworks.

© Copyright nasscom. All Rights Reserved.