How to Deliver on DevSecOps While Winning Support from the DevOps Team
Posted by Jeff Fairman
As an engineering leader for more than 20 years, I’ve experienced the journey from waterfall to agile to DevOps and now DevSecOps with my teams. While much has been written about the DevSecOps movement from the perspective of developer and security professionals, I aim to share insight from a DevOps practitioner point of view.
The goal of DevSecOps is to build automated security testing into the development process and catch and correct vulnerabilities early on. This saves time compared to the traditional approach of conducting security testing only after an application is complete, then having to go back and fix any vulnerabilities.
The Issue with Open Source
One approach to implementing DevSecOps is to use a collection of open-source tools such as Drozer, Frida, Mitmproxy, and Radare. The problem here is it takes significant experience to glue these tools together and use them effectively. Only larger companies are likely to have the money to invest in deeply skilled security analysts with the experience to pull it off effectively, and to give them the time it takes to do it.
We recommend using commercial products — including those that incorporate open source software — because they remove complexity by integrating relevant features and functions into automated workflows. In short, that means you don’t necessarily need security expertise to use the tools.
What DevOps Wants
To be effective for a DevOps team, a mobile app security testing tool must meet a few requirements.
First, don’t introduce a separate toolset to the DevOps team. Rather, it should plug in to the tools they are already using. If the team uses a CircleCI or Jenkins server for CI/CD, for example, then the testing tool should be able to plug into CircleCI or Cloudbees Jenkins. That would enable the team to automatically run application security testing from within the CircleCI/Jenkins environment, rather than having to use a separate tool in a separate workflow.
Such integrations can take a couple of different forms. One is a plug-in for the DevOps tool that enables it to integrate with the testing tool. NowSecure, for example, offers plug-ins for CircleCI and Jenkins that enable users to make a simple call in order to run an app security test.
Another option is to have an API that enables the same sort of integration as the plug-in. The point is, it doesn’t require a fundamentally different user interface to look at assessment data or to run app security tests; these functions are instead embedded in the existing DevOps system and workflow.
Finally, the testing tool has to work well with other tools in the DevOps universe, such as issue tracking (GitLab, Jira), communications (email, Slack) and vulnerability management (Archer, Brinqa, CodeDX, etc.). Take Brinqa or CodeDX, which many teams use to keep track of security findings and vulnerabilities across the organization. If an automated mobile app security testing tool finds a vulnerability, it has to be able to refer back to them to determine whether this is a known vulnerability and whether it’s already been remediated.
Without such a capability, imagine what would happen. The testing tool would find a list of vulnerabilities, take each one and send it to the relevant developer, regardless of whether it was already known or already remediated. Having a vulnerability management platform monitor the status of all the vulns ensures, from a security perspective, that they’re being addressed and not slipping through the cracks. Flooding developers with duplicate findings would be counterproductive to say the least, and certainly not what DevSecOps is meant to accomplish.
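To make the correlation step concrete, here is an added example (not NowSecure’s code or API) of a CI triage step that checks each scan finding against the issues already tracked in a vulnerability-management platform, so only new findings and regressions reach developers. The rule ids, locations and tracked statuses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule_id: str    # weakness class reported by the scanner (constructed ids)
    location: str   # component or file where it was observed
    severity: str   # "high" | "medium" | "low"

    def fingerprint(self) -> str:
        # Stable key used to recognise the same weakness across scans.
        return f"{self.rule_id}@{self.location}"


def triage(findings: List[Finding], tracked: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Sort findings into new / known_open / regression buckets.

    `tracked` maps fingerprint -> status as recorded in the vuln-management
    tool ("open" or "remediated"). Known-open findings are not re-sent.
    """
    buckets: Dict[str, List[Finding]] = {"new": [], "known_open": [], "regression": []}
    for f in findings:
        status = tracked.get(f.fingerprint())
        if status is None:
            buckets["new"].append(f)          # never seen: open a ticket
        elif status == "open":
            buckets["known_open"].append(f)   # already tracked: no duplicate ticket
        else:
            buckets["regression"].append(f)   # marked remediated but observed again
    return buckets


def should_fail_build(buckets: Dict[str, List[Finding]], gate: str = "high") -> bool:
    """Break the pipeline only on new or regressed findings at/above the gate severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    actionable = buckets["new"] + buckets["regression"]
    return any(rank[f.severity] >= rank[gate] for f in actionable)


# Constructed sample input: one scan with three findings, two issues already tracked.
SCAN = [Finding("insecure-data-storage", "com.example.app.Prefs", "high"),
        Finding("cleartext-traffic", "AndroidManifest.xml", "medium"),
        Finding("weak-crypto", "com.example.app.Crypto", "high")]
TRACKED = {"cleartext-traffic@AndroidManifest.xml": "open",
           "weak-crypto@com.example.app.Crypto": "remediated"}

if __name__ == "__main__":
    result = triage(SCAN, TRACKED)
    for name, items in result.items():
        print(name, [f.fingerprint() for f in items])
    print("fail build:", should_fail_build(result))
```

In a real pipeline the `TRACKED` map would be fetched from the vulnerability-management platform’s API and the `new` and `regression` buckets pushed to the issue tracker.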
Clearing Up DevSecOps Misconceptions
NowSecure understands these requirements and what it takes to effectively integrate with a DevOps workflow to deliver on the promise of DevSecOps. And you don’t need deep security expertise to interpret the results NowSecure delivers. We’ve taken care of that legwork and make it easy to understand where each vulnerability is and how to fix it.
What’s more, we have the plug-ins and APIs required to make it easy to integrate well with Archer, Brinqa, CircleCI, CodeDx, Jenkins, Jira and a slew of other tools that DevOps teams use every day. It’s really not difficult to do at all.
No single tool will solve all your problems, of course. It also requires a commitment on behalf of the organization to address security issues, and to take action when a testing tool tells you it’s required. And as you’re undoubtedly aware, DevOps and security teams need to collaborate to address security issues.
Tools like those from NowSecure aid that effort by enabling DevOps teams to find and fix security vulnerabilities as they crop up, as part of their normal routine rather than at the last minute, when fixes delay the release. It helps DevOps teams deliver mobile apps at scale without sacrificing security. That’s what DevSecOps is all about.