The omnipresence of consumer electronics and computer power, alongside modern trends (i.e., DevOps, microservices, and open source) that accelerate deployment cycles continue to strain enterprises’ ability to detect and identify exploitable flaws in a timely manner.
While this creates significant increases in overall security risk, organizations that build security into the software lifecycle have better outcomes. To facilitate this, CSA’s DevSecOps Working Group defined the following six areas of focus that are critical to integrating DevSecOps into an organization:
- Collective responsibility: Everyone has their own security responsibility and must be aware of their own contribution to the organization’s security stance. Edge users and developers are not just “security-aware” but are the first line of defense.
- Collaboration and integration: A security-aware and collaborative culture is necessary for the members of all functional teams to report potential anomalies.
- Pragmatic implementation: Taking a framework-agnostic, digital security and privacy model that focuses on application development will allow organizations to approach security in DevOps pragmatically.
- Bridging compliance and development: The key to addressing the gap between compliance and development is to translate applicable controls to appropriate software measures and identifying inflection points within the software lifecycle where these controls can be automated and measured.
- Automation: Software quality can be enhanced by improving the thoroughness, timeliness and frequency of testing/feedback. Processes that can be automated should be, and those that can’t should be considered for elimination.
- Measure, monitor, report and action: For DevSecOps to succeed, software development and post-delivery results must be continuously measured, monitored, reported and acted upon by the right people at the right time.
“The security risks inherent in today’s intricate interactions between multiple technology layers, coupled with the globally interconnected and always-on nature of today’s applications, have been compounded by vulnerabilities lying dormant in systems, software, and hardware. The result is a field ripe for picking by malicious parties across the world,” said John Yeoh, VP of Research for the Cloud Security Alliance.
“This report should serve as a springboard for organizations wanting to address the challenges of today’s interconnected, rapidly changing security environment with increasingly shortened infrastructure and product life cycles.”