Automation is the key component of DevSecOps collaboration and optimization

BrandPost By Taylor Armerding, Security Advocate at Synopsys Software Integrity Group
Mar 13, 2023 | 4 mins
DevOps, Security, Software Development

Your journey to DevSecOps excellence starts with automation. Focus on these 3 recommendations.

Credit: Synopsys

In the world of software development, speed and security are often viewed as natural enemies: Development teams, under pressure to move ever faster, complain of security measures creating “friction” that slows them down.

But it doesn’t have to be that way. It’s possible to build high-quality software products, with security built-in, at the speed the market demands. It just takes automation—automated security testing tools and policies. While the human element will always be necessary, manual everything won’t cut it.

That’s the key takeaway from a recent survey by the SANS Analyst Program. The “SANS 2022 DevSecOps Survey: Creating a Culture to Significantly Improve Your Organization’s Security Posture” found that while it takes a significant, ongoing investment to bring together the three teams involved in building software products—development, security, and operations (DevSecOps)—“the benefits are well documented.”

Why should you care? For the same reasons you care that your vehicle is built with quality parts and safety features. Your safety is at stake. Today, software is embedded in every element of your life—even if you don’t create it, you rely on it.

And if that software contains vulnerabilities that criminal hackers can exploit, not only can it undermine all the conveniences software provides, it can also hurt you in multiple ways—financial, personal, and physical.

Indeed, it doesn’t really matter how cool and edgy a product purports to be if it doesn’t work as intended or isn’t secure.

That’s why it’s so important that those three teams work well together. There is a natural tension between Sec and DevOps that has been dissected at security conferences for more than a decade. The major pressure on the security team is what the name implies—to make the software in a product as bulletproof as possible. The major pressure on developers and operations teams, though, is speed—to get a product to the market before the competition does.

Developers have responded to that push for speed—deployments have increased exponentially over the past decade. Understandably, they don’t want anything to slow them down, and for years the perception has been that security testing does just that.

But security teams have been working just as hard to eliminate friction through automation. James Rabon, senior product manager with the Synopsys Software Integrity Group, noted that “automation is king, and the only way forward for DevSecOps.”

Fortunately, automation is available. Even better, 83.3% of survey respondents said they have “build automation.” And the percentage of respondents reporting that they consider “automated test coverage” to be a key performance indicator jumped from 28.4% to 45.1% in a single year.

Automated testing tools can conduct static and dynamic application security testing: static analysis exposes defects in the code as it is being written, without running it, while dynamic testing exercises the running application to find defects that only appear at run time. Another tool, software composition analysis, helps developers find and fix known vulnerabilities and potential licensing conflicts in open-source software components.

Yet another automated tool, application security orchestration and correlation, can be configured to do the right test at the right time at any point within the software development life cycle, depending on the needs and priorities of an organization.

And policy-as-code lets the security team create digital guardrails that, among other things, prevent developers from getting overwhelmed with notifications about trivial defects.

All that helps eliminate the friction that can slow development. Indeed, finding and fixing defects early and throughout development is both much cheaper and much faster than doing it at the end.

Of course, there is always room for improvement, and the survey yielded a number of recommendations to help DevSecOps function more efficiently and effectively.

  1. Cloud benefits and risks: SANS says cloud-managed services generally provide improved security and financial benefits worth exploring. But the report also notes that as organizations move toward using multiple cloud-hosting providers, “the work of securing each cloud environment increases exponentially.” Cloud security posture management software can help address that.
  2. Be agnostic with tools: An organization’s testing policy should be able to work seamlessly with different tools and vendors.
  3. Evaluate, evaluate, evaluate: It’s not enough simply to measure performance if you’re not measuring the right things. For example, tracking the number of open (as in, not fixed) security vulnerabilities is good. But it’s much better to track how many of those rank as trivial, severe, or critical.
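The policy-as-code guardrail described above (suppressing notifications about trivial defects while still breaking the build on serious ones) and the severity-tiered tracking recommended in the third item can be shown together in one small pipeline gate. The following Python is an added example written for this page; it is not Synopsys, SANS or any vendor’s code. The finding shape, the policy keys `fail_build_at` and `notify_at`, the sample findings and the severity names (the article’s trivial/severe/critical tiers extended with low and medium) are all assumptions made for the illustration.

```python
"""Policy-as-code gate over scan findings.

Added example for this page (not Synopsys, SANS or any vendor's code).
The finding shape and the policy keys are assumptions; the severity tiers
extend the article's "trivial, severe, or critical" with "low" and "medium".
"""
from collections import Counter
from dataclasses import dataclass

# Lowest to highest. Comparing by index lets the policy say "this tier and above".
SEVERITY_ORDER = ["trivial", "low", "medium", "severe", "critical"]


@dataclass(frozen=True)
class Finding:
    tool: str       # e.g. "sast", "sca", "dast"
    rule: str       # scanner's rule or advisory identifier
    severity: str   # one of SEVERITY_ORDER
    location: str   # file:line or component@version


# The policy is data the security team owns; the pipeline only interprets it.
# Keys are hypothetical, modelled on the guardrails the article describes.
DEFAULT_POLICY = {
    "fail_build_at": "severe",  # this tier and above break the pipeline
    "notify_at": "medium",      # this tier up to (not including) fail_build_at
                                # is pushed to developers as a notification
    # everything below notify_at is counted for metrics but not pushed,
    # so trivial defects do not flood developers with notifications
}


def rank(severity: str) -> int:
    """Position of a severity in SEVERITY_ORDER; unknown labels are a policy error."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        raise ValueError(f"unknown severity {severity!r}; expected one of {SEVERITY_ORDER}")


def evaluate(findings, policy=DEFAULT_POLICY):
    """Apply the policy and return the gate verdict plus per-tier counts."""
    fail_at = rank(policy["fail_build_at"])
    notify_at = rank(policy["notify_at"])
    if notify_at > fail_at:
        raise ValueError("notify_at must not be stricter than fail_build_at")

    blocking, notify, suppressed = [], [], []
    for f in findings:
        r = rank(f.severity)
        if r >= fail_at:
            blocking.append(f)
        elif r >= notify_at:
            notify.append(f)
        else:
            suppressed.append(f)

    # Open findings broken down by tier: the metric the third recommendation
    # prefers over a single "number of open vulnerabilities".
    counts = Counter(f.severity for f in findings)
    return {
        "pass": not blocking,
        "blocking": blocking,
        "notify": notify,
        "suppressed": len(suppressed),
        "open_by_severity": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
    }


# Constructed sample findings, as several tools might report them in one run.
SAMPLE_FINDINGS = [
    Finding("sast", "unused-variable", "trivial", "src/util.py:12"),
    Finding("sast", "unused-import", "trivial", "src/app.py:3"),
    Finding("sast", "verbose-error-page", "low", "src/handlers.py:88"),
    Finding("sca", "outdated-dependency", "medium", "requests@2.19.0"),
    Finding("sast", "sql-string-concat", "severe", "src/db.py:41"),
]


def main():
    result = evaluate(SAMPLE_FINDINGS)
    print("build passes:", result["pass"])
    for f in result["blocking"]:
        print("  BLOCK ", f.severity, f.tool, f.rule, f.location)
    for f in result["notify"]:
        print("  NOTIFY", f.severity, f.tool, f.rule, f.location)
    print("  suppressed notifications:", result["suppressed"])
    print("  open by severity:", result["open_by_severity"])


if __name__ == "__main__":
    main()
```

With the default policy the sample run fails the build on the one severe finding, notifies developers of the medium one, and counts the three trivial and low findings without pushing them anywhere. Because the thresholds live in data rather than in the pipeline script, the security team can tighten or relax them per repository, and the same per-tier counts feed the dashboard the third recommendation asks for.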

All of which, as the SANS report concludes, can help organizations “focus on the path to DevSecOps excellence.”
