In the SDLC, we had the habit of finding software bugs in the early stages of the software development life cycle. DevOps practices accelerated the collaboration of software development and IT infrastructure teams. Finding deployment-related bugs early was missing for a long time until the adoption of DevOps, and with this collaboration we are now seeing increased momentum in successful code deployment.
Today we all live in an era where we give more importance to cybersecurity practices. Various tools and techniques are available to find vulnerabilities in a software application and its related IT infrastructure. Organizations that have implemented ISO 27001 have a regular practice of conducting vulnerability assessment tests. As we witness more security breaches caused by insecure software code, more security practices need to be adopted in the software development and deployment lifecycles. More precisely, the adoption of DevSecOps is the need of the hour.
Web attacks are exploding these days, and instilling security practices throughout development and operations makes data breaches and software code-breaking difficult. Software quality assurance is also extended with security practices, including safe engineering practices when writing the core source code, databases and user interface. The best practice is to run a vulnerability test on the developed software code. Updating the SDLC with all these practices will enhance the overall quality and security of the software developed. The Open Web Application Security Project (OWASP) also provides recommendations on application security for software development. OWASP offers unbiased, practical, cost-effective information about application security.
It is interesting to see the six key pillars of DevSecOps promoted by the Cloud Security Alliance in their handbook. This is surely a good head start for organizations that want to consider DevSecOps.
Collective Responsibility: Security is a collective responsibility, and everyone must contribute to the security practices in the organization. The development team should have security-savvy developers.
Collaboration & Integration: Dissemination of knowledge across development, operation & security is the key to DevSecOps. Security can be achieved with Collaboration and Integration across the organization.
Pragmatic Implementation: Every software lifecycle is different in terms of its structure, processes and overall maturity, and there is no one set of tools that will fit all. The organization's responsibility is to identify its security needs and take a holistic view of the software lifecycle before choosing a tool.
Bridging Compliance & Development: There is a gap between security compliance and software development. The key to addressing this gap is to identify the appropriate controls and translate them into concrete software measures.
Automation: Repetitive manual software quality checks can be automated for efficiency and to reduce rework. Automation can also prevent insecure software from being released to production.
Measure, Monitor, Report & Action: You cannot manage what you can’t measure. Post-delivery results of software development must be measured, monitored, reported, and acted upon by the right people at the right time to continue to make DevSecOps successful.
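The Automation and Measure, Monitor, Report & Action pillars above both come down to one mechanism in practice: a pipeline gate that turns scanner output into a release decision and a report. The following is an added example written for this page; it is not code from the article or from the Cloud Security Alliance handbook. The findings, the severity threshold, the waiver format and the file locations are all constructed assumptions, chosen to show the two cases a real gate has to handle: an accepted risk that is still valid (waived, reported, not blocking) and one whose waiver has expired (blocking again), plus a finding with an unknown severity, which the gate treats as the highest severity so that a misconfigured scanner fails closed rather than open.

```python
"""Automated release gate for security scan findings (illustrative, not the article's code)."""
from dataclasses import dataclass, field
from datetime import date

# Ranking used to compare severities; anything unknown is treated as CRITICAL (fail closed).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    rule_id: str      # scanner rule identifier (assumed format)
    severity: str
    location: str     # file:line where the scanner reported it


@dataclass
class Waiver:
    """An accepted risk: a specific finding may pass until the waiver expires."""
    rule_id: str
    location: str
    expires: date
    reason: str


@dataclass
class Policy:
    block_at: str = "HIGH"                     # findings at or above this severity block the release
    waivers: list = field(default_factory=list)


@dataclass
class GateResult:
    passed: bool
    blocking: list
    waived: list
    expired_waivers: list
    counts: dict       # findings per severity, for the "measure and report" side of the pillar


def severity_rank(severity):
    """Unknown or malformed severities are ranked as CRITICAL so the gate never passes by accident."""
    return SEVERITY_RANK.get(severity.upper(), SEVERITY_RANK["CRITICAL"])


def evaluate_gate(findings, policy, today):
    """Decide whether a build may ship, given scanner findings and the organisation's policy."""
    threshold = SEVERITY_RANK[policy.block_at.upper()]
    active = {(w.rule_id, w.location): w for w in policy.waivers if w.expires >= today}
    expired = [w for w in policy.waivers if w.expires < today]
    blocking, waived, counts = [], [], {}
    for f in findings:
        counts[f.severity.upper()] = counts.get(f.severity.upper(), 0) + 1
        if severity_rank(f.severity) < threshold:
            continue                                   # below the blocking threshold: report only
        if (f.rule_id, f.location) in active:
            waived.append(f)                           # accepted risk with a valid waiver
        else:
            blocking.append(f)                         # unwaived, or waiver has lapsed
    return GateResult(not blocking, blocking, waived, expired, counts)


def render_report(result):
    """Plain-text summary that can be posted to the pipeline log or a dashboard."""
    lines = ["RELEASE GATE: " + ("PASS" if result.passed else "FAIL")]
    lines += [f"  {sev}: {n}" for sev, n in sorted(result.counts.items())]
    lines += [f"  BLOCKING {f.rule_id} at {f.location} ({f.severity})" for f in result.blocking]
    lines += [f"  WAIVED   {f.rule_id} at {f.location}" for f in result.waived]
    lines += [f"  EXPIRED WAIVER {w.rule_id} at {w.location} (expired {w.expires})" for w in result.expired_waivers]
    return "\n".join(lines)


# Constructed sample input standing in for a scanner's output; none of these paths or rule ids are real.
SAMPLE_FINDINGS = [
    Finding("sqli-001", "CRITICAL", "app/db.py:42"),
    Finding("secret-007", "HIGH", "app/settings.py:10"),
    Finding("hash-md5", "MEDIUM", "app/auth.py:77"),
    Finding("debug-on", "LOW", "app/settings.py:3"),
    Finding("odd-rule", "unknown", "app/util.py:5"),     # malformed severity, must fail closed
]
SAMPLE_POLICY = Policy(block_at="HIGH", waivers=[
    Waiver("secret-007", "app/settings.py:10", date(2030, 1, 1), "test fixture, not a live credential"),
    Waiver("sqli-001", "app/db.py:42", date(2020, 1, 1), "old waiver, never renewed"),
])
SAMPLE_TODAY = date(2025, 6, 1)


def run_sample():
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_POLICY, SAMPLE_TODAY)


if __name__ == "__main__":
    import sys
    outcome = run_sample()
    print(render_report(outcome))
    sys.exit(0 if outcome.passed else 1)   # non-zero exit is what stops the pipeline
```

Run as a pipeline step, the non-zero exit status is the control that keeps the build from reaching production, while the printed report is the measurable, reportable artefact the last pillar asks for. Keying waivers on rule and location, and giving every waiver an expiry, is the design choice that makes accepted risks visible and temporary instead of silently permanent.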