Shift Left, Save Resources: DevSecOps and the CI/CD Pipeline

Originally published by CXO REvolutionaries.

Written by Gary Parker, Field CTO - AMS, Zscaler.

Reaching the final phase of the software development lifecycle only to discover a significant security flaw is a waste of time, money, and effort. That’s why integrating security checks into the continuous integration, and continuous delivery/continuous deployment (CI/CD) pipeline has become a best practice for cloud deployments today.

Whenever multiple teams of developers are collaborating on the same project – a core benefit of cloud computing – the CI/CD pipeline is responsible for making sure that their code changes don’t conflict (i.e., “break something”) and are deployed successfully.

Automating this process, as is standard in modern DevOps, reduces the chances of human error. This is because tests can be created in advance, and you can be sure all tests are performed correctly, all of the time.

Weaving security checks more tightly into that automation process gives rise to a DevSecOps culture (notice how security is now nested neatly into our portmanteau?). DevSecOps is part procedure, part philosophy. Its ultimate goal is to infuse security into every phase of the software development lifecycle (SDLC). For it to truly take root, every employee within an organization must buy into its basic principles, starting with the top.

The term most often used to convey this emphasis is a “shift-left.” It refers to integrating testing earlier in the SDLC than had historically been the case. Rather than adopting an additional set of procedures, organizations committed to DevSecOps elevate security to become part of their development culture. That means secure development must be prioritized from the top down and, at every stage of the SDLC.

This all sounds well and good. But since DevSecOps isn’t a tic-box or off-the-shelf solution, it can be difficult to determine where your organization stands. For CXOs looking to develop a better understanding of their own IT department's approach to DevSecOps, I recommend answering the following sets of questions:

If your organization is still on the path to DevSecOps:

• Is your DevOps program formalized with written procedures, responsibilities, and assigned roles? A lack of coordinated effort can lead to duplication of effort, or worse, missed processes.
• If you have implemented a DevOps program, have you formalized a plan to progress to DevSecOps? Strategically planning your progression to DevSecOps ensures the three teams are coordinated and everyone is pulling in the same direction.
• Does your security organization have regular meetings with the development team? Coordinating activities is a priority for DevSecOps. Many processes can be automated, but if the teams are not meeting, new threats and attack methods may not be communicated.
• What, if anything, is preventing you from integrating security into your development procedures? There are a few reasons why companies struggle with integrating security into their development programs. These inclede understaffing, competing strategic priorities, or a lack of understanding the “why” behind security integration.

If your organization has DevSecOps in place:

• What tools have you implemented into your CI/CD pipeline? Today there are numerous products and platforms that allow you to automate most of the CI/CD pipeline. These tools can perform automated vulnerability scanning all the way to code review. Most provide approval processes as well.
• What training efforts do you have in place to ensure developers understand the potential security risks of their code? Developers are often unaware of how their own code or integrated open source code can affect the security of the overall build. Security training, whether you move to DevSecOps or not, is critical for developers. Onboarding training followed up by annual reviews should be required for all developers.
• Do you have executive requirements for coordination between the security and development teams? Obviously, when implementing an enterprise-level program, executive or senior management sponsorship is vital. Stressing the importance of security integration from the top makes it a priority for the security and development teams.
• Do you have a security review built into your development lifecycle to ensure code is scanned and approved before deployment? If you’re not moving to a complete DevSecOp program, at the minimum, your development program needs to incorporate a security review into the CI/CD pipeline. Without the automation tools this can be challenging, but knowing the risks associated with your applications before you put them into production will prevent future issues.

Graduating from a DevOps shop to DevSecOps shop should be a priority for today’s IT departments. The CI/CD pipeline allows developers to go from pushing new code once a weekend off-hours to doing so multiple times per day. In a cloud-first world, users have come to expect such a pace. But without the proper security protocols in place, each instance represents a new opportunity to introduce a security flaw.