Shift Security Left through DevSecOps
Fusing application development with integrated, automated security processes
By Christian Lachaux, AABG Security Lead, Accenture; Federico Tandeter, Cloud Security Offering Development Lead, Accenture.
Accenture is a Premier APN Consulting Partner and AWS MSP who holds a number of AWS Competencies, including Migration.
Development+Security+Operations, better known as DevSecOps, is revolutionizing application development by integrating automated security reviews directly into the software development process. By 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing for custom code, up from less than 10% in 2016. 1
Agile, security-focused enterprises are now taking it to the next level by applying DevSecOps in a cloud environment, and many are doing so on the AWS Cloud, which emphasizes security as its highest priority.2 This further simplifies and accelerates application development by accessing cloud-based packaged security tooling and testing services via API calls. With this innovative method, CIOs can ensure that vital security testing is performed at each step of the software development lifecycle—seamlessly and at high velocity.
To support this approach, Accenture DevOps is working to incorporate DevSecOps into the Accenture DevOps Platform service—which we feel will have the dual benefits of making security both easier and quicker, while also making it more measurable and reliable. Additionally, the Accenture AWS Business Group (AABG) helps customers secure cloud deployments using AWS security capabilities and best practices, such as the Center for Internet Security (CIS) AWS Foundations Benchmark, augmented by third-party tools and Accenture services.
Make way for a new method
With agile or waterfall application development approaches, security testing is typically not part of the initial design process. Instead, it is performed as a final manual step on a completed package—which increases the risk of application release delays and compounds costs if issues found in security testing require reengineering or redesign.
Despite these concerns, some companies stick to the traditional methods, partly due to the perception that security testing slows the application development lifecycle or injects complex requirements too late in the process. In some cases, this has reinforced the rift between application development teams and security teams, even though both groups report to the CIO. Forward-looking companies can overcome this challenge through a shift security left approach, which introduces security at the inception of the development lifecycle and automates testing within the DevOps workflow.
Representing a substantial improvement over more traditional methods, shift security left makes security an inherent part of the design and architecture of every software product. Using DevOps techniques (automated provisioning, extensive monitoring, frequent testing, and continuous integration), application developers and security teams can collaborate in a streamlined and secure development process. Specifically, the DevSecOps process parallelizes component development and automates security testing to achieve an iterative, fail-fast model: continuous development and testing at the unit level, followed by final security testing of the completed package.
Security automation industrialized on cloud
CIOs can apply the versatile DevSecOps process to application development and security processes on-premises or in the cloud. However, we feel that cloud provides a clear benefit in two primary ways: first, by supporting programmatic testing; and second, by facilitating DevSecOps through pre-packaged services that use infrastructure as code to automate core security testing.
If a security issue is identified, the developer can address it on the spot, or if necessary, involve the proper security team member to provide a quick fix. The cloud-native environment with embedded security services makes it even easier to develop applications and conduct security testing at the functional and user level on multiple iterations.
Hyperscale cloud providers like AWS facilitate DevSecOps through infrastructure as code and API-driven automation capabilities, as well as through services that enable DevSecOps, including AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline. (See this recent AWS technical blog for more detail.) Using packaged services like these, companies can expedite the DevSecOps process and then top off with custom code for an enterprise-ready business process or customer-facing service.
Getting started with DevSecOps
Overall, DevSecOps leads to a more effective risk-based approach to security. Rather than deciding which security apps to apply to an environment, companies can assess where potential risks and vulnerabilities lie and solve them holistically. To reap the near-term and longer-term benefits, Accenture suggests that CIOs follow these steps:
- Start with a solid DevOps foundation across the development environment. Working with an external provider with strong DevOps experience can accelerate this process through education, training, and tooling.
- Foster collaboration between development and security teams to embed security in the design. Just as security architects are not necessarily developers, developers may not always be as current on the latest security threats and trends.
- Deploy continuous security testing built into the continuous integration/continuous delivery (CI/CD) pipeline via automation. It will be critical to select the right security tools to support automated testing.
- Extend monitoring to include security and compliance by monitoring for drift from the design state in real time to enable alerting, automated remediation, or quarantine of resources marked as non-compliant.
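The last step, monitoring for drift from the design state and deciding between alerting, automated remediation, and quarantine, can be expressed as a small comparison of declared versus observed configuration. The following is an added example, not code from the post or from Accenture; the security group names and ingress rules are constructed, hypothetical data, and the severity thresholds are assumptions.

```python
"""Drift detection against a declared design state.

Added example, not from the post or Accenture. Design state and observed
snapshot are constructed, hypothetical data; in practice the snapshot comes
from the cloud API and the design state from infrastructure-as-code templates.
"""
from dataclasses import dataclass, field

Rule = tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)
WORLD = {"0.0.0.0/0", "::/0"}     # a rule open to these CIDRs is the most severe drift

@dataclass
class DriftFinding:
    resource: str
    unexpected: set[Rule] = field(default_factory=set)  # present but not in design
    missing: set[Rule] = field(default_factory=set)     # in design but removed
    action: str = "compliant"                           # alert | remediate | quarantine

def detect_drift(design: dict, observed: dict) -> list:
    """Diff observed ingress rules against the design state and pick a response."""
    findings = []
    for name, expected in design.items():
        actual = observed.get(name, set())
        f = DriftFinding(name, actual - expected, expected - actual)
        if any(r[3] in WORLD for r in f.unexpected):
            f.action = "quarantine"  # undeclared world-open rule: isolate the resource
        elif f.unexpected:
            f.action = "remediate"   # undeclared but narrow rule: revert it automatically
        elif f.missing:
            f.action = "alert"       # a design rule vanished: notify, never auto-add
        findings.append(f)
    for name in observed.keys() - design.keys():  # resource that the design never declared
        findings.append(DriftFinding(name, set(observed[name]), set(), "alert"))
    return findings

def actions(design: dict, observed: dict) -> dict:
    """Resource name -> chosen action, the shape an alerting hook would consume."""
    return {f.resource: f.action for f in detect_drift(design, observed)}

# Constructed sample data: hypothetical security groups and rules.
DESIGN = {"sg-web": {("tcp", 443, 443, "0.0.0.0/0")},
          "sg-db": {("tcp", 5432, 5432, "10.0.1.0/24")}}
OBSERVED = {"sg-web": {("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "203.0.113.5/32")},
            "sg-db": {("tcp", 5432, 5432, "0.0.0.0/0")},
            "sg-adhoc": {("tcp", 8080, 8080, "10.0.0.0/8")}}

if __name__ == "__main__":
    for f in detect_drift(DESIGN, OBSERVED):
        print(f"{f.resource}: {f.action} unexpected={sorted(f.unexpected)} missing={sorted(f.missing)}")
```

In a pipeline this check would run on every deployment and on a schedule, feeding the chosen action to the alerting or remediation automation rather than printing it.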
To learn more about implementing DevSecOps into your company’s application development lifecycle, contact firstname.lastname@example.org or email@example.com. If you have any comments for us, please leave them in the comments section. We’d love to hear from you.
The content and opinions in this blog are those of the third party authors and AWS is not responsible for the content or accuracy of this post.
1 “DevSecOps: How to Seamlessly Integrate Security Into DevOps,” by Neil MacDonald and Ian Head, September 30, 2016, ID: G00315283
2 For more information, see the AWS Shared Responsibility Model, which delineates AWS’s role in managing security of the cloud, and a customer’s role in retaining control of their chosen security tools to protect their content in the cloud.