Five Essential Steps to Shift Security Left (Episode II)
Continuing our five-part series on DevSecOps, this week we explore Step 2: Integrate-As-You-Code.
An important step that many organizations are keen on is integrating security into the continuous integration and continuous delivery (CI/CD) process. The best time to begin security testing is not at the end of development but at the beginning, or at least as early as you can. This proactive approach saves two valuable commodities, time and money: a flaw found while the code is still being written is far cheaper to fix than one found after release.
Another practice worth considering is checking the coding standard you have implemented for your business continuously against new security recommendations, and verifying and testing any new or changed code against those recommendations. The benefits include identifying risks in near real time and allowing the line of business to fully understand the risk approach it should employ.
The two main stakeholders, of course, are the development and security teams. Developers are primarily focused on speed of delivery to market, sometimes at the expense of application security. Their security counterparts' main concern is how safe the application is, and to them a delay in delivery is simply a necessary precaution. So where is the balance? Ideally, application security is a partnership: security defines what is acceptable, and developers implement the testing and rectify problems as they arise.
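The partnership described above, with the security team owning the policy and developers running the checks on every change, can be encoded as a gate in the build pipeline. What follows is an added example, not code from the original post or from Veracode: a small Python gate that parses a scanner report for the current commit, compares it with the baseline scan of the target branch, and fails the build only on findings the change introduced, according to thresholds the security team sets. The report format, rule IDs, file paths, fingerprints and thresholds are all constructed for illustration and do not correspond to any real scanner.

```python
"""Added example: a CI security gate that enforces a policy agreed with the
security team on every commit. The report shape, rule IDs and sample data
are constructed for illustration and are not tied to any real scanner."""
from dataclasses import dataclass
import json

# Policy owned by the security team: maximum number of NEW findings per
# severity that a change may introduce. 0 blocks the merge on the first one;
# None means "report, but never block". Thresholds are hypothetical.
POLICY = {"critical": 0, "high": 0, "medium": 3, "low": None}

SEVERITY_ORDER = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    fingerprint: str  # stable hash of the flagged code, independent of line number


def parse_report(report_json: str) -> list[Finding]:
    """Parse a constructed scanner report of the form {"results": [{...}, ...]}."""
    data = json.loads(report_json)
    findings = []
    for r in data["results"]:
        sev = r["severity"].lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {sev!r} for rule {r['rule_id']}")
        findings.append(Finding(r["rule_id"], sev, r["path"], r["line"], r["fingerprint"]))
    return findings


@dataclass
class GateResult:
    passed: bool
    new_findings: list   # findings not present in the baseline scan
    blocking: list       # subset of new_findings that caused the failure
    counts: dict         # new findings per severity


def evaluate_gate(current, baseline, policy=POLICY) -> GateResult:
    """Fail only on findings this change introduced: those whose fingerprint is
    absent from the baseline. Pre-existing debt is reported, not blocked, so the
    gate can be switched on for a legacy code base without stopping delivery."""
    known = {f.fingerprint for f in baseline}
    new = [f for f in current if f.fingerprint not in known]
    counts = {sev: sum(1 for f in new if f.severity == sev) for sev in SEVERITY_ORDER}
    blocking = [
        f for f in new
        if policy.get(f.severity) is not None and counts[f.severity] > policy[f.severity]
    ]
    return GateResult(passed=not blocking, new_findings=new, blocking=blocking, counts=counts)


# Constructed sample reports: the baseline scan of the target branch and the
# scan of the branch under review.
BASELINE_REPORT = json.dumps({"results": [
    {"rule_id": "SQLI-001", "severity": "high", "path": "app/db.py", "line": 40, "fingerprint": "a1"},
    {"rule_id": "LOG-002", "severity": "low", "path": "app/log.py", "line": 12, "fingerprint": "b2"},
]})

CURRENT_REPORT = json.dumps({"results": [
    # same SQLI finding moved by three lines: fingerprint unchanged, so not "new"
    {"rule_id": "SQLI-001", "severity": "high", "path": "app/db.py", "line": 43, "fingerprint": "a1"},
    {"rule_id": "LOG-002", "severity": "low", "path": "app/log.py", "line": 12, "fingerprint": "b2"},
    # introduced by this change
    {"rule_id": "CMDI-004", "severity": "high", "path": "app/export.py", "line": 88, "fingerprint": "c3"},
    {"rule_id": "XSS-007", "severity": "medium", "path": "app/views.py", "line": 17, "fingerprint": "d4"},
    {"rule_id": "LOG-002", "severity": "low", "path": "app/views.py", "line": 20, "fingerprint": "e5"},
]})


def run_gate(current_json=CURRENT_REPORT, baseline_json=BASELINE_REPORT) -> GateResult:
    return evaluate_gate(parse_report(current_json), parse_report(baseline_json))


if __name__ == "__main__":
    result = run_gate()
    for f in result.new_findings:
        flag = "BLOCK" if f in result.blocking else "note "
        print(f"{flag} {f.severity:8} {f.rule_id:9} {f.path}:{f.line}")
    print("gate:", "PASS" if result.passed else "FAIL", result.counts)
    # The exit status is what the pipeline acts on.
    raise SystemExit(0 if result.passed else 1)
```

In a real pipeline the two report strings would be the output of the chosen scanner for the target branch and for the change under review, mapped into the same shape, and the non-zero exit status is what blocks the merge. Matching on a content fingerprint rather than on file and line number is what makes the gate usable on an existing code base: legacy findings stay visible but do not fail every build, line shifts do not create phantom "new" findings, and a developer sees in near real time exactly which of their own changes crossed the line the security team drew.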
In Step Two of Five Essential Steps to Shift Security Left, Tim Jarrett, Director of Product Management at Veracode, provides tactical and practical best practices for integrating as you code, including when in development to perform security testing. Check out the video to learn more and to put you and your business on the right track.