Take a shift-left security approach across all phases of the SDLC.
In the Modern Software Factory, organizations are transforming their culture, processes and tooling to accelerate the delivery of mission essential applications. Queue DevOps, the integration of development and operations to speed time to market, enhance customer experience and improve operational efficiency. Specifically, DevOps revolves around agile development, continuous testing, continuous deployment and agile operations. Often employing a toolchain, DevOps enables organizations of all sizes to build, test, operate and deploy software code more rapidly, including to the mainframe.
DevOps methodology integrates both Development and Operations experts into a team that focuses on the application, rather than the system. This focus requires streamlining tooling and improving collaboration across the enterprise, but also raises the question: where does security fit into the DevOps lifecycle? The simplest answer, security needs to be everywhere in DevOps, just as it is in all modern IT. Baking security into every aspect of design, development and deployment helps ensure that security is built, quite literally, into digital applications from the outset
Consider Gene Kim’s 3 underpinning principles of DevOps: systems thinking, continual experimentation, and in particular, feedback loops. Feedback loops in the SLDC bring development, operations and security experts from respective teams together, working as one, as opposed to traditional silos. This approach more easily embeds security principles throughout application designs and team behaviors, safeguarding against external threats, removing internal threats once identified, and improving the trust between teams as they iterate code and processes agilely.
Welcome DevSecOps, the integration of development, security, operations and the mainframe working together as one.
Here are some quick ways to begin your DevSecOps journey today:
- Security Principles: Before even writing the first line of code, it is important to understand the security standards in your company and industry, and ensure that core requirements, and a security mindset, are incorporated into the design, and team. For example, API key security, limited privileged access, data encryption, user password rules, network design, physical security and more all play a part in in application design from the start
- Code Scanning: Once code creation is underway, it is critical that the team incorporate code security scanning, dependence scanning, and design code with security principles in mind
- Consistent Builds: Incorporate automated build, which not only increases speed and repeatability, but reduces potential security exposing errors that unfortunately can creep into manual builds
- Security-Oriented QA & Testing: Automated testing is a critical best practice, but be sure to add security code scans, penetration testing, vulnerability testing, and data security practices reviews to the mix
- Security Best Practices: As the team proceeds to packaging their tested and approved code, security best practices mean using trusted modules, documenting the provenance of 3rd party components, and finally conducting a threat model of the software to understand the underlying assets, entry points and trust level required for the software
- Identity Management: As the software moves onto Deployment, it becomes critical to ensure the the correct identity management is in place, including understanding and assignment of privileged access, users and API keys as well as associated, trusted servers
- Ongoing Security Tune-Ups: Once the software is deployed and in production, ongoing vulnerability testing, penetration testing, and best practice configuration settings should be constantly evaluated. The threat modeling at the Packaging stage will help guide the team to understand when patches and updates are important for critical software
- Access Management: Finally, ongoing monitoring of access and user behavior is a critical security practice to ensure credentials are not misused or stolen, threatening critical and sensitive data access
The latest DevSecOps research shows 62 percent of IT pros said that application security is very important to their development teams, and that 45% say DevOps increases productivity and speeds development. In addition, the time taken to deliver code can be reduced from months to weeks leveraging DevOps principles. As the next-generation mainframe continues to transact the most business critical applications, DevSecOps is a must to provide quick access, seamless experiences, and robust protection.