For DevSecOps to run efficiently, your team should consider the following:
- Automation makes sense: There are several security controls, checks and balances that need to be applied at each stage of the development and deployment process. Automating these checks reduces the risk of errors and keeps the system running smoothly.
- Know your infrastructure: To implement security best practices, your team must have a sound understanding of the threats that it faces. Model your infrastructure and map out the threats that it could face. Consider which activities are 'high risk' in terms of data and network security, and plan tests around those.
- Find problems early: DevSecOps is focused on making security a part of the workflow. The sooner problems are found, the sooner they can be fixed.
- Trust no one: Using a zero-trust policy in your IT systems and networks reduces the risk of intruders gaining access to your systems, and also helps to reduce the risk of malware propagating inside the organization's systems.
Modern applications are vulnerable to attack from many avenues. Not only are most company networks now connected to the Internet, there is the issue of BYOD policies meaning that unknown devices are allowed to connect to those sensitive networks. In addition, there are other cybersecurity threats, such as the ever-present threat of complacent users and social engineering.
Another common attack vector is your application's API. According to research performed by Akamai, 83% of web traffic today is API traffic. Does your development team properly vet all API requests? Yes, APIs glue applications together, but calls to your API cannot be naively trusted.
Developers should be implementing security as standard in every single piece of their code. This means sanitizing input, verifying all calls, and embracing the idea of policy as code.
When implemented properly, DevSecOps can save developers, operations, and QA workers time and effort, and will help to create better and more robust systems in the long term.