I’ve been pretty vocal lately about the need to shift security left and introduce it earlier in the development lifecycle. In fact, in a Dark Reading article I wrote toward the end of last year I proclaimed it’s time to not just shift, but race left. The point being, with DevOps teams constantly pushing to accelerate time to market, addressing application vulnerabilities reactively is a losing battle. Specifically, I said “if you are responding to issues more than preventing them you are behind the curve.” Consequently, bad things can happen—vulnerabilities can be missed and that can lead to breaches.
Of course, change is hard, especially when you have to rearrange cycles and redesign workflows. That’s why in the article I suggest making a clean break from the past. Take a little short-term pain for long-term gain. Insert static and dynamic application security testing directly into your DevOps workflow. Sure this creates more work early in the process, but it will undoubtedly save time by avoiding code being sent back to the development team if an issue is found later. That way, teams can finally start looking forward instead of backward.
Once you’ve decided to take the plunge and shift security left, you’ll need the right plan to make it happen at your organization. Unfortunately, these types of major changes can easily fall apart without solid planning—often because teams haven’t invested in the in-depth planning and testing at the beginning of the process. Having seen this transition happen successfully at several companies now, I’ve detailed four critical steps for transitioning effectively to a DevSecOps model in a recent article I wrote for DevOps.com.
You might ask, though, isn’t this move to DevSecOps incompatible with Agile?
Not at all. In fact, I made the case that DevOps and Agile can be highly complementary in an interview for this article in The Enterprisers Project. Agile and DevOps can work to the same end goal of maximizing opportunities for the enterprise to be responsive and innovative. Each methodology simply needs to be used appropriately.
In that article, I cast Agile teams as “special forces” in the development organization, highly focused and empowered to build applications quickly and efficiently. You can then think of DevOps as a bridge for teams to work collaboratively across departments, including application security. The idea is to flatten an otherwise complex organization and allow teams to communicate and share information via a simple Slack message instead of the traditional ticketing and provisioning process. The result is more speed, not less. And with AppSec built in, less rework and fewer vulnerabilities released into production.
Applications are the future, and securing them is a constantly evolving effort. I hope you’ll stay tuned to learn more on how you can shift left. And if you’d like to hear how Kenna can help your DevSecOps program, sign up for a demo today.
The post No Pain, No Gain: Why Shifting to DevOps Is Worth It for Your Organization appeared first on Kenna Security.