I recently had the opportunity to do a web seminar with Jeff Payne about using open source tools for DevSecOps. In our discussion, I made the point that the goal of DevSecOps is to make application security a first-class citizen in the DevOps process.
Making application security a first-class citizen improves the quality of your software and reduces the chance of a vulnerability in your software being exploited in production. Since much of the software we are creating these days is meant to live on the internet, security has become a primary concern for organizations that have valuable assets exposed as web-accessible applications and services.
The primary way to increase the prominence of application security is to shift left: take the application security practices that teams have traditionally deferred until the end of the release cycle and perform them throughout the development process.
Keys to Shifting Left
- Automating security testing and checks in your build pipeline.
- Enabling the development team to take ownership of triaging and remediating the results of the automated security testing.
- Making your security specialists the people who teach and champion security practices, coaching the development teams on how to improve application security.
- Using application security practices from the start of the project.
We spent a good deal of time discussing how to use open source tools to help introduce application security practices into your development process and build pipeline. Open source is a good way to get started with minimal cost to acquire tools and very few limits on how you can use them. Bear in mind that commercial tools have some advantages as well. For some application security practices, your best choice might be a commercial tool.
Open source tools can take you a long way in improving the quality and security posture of your software. Most security tools can run in an automated process and can be included in your build pipeline. The development team still needs to audit the security findings and plan remediation (fixing the security issue) into their daily work.
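As an added illustration of the two points above (automated security checks in the build pipeline, and the development team owning the results), here is a small pipeline gate that is not from the original post or from any particular tool. It assumes a scanner-neutral JSON report of findings and a team-maintained triage baseline; both shapes are constructed for the example, and a real pipeline would load the output of whichever scanner it runs (for instance SARIF) in place of the sample strings. The gate fails the build on new findings at or above a severity threshold, honors accepted findings only while their acceptance is unexpired, and fails closed on unknown severities.

```python
"""Build-pipeline gate for security scanner findings (added example, not the post's code)."""
import json
import sys
from datetime import date

# Ordering used for the severity threshold; unknown severities fail closed (see below).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
FAIL_CLOSED_RANK = max(SEVERITY_RANK.values())

# Constructed sample report. Assumption: a generic {"findings": [...]} shape;
# adapt the loader to the real scanner's output format.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-001", "rule": "sql-injection", "severity": "high",
         "file": "app/db.py", "line": 42},
        {"id": "F-002", "rule": "weak-hash-md5", "severity": "medium",
         "file": "app/auth.py", "line": 17},
        {"id": "F-003", "rule": "debug-enabled", "severity": "low",
         "file": "app/settings.py", "line": 3},
        {"id": "F-004", "rule": "hardcoded-secret", "severity": "critical",
         "file": "app/config.py", "line": 9},
    ]
})

# Constructed triage baseline owned by the development team: each accepted
# finding carries a reason and an expiry so that acceptances are revisited.
SAMPLE_BASELINE = json.dumps({
    "accepted": [
        {"rule": "weak-hash-md5", "file": "app/auth.py",
         "reason": "non-security checksum; migration tracked in ticket APP-123",
         "expires": "2099-01-01"},
        {"rule": "hardcoded-secret", "file": "app/config.py",
         "reason": "test fixture value",
         "expires": "2020-01-01"},   # already expired: no longer suppresses the finding
    ]
})


def finding_key(finding):
    """Findings are matched to baseline entries by (rule, file)."""
    return (finding["rule"], finding["file"])


def severity_rank(severity):
    """Unknown or missing severities are ranked as the highest, so the gate fails closed."""
    return SEVERITY_RANK.get(str(severity).lower(), FAIL_CLOSED_RANK)


def evaluate(report_json, baseline_json, fail_on="high", today=None):
    """Classify findings into blocking, accepted and informational buckets."""
    today = today or date.today()
    findings = json.loads(report_json)["findings"]
    baseline = json.loads(baseline_json)["accepted"]
    threshold = SEVERITY_RANK[fail_on]

    active, expired = {}, []
    for entry in baseline:
        key = (entry["rule"], entry["file"])
        if date.fromisoformat(entry["expires"]) >= today:
            active[key] = entry
        else:
            expired.append(key)

    blocking, accepted, informational = [], [], []
    for finding in findings:
        if finding_key(finding) in active:
            accepted.append(finding)
        elif severity_rank(finding.get("severity")) >= threshold:
            blocking.append(finding)
        else:
            informational.append(finding)
    return {"blocking": blocking, "accepted": accepted,
            "informational": informational, "expired_acceptances": expired}


def build_passes(result):
    """The build passes only when no unaccepted finding reaches the threshold."""
    return not result["blocking"]


if __name__ == "__main__":
    # In a pipeline, the report and baseline would be read from files produced
    # by the scanner and checked into the repository respectively.
    outcome = evaluate(SAMPLE_REPORT, SAMPLE_BASELINE, fail_on="high")
    for finding in outcome["blocking"]:
        print(f"BLOCKING {finding['id']} {finding['severity']} {finding['rule']} "
              f"at {finding['file']}:{finding['line']}")
    for key in outcome["expired_acceptances"]:
        print(f"EXPIRED acceptance for {key[0]} in {key[1]}; re-triage required")
    print(f"accepted: {len(outcome['accepted'])}, informational: {len(outcome['informational'])}")
    sys.exit(0 if build_passes(outcome) else 1)
```

The baseline is the piece that puts the development team in charge of the findings: nothing is silenced without a recorded reason and an expiry date, so a suppression cannot quietly outlive the work that justified it, and the gate re-raises the finding as soon as the acceptance lapses.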