The software development process has moved from the Waterfall model to the Agile model.
Then came our favorite, DevOps, which has accelerated the velocity with which products are developed and deployed to customers.
At the same time, faster go-to-market and the “Everything Digital” approach have increased exposure to cyber threats. While we implement a strong DevOps practice, we need to ensure that the applications we develop and deploy are secure.
For security to work and to move fast, it has to be an integral part of the continuous development, integration, and deployment process. It should not be considered an optional extra, or something that we get around to when we have time and budget.
The catch is that, as DevOps moves fast, security has to keep pace or move even faster. If security checks are not sufficiently automated, either the DevOps cycle will slow down or security hygiene will suffer.
So, how can this be achieved?
The first step is to build security into the tools that already exist in the DevOps pipeline.
The second step is to use Static Code Analyzers (SCA) such as Fortify and SonarQube to automate security checks within the DevOps cycle.
The third step is to automate the remediation of the security issues reported by the Static Code Analyzers.
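As an added example that is not part of the original post, here is one way to wire the second step into a CI stage so that the pipeline blocks on SonarQube findings rather than merely reporting them. It assumes `sonar-scanner` and `curl` are on the PATH and that the CI system injects `SONAR_HOST_URL`, `SONAR_TOKEN` and `PROJECT_KEY` (hypothetical variable names) as secrets; the two JSON responses are constructed samples for offline checking.

```shell
#!/bin/sh
# Added example (not from the original post): a CI stage that runs a
# SonarQube scan and fails the pipeline when the quality gate is not OK.
# Assumes sonar-scanner is on PATH and SONAR_HOST_URL / SONAR_TOKEN /
# PROJECT_KEY are provided by the CI system (hypothetical variable names).

# Run the scan. sonar.qualitygate.wait=true makes the scanner block until
# the server has computed the quality gate and exit non-zero if it failed.
run_scan() {
  sonar-scanner \
    -Dsonar.projectKey="$PROJECT_KEY" \
    -Dsonar.host.url="$SONAR_HOST_URL" \
    -Dsonar.token="$SONAR_TOKEN" \
    -Dsonar.qualitygate.wait=true
}

# Fetch the project's quality-gate status from the SonarQube Web API.
fetch_gate_status() {
  curl -sf -u "$SONAR_TOKEN:" \
    "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$PROJECT_KEY"
}

# Decide from the project_status JSON (read on stdin).
# Returns 0 only when projectStatus.status is "OK", so any ERROR condition
# (e.g. new vulnerabilities above the threshold) blocks the stage.
gate_passed() {
  status=$(sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p')
  [ "$status" = "OK" ]
}

# Constructed sample responses, used to exercise gate_passed offline.
SAMPLE_OK='{"projectStatus":{"status":"OK","conditions":[]}}'
SAMPLE_FAIL='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_vulnerabilities","comparator":"GT","errorThreshold":"0","actualValue":"2"}]}}'

# Pipeline entry point: scan, then re-check the gate explicitly so the
# deploy step only runs when the gate reports OK.
ci_stage() {
  run_scan || { echo "quality gate failed, blocking deploy"; return 1; }
  fetch_gate_status | gate_passed
}
```

Call `ci_stage` from the pipeline step that precedes deployment; a non-zero exit stops the pipeline there.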
Manually fixing security vulnerabilities worked acceptably when release cycles were 4-6 months or even longer.
But with the increased adoption of Agile, the release cycle has shrunk to sprints of 2-3 weeks.
You can no longer afford to run security checks only every few months, as that widens the window in which attackers can exploit weaknesses in the application.
Security supported by automation is going to be the next big thing. New innovations will have to be built to reduce risk continually and help businesses deploy faster, safely and securely.
So let’s keep exploring ways to implement security across people, process and tools in DevOps, and make your DevOps implementation secure!