DevOps Embraces Security Measures to Build Safer Software

Last updated 23/07/2021

DevOps isn't just changing how developers and operations cooperate to deliver better software faster; it is also changing how developers view application security. A recent survey from software automation and security company Sonatype found that DevOps teams are increasingly adopting security automation to build better and more secure software.

It's no secret that traditional development and operations teams see security controls as slow and cumbersome, and often look for ways to bypass the requirements in their rush to get software out the door. However, only 28 percent of respondents from organizations with mature DevOps practices felt that security requirements slowed software development, Sonatype found in its 2017 DevSecOps Community Survey. In fact, 84 percent of respondents from mature DevOps organizations saw application security as a safety measure, not an inhibitor to innovation.

“DevOps is not an excuse to do application security poorly; it is an opportunity to do application security better than ever,” said Wayne Jackson, CEO of Sonatype.

While about a quarter of the respondents to the online survey (which included developers, DevOps teams, IT managers, team leads, architects, and build and operations engineers) considered security a top development concern, that figure jumped to 38 percent among respondents who worked at organizations with a mature DevOps culture. Those respondents said their developers spend a lot of time on security.

The clear difference in the importance developers place on application security appears to depend on how far along the organization is on its DevOps journey. Just as security tends to play a more prominent role in organizations with mature IT operations, the same pattern is emerging with DevOps. As developers and operations get more comfortable working together to release better software faster, they look for other areas to improve. Building more secure software is the logical next step.

“Successful application security has been defined as increased automation that doesn’t slow down the development and operations process,” said Tyler Shields, vice president of Signal Sciences. “Imagine a scenario where developers embrace security rather than find ways to work around it.”

Among respondents, 58 percent of mature DevOps organizations said they have automated security as part of their continuous integration (CI) practices, but CI isn't the only part of the SDLC benefiting from automation. In the survey, 42 percent of respondents from mature DevOps organizations said they perform application security analysis at every stage of the SDLC, from architecture and design all the way to production.

Contrast that with the overall response pool, where only 27 percent said they performed application security analysis at every stage. Forty-nine percent of respondents said they performed application security analysis during QA/testing, and 45 percent said before releasing into production.

Automation includes adding security testing techniques such as fuzz testing and software penetration testing during development and testing, as well as security analysis within CI platforms to detect when vulnerable code is introduced. Some organizations have automated the evaluation of open-source and third-party components against a defined governance policy to keep vulnerable libraries out of the code base.
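The component-governance check described above, as an added example (this is not code from the original article, from Sonatype, or from any survey respondent): a Python gate that a CI job runs over a pinned dependency list and fails the build when a component is denied by policy, falls inside a version range the policy marks as vulnerable, or is not pinned at all and so cannot be evaluated. The lockfile, the policy, and every package name and advisory identifier in them are constructed for illustration; a real pipeline would load the policy from a repository-controlled file and refresh the vulnerable ranges from an advisory source.

```python
"""Dependency governance gate for CI (constructed example).

Evaluates exactly pinned third-party components against a policy and returns
a non-zero exit status on any violation so the pipeline stops. All package
names, versions and advisory IDs below are invented, not real advisories.
"""
from __future__ import annotations

import operator
import re
import sys
from dataclasses import dataclass

# Constructed lockfile in requirements.txt style (not from any real project).
LOCKFILE = """\
# generated by pip freeze (constructed sample)
acme-auth==2.3.0
fastjsonx==1.4.2
legacy-crypto==0.9
netclient==3.1.0
tinytemplate>=0.5
"""

# Constructed governance policy: denied components plus version ranges that
# an (invented) advisory marks as vulnerable.
POLICY = {
    "denied": {"legacy-crypto": "unmaintained, replaced by netclient"},
    "vulnerable": [
        {"package": "acme-auth", "versions": "<2.4.1", "advisory": "EXAMPLE-2017-001"},
        {"package": "fastjsonx", "versions": ">=1.4.0,<1.4.3", "advisory": "EXAMPLE-2017-002"},
    ],
}

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$")
CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9.]*)$")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str | None
    reason: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1); trailing zeros are dropped so 2.3 == 2.3.0."""
    parts = [int(p) for p in text.strip(".").split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches_spec(version: str, spec: str) -> bool:
    """True when version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad policy clause: {clause!r}")
        if not OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def parse_lockfile(text: str) -> list[tuple[str, str | None]]:
    """Return (package, exact_version_or_None) for each dependency line."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
        else:
            # Ranges (>=, ~=) or bare names are not exact pins: version unknown.
            name = re.split(r"[<>=~!]", line, maxsplit=1)[0].strip().lower()
            deps.append((name, None))
    return deps


def evaluate(lockfile_text: str, policy: dict) -> list[Finding]:
    """Apply the policy to every dependency and collect violations."""
    findings: list[Finding] = []
    for name, version in parse_lockfile(lockfile_text):
        if version is None:
            findings.append(Finding(name, None, "not pinned to an exact version; policy cannot be evaluated"))
            continue
        if name in policy["denied"]:
            findings.append(Finding(name, version, f"denied by policy: {policy['denied'][name]}"))
            continue
        for rule in policy["vulnerable"]:
            if rule["package"] == name and matches_spec(version, rule["versions"]):
                findings.append(Finding(name, version, f"{rule['advisory']} affects versions {rule['versions']}"))
    return findings


def gate(lockfile_text: str, policy: dict) -> int:
    """CI entry point: report findings and return 1 (fail the build) if any exist."""
    findings = evaluate(lockfile_text, policy)
    for f in findings:
        print(f"POLICY VIOLATION {f.package}=={f.version or '?'}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(gate(LOCKFILE, POLICY))
```

Treating an unpinned dependency as a violation is deliberate: a range such as `tinytemplate>=0.5` resolves to whatever is newest at build time, so the policy cannot say anything about what actually ships, and the check must fail closed rather than silently pass it.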

Part of the increase in application security comes from the increased focus on training. The survey found that 85 percent of respondents from mature DevOps organizations received some form of application security training to ensure awareness of secure coding practices.

But secure development within DevOps is less about blindly following required security practices and controls and more to do with thinking about making applications secure as part of daily practice, said Hasan Yasar, technical manager and adjunct faculty at Carnegie Mellon University. Developers are encouraged to adopt an attacker mindset to look for vulnerabilities in their own code and to build software with a reduced attack surface. If the application is quick to deploy and restore, then developers can worry less about being hacked and more about preventing predictable attacks and quickly recovering from an incident.

“Software should bend but not break,” Yasar said. “This shift in thinking from a prevent to a bend-don’t-break mindset allows for a lot more flexibility when it comes to dealing with attacks.”

Another area where security can work with DevOps is in the use of runtime application self-protection (RASP) and next-generation web application firewall (NGWAF) technologies. RASP and NGWAF give security, operations, and development teams visibility into attacks and data at runtime.

“Automation of application security will democratize security data, breaking down silos between groups while helping the entire organization operate more efficiently,” said Shields.

While the survey paints a rosy picture, especially since DevOps still isn't as firmly established in software development as its advocates would like to believe, it still makes a compelling argument that automation makes it possible to integrate application security tools early in the development life cycle. Thanks to automation, vulnerabilities are found faster and fixed earlier, which is less costly than finding them in production or during penetration testing. When the tests become part of the CI/CD pipeline, code quality is higher, developers are happier about what they are shipping, and security teams are satisfied because security policies are being followed.

“Building the right AppSec tools seamlessly into the DevOps loop—your continuous release cycle—means your IT delivery value stream operates faster, cheaper, and at high quality,” said Helen Beal, a “devopsologist” at Ranger4, a DevOps consultancy.

Security experts have long advocated integrating security earlier in the lifecycle, and the survey findings show this is already happening in some organizations. The survey shows that the rapid pace of development and deployment in DevOps isn't somehow at odds with security, and that organizations have successfully figured out how to combine the two.


About Author

NovelVista Learning Solutions is a professionally managed training organization with specialization in certification courses. The core management team consists of highly qualified professionals with vast industry experience. NovelVista is an Accredited Training Organization (ATO) to conduct all levels of ITIL Courses. We also conduct training on DevOps, AWS Solution Architect associate, Prince2, MSP, CSM, Cloud Computing, Apache Hadoop, Six Sigma, ISO 20000/27000 & Agile Methodologies.
