DEVOP + SECOPS Part 3: Continuous Security in Action
There is a natural tension that can occur between security and application development within a company.
Application developers are typically under pressure to release new features and constantly complete business requirement changes. But often, a business' desire to see progress in features and functions can come at the cost of improvements to existing backend code through a process of refactoring. Good secure coding practices—which are invisible to the end-user—are often abandoned in favor of a quick turnaround.
On the other side, security operations have the difficult task of understanding all the risks to the environment, and then monitoring and managing that risk. When applications are updated, the security operations team needs to assess any new risk that may be introduced. Ideally with every new release of an application, security operations should be validating the new code and ensuring they can monitor and manage the risk.
But as software development moves away from traditional waterfall (with long release cycles) toward agile or scrum—where developers push code to production weekly—it becomes almost impossible for a security operations team to keep up unless they are properly engaged in the application development cycle.
Enter Continuous Security—the addition of security assessment practices into the devops workflow in two simple steps:
- Step 1: Incorporate an automated application security scanner into your build automation system used for continuous integration of code and automated quality assurance.
- Step 2: Add a manual security analysis to your post-build approval process to allow review of the scanning results and further pen testing of the application if desired.
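A concrete form of both steps, as an added example that is not from the original article: a Python build gate that reads the scanner's report in SARIF format, fails the CI job on any finding at or above a severity threshold (Step 1), and produces the per-rule summary handed to the manual post-build review (Step 2). The scanner name, rule ids, file paths and the sample report itself are constructed for illustration.

```python
import json

# Constructed sample of a scanner's SARIF 2.1.0 output; the rules, files and
# line numbers are illustrative, not real findings from any project.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast-scanner"}},
    "results": [
        {"ruleId": "sql-injection", "level": "error",
         "message": {"text": "Unsanitized input reaches SQL query"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "weak-hash", "level": "warning",
         "message": {"text": "MD5 used for password hashing"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/auth.py"}, "region": {"startLine": 17}}}]},
    ]}]})

SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}

def parse_findings(sarif_text):
    """Flatten SARIF results into plain dicts the gate and reviewers can use."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "level": res.get("level", "warning"),  # SARIF's default level
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "text": res.get("message", {}).get("text", ""),
            })
    return findings

def build_gate(findings, fail_at="error"):
    """Step 1: the CI job fails when any finding is at or above fail_at."""
    blocking = [f for f in findings if SEVERITY[f["level"]] >= SEVERITY[fail_at]]
    return not blocking, blocking

def review_summary(findings):
    """Step 2: per-rule counts handed to the manual post-build security review."""
    summary = {}
    for f in findings:
        summary[f["rule"]] = summary.get(f["rule"], 0) + 1
    return summary

if __name__ == "__main__":
    passed, blocking = build_gate(parse_findings(SAMPLE_SARIF))
    print("BUILD PASSED" if passed else "BUILD FAILED, blocking: %r" % blocking)
```

Lowering `fail_at` to `"warning"` makes the gate stricter without touching the scanner, which is the knob a team tightens as the backlog of findings shrinks.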