The DevOps era brings together skyrocketing complexity with white-hot speed of delivery to create growing value and responsiveness in software design. Companies such as Amazon deploy code every 11 seconds, while Facebook executes 50,000 builds each day. With so much complexity and speed, the risk of security vulnerabilities slipping through the cracks is magnified intensely. As software development evolves, so must the software security program at every organization. Software security needs to help accelerate software delivery and not slow it down.
Is your software security program up to the challenge? Consider the people and workflows in your DevOps organization: does everyone have responsibility for application security? Asked another way, “Do your developers identify and remediate bugs in addition to creating code?” By integrating security into the entire software development lifecycle, enterprises can manage their business risk and guarantee secure software delivery at the speed of DevOps. As you start to integrate security into software development from the ground up, consider these areas to focus your time, resources, and investments:
- Build security into your DevOps workflows by enabling your developers to identify security vulnerabilities and address them in a workflow that mirrors the bug tracking and remediation process. This will cause less disruption for your developers.
- When planning security training, consider replacing the single annual training session with ongoing security briefings and online tools. Small, frequent trainings and in-context tutorials spread throughout the year are more hands-on and more relevant to what developers are actually working on.
- On the technical side, look for software that automates security testing and can be configured to match your DevOps tools and processes; you reduce overhead when security scans do not need a separate workflow of their own. And, as with training, rather than relying only on large, full scans of your software, look for a solution that can run fast scans of the incremental code changes as well as full scans when necessary. This saves time and avoids developers waiting hours, or more than a day, for security testing results.
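The incremental-versus-full scanning decision in the last point is easy to wire into a CI pipeline. The script below is an added example, not code from the original article or from any particular scanning product: it decides whether a build needs a full scan (main branch, or a change to a dependency manifest or build file, where a diff-only scan would miss the wider impact) or an incremental scan of just the changed source files. The `$SCANNER` command, its `--full` flag, and the `CI_BRANCH` / `CI_BASE_REF` variables are assumptions standing in for your own tool and CI system.

```shell
#!/bin/sh
# Added example (not from the original post): a CI helper that chooses
# between an incremental scan of changed files and a full scan.
# Assumptions: the CI runner exports CI_BRANCH and CI_BASE_REF, and the
# scanner is a hypothetical command in $SCANNER that accepts file paths
# or a "--full" flag. Replace both with your tool's real interface.

SCANNER="${SCANNER:-echo scanner}"

# scan_mode BRANCH FILE... -> prints "full" or "incremental".
# Full scan on the main branch, or when a dependency manifest or build
# file changed (those affect every file, so a diff-only scan would miss
# the impact). Everything else gets an incremental scan.
scan_mode() {
  branch="$1"; shift
  case "$branch" in
    main|master) echo full; return 0 ;;
  esac
  for f in "$@"; do
    case "$f" in
      Dockerfile|*/Dockerfile|go.mod|go.sum|package.json|package-lock.json|requirements.txt|*.lock)
        echo full; return 0 ;;
    esac
  done
  echo incremental
}

# scannable FILE... -> prints only the source files worth scanning,
# one per line (docs, images and similar are skipped).
scannable() {
  for f in "$@"; do
    case "$f" in
      *.py|*.js|*.ts|*.go|*.java|*.rb|*.c|*.h|*.sh) printf '%s\n' "$f" ;;
    esac
  done
}

# changed_files BASE_REF -> files added/copied/modified/renamed since the
# merge base with BASE_REF (real git flags; requires a checked-out repo).
changed_files() {
  git diff --name-only --diff-filter=ACMR "$(git merge-base "$1" HEAD)" HEAD
}

# run_scan BRANCH FILE... -> invokes the scanner in the chosen mode.
run_scan() {
  branch="$1"; shift
  mode=$(scan_mode "$branch" "$@")
  if [ "$mode" = full ]; then
    $SCANNER --full .
  else
    files=$(scannable "$@")
    if [ -z "$files" ]; then
      echo "no scannable source changes; skipping scan"
      return 0
    fi
    # shellcheck disable=SC2086  (word splitting on $files is intended)
    $SCANNER $files
  fi
}

# CI entry point: only runs when the assumed CI variables are set.
if [ -n "$CI_BRANCH" ] && [ -n "$CI_BASE_REF" ]; then
  # shellcheck disable=SC2046
  run_scan "$CI_BRANCH" $(changed_files "$CI_BASE_REF")
fi
```

The full-scan fallback on manifest changes is the important design choice: a dependency bump can introduce a vulnerable library that no changed source file references directly, so the fast path must know when to step aside. A nightly scheduled job that runs the full scan regardless of branch closes the remaining gap for findings in code that has not changed recently.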