In the wake of high-profile data breaches and severe operational flaws like those exploited by WannaCry and Petya, it’s become clear to developers that security needs to be much more than a tacked-on feature — it needs to be an integral part of the development process from the beginning.
1. Consistently Monitor Your Processes
Even the best planning misses something, which is why proactive monitoring is extremely important. Set up data exfiltration policies on your firewall and in your application to monitor for sensitive patterns like credit card numbers; or, use a “canary in the coal mine” by adding a fake account with a unique name to watch for. Now you can block and trace serious issues before they make headlines. – Jason Gill, The HOTH
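As an added illustration of the two monitoring techniques mentioned above (pattern matching on sensitive data and a canary account), here is a small Python detector, written for this page rather than taken from the contributor or any product. It scans outbound records or log lines for card-number-like digit strings that pass the Luhn check and for a constructed canary account name; the sample lines and the canary identifier are constructed for the example.

```python
import re

# Constructed canary identifier: a fake account that no legitimate process should
# ever touch, so any reference to it in outbound traffic or queries is suspicious.
CANARY_ACCOUNT = "canary.q7x.finance@example.com"

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated by
# spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return normalized digit strings that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so alerts themselves do not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect_record(line: str) -> list:
    """Return alert strings for one outbound record or log line (empty if clean)."""
    alerts = []
    for pan in find_pans(line):
        alerts.append(f"possible PAN exfiltration: {mask(pan)}")
    if CANARY_ACCOUNT in line:
        alerts.append("canary account referenced: investigate source")
    return alerts


def scan(lines) -> dict:
    """Map line index -> alerts for every line that raised at least one alert."""
    results = {}
    for i, line in enumerate(lines):
        alerts = inspect_record(line)
        if alerts:
            results[i] = alerts
    return results


# Constructed sample of outbound application/log records.
SAMPLE_LINES = [
    '2024-05-01T10:00:01Z POST /api/export body="name=alice,card=4111 1111 1111 1111"',
    '2024-05-01T10:00:02Z GET /healthz 200',
    '2024-05-01T10:00:03Z POST /api/export body="order=1234567890123456"',  # 16 digits, fails Luhn
    "2024-05-01T10:00:04Z SELECT * FROM users WHERE email='canary.q7x.finance@example.com'",
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_LINES).items():
        for a in alerts:
            print(f"line {idx}: {a}")
```

The Luhn check cuts down on false positives from order numbers and timestamps that merely look like long digit runs, and masking in the alert text keeps the monitoring pipeline from becoming a second copy of the sensitive data.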
2. Incorporate Threat Modeling Into DevOps
Security should not be a bolt-on function or a step in the DevSecOps workstream. Security should be carefully factored into DevOps through threat modeling for each project. Threat modeling is a procedure for optimizing security by identifying objectives and vulnerabilities and then defining countermeasures. This exercise propagates security awareness and risk identification. – Danny Allan, Veeam Software
3. Understand Where To Allocate Your Time And Resources
Knowing where to focus your likely very limited resources is key, and can be tackled by performing application risk assessments and threat modeling. By better understanding where your product or service may have unacceptable risk exposure, you can focus your time and resources appropriately. – Vijay Bolina, Blackhawk Network
4. Get Senior Leaders Involved
As with any collaborative endeavor that brings together people from different backgrounds, experiences and outlooks, it’s important to acknowledge the possibility of conflict up front and deal with it head-on. Senior leaders should be involved to explain why the DevSecOps ethos is so vital to the company’s future, and hold everyone accountable for advancing its success. – Todd DeLaughter, Automic Software, owned by CA Technologies (NASDAQ: CA)
5. Incorporate Security Tests Into Your Boot-Up
One of the most effective ways to embed security into software is to initiate the security on boot-up. When a user restarts their device or software, the manufacturer should run a series of boot tests to detect any changes in the software and confirm that the software is entirely authentic. Additionally, there should be warnings to users to reboot so the tests can be conducted frequently. – Maria Clemens, Management and Network Services, LLC
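To make the boot-time check above concrete, here is an added Python sketch of a startup integrity self-test; it is not the contributor's design or any vendor's code. The manufacturer records a hash of each component in a manifest and authenticates the manifest; at boot the device first verifies the manifest and only then compares each component against it, failing closed if the manifest cannot be trusted. The component contents and key are constructed for the example, and the HMAC stands in for the asymmetric signature and hardware-anchored public key a real secure-boot design would use.

```python
import hashlib
import hmac

# Constructed stand-ins for the software components installed on the device.
COMPONENTS = {
    "bootloader.bin": b"constructed bootloader image v1",
    "app.bin": b"constructed application image v1",
}

# Constructed verification key. A production design verifies a signature with a
# public key rooted in hardware rather than a shared secret held on the device.
VERIFY_KEY = b"constructed-manufacturer-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _manifest_body(entries: dict) -> bytes:
    # Canonical, sorted serialization so both sides authenticate the same bytes.
    return "\n".join(f"{n}={h}" for n, h in sorted(entries.items())).encode()


def build_manifest(components: dict, key: bytes) -> dict:
    """Manufacturer side: record expected hashes and authenticate the list."""
    entries = {name: sha256_hex(data) for name, data in components.items()}
    tag = hmac.new(key, _manifest_body(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def boot_check(components: dict, manifest: dict, key: bytes):
    """Device side: return (ok, problems). Refuse to trust an unauthenticated manifest."""
    expected = hmac.new(key, _manifest_body(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["manifest authentication failed"]

    problems = []
    for name, want in manifest["entries"].items():
        data = components.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif not hmac.compare_digest(sha256_hex(data), want):
            problems.append(f"{name}: hash mismatch")
    for name in components:
        if name not in manifest["entries"]:
            problems.append(f"{name}: not in manifest")   # unexpected extra component
    return not problems, problems


if __name__ == "__main__":
    manifest = build_manifest(COMPONENTS, VERIFY_KEY)
    ok, problems = boot_check(COMPONENTS, manifest, VERIFY_KEY)
    print("boot check:", "OK" if ok else "FAILED", problems)
```

The order matters: a tampered manifest that lists the hash of a tampered component would pass a naive per-file comparison, so the manifest's own authenticity is checked before any component is trusted.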
6. Security Must Follow The Dev Cycle To The End
Bring security to the table as part of the DevOps process as an equal player. Some might push back and say that security slows agility, but with the proper toolchain integration, this is no longer an issue. One example is automating the scanning of docker images for security gaps and vulnerabilities, and promoting the image to the next step in the development cycle based on certain thresholds. – Dr. Rao Papolu, Cavirin Systems
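The image-promotion gate described above, as an added Python example that is not the contributor's or any scanner vendor's code: it reads a scanner report, counts findings per severity, and decides whether the image may move to the next stage under a threshold policy. The report shape, image name and finding IDs are constructed placeholders in a tool-neutral layout; a real pipeline would load the JSON its own scanner emits.

```python
import json
import sys

# Threshold policy: maximum allowed findings per severity. Findings that have no
# fix available are reported but, by default, not counted against the limit, so
# the pipeline is not blocked by issues the team cannot yet act on.
DEFAULT_POLICY = {
    "max": {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 5},
    "count_unfixed": False,
}

# Constructed scanner output in a simplified, tool-neutral shape.
SAMPLE_REPORT = {
    "image": "registry.example.internal/app:1.4.2",
    "findings": [
        {"id": "VULN-PLACEHOLDER-0001", "severity": "CRITICAL", "fixed_version": "1.2.3"},
        {"id": "VULN-PLACEHOLDER-0002", "severity": "HIGH", "fixed_version": None},
        {"id": "VULN-PLACEHOLDER-0003", "severity": "MEDIUM", "fixed_version": "2.0.0"},
        {"id": "VULN-PLACEHOLDER-0004", "severity": "MEDIUM", "fixed_version": "0.9.1"},
        {"id": "VULN-PLACEHOLDER-0005", "severity": "LOW", "fixed_version": "3.1.0"},
    ],
}


def count_by_severity(findings, count_unfixed: bool) -> dict:
    """Count findings per severity, optionally skipping those with no fix."""
    counts = {}
    for f in findings:
        if not count_unfixed and not f.get("fixed_version"):
            continue
        sev = str(f.get("severity", "UNKNOWN")).upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def evaluate(report: dict, policy: dict = DEFAULT_POLICY) -> dict:
    """Apply the threshold policy and return the promotion decision with reasons."""
    counts = count_by_severity(report["findings"], policy["count_unfixed"])
    violations = []
    for sev, limit in policy["max"].items():
        n = counts.get(sev, 0)
        if n > limit:
            violations.append(f"{sev}: {n} found, limit {limit}")
    return {
        "image": report["image"],
        "promote": not violations,
        "counts": counts,
        "violations": violations,
    }


def evaluate_json(text: str, policy: dict = DEFAULT_POLICY) -> dict:
    """Convenience wrapper for a report read from a file or a scanner's stdout."""
    return evaluate(json.loads(text), policy)


if __name__ == "__main__":
    decision = evaluate(SAMPLE_REPORT)
    print(json.dumps(decision, indent=2))
    # Non-zero exit blocks the promotion step in a CI pipeline.
    sys.exit(0 if decision["promote"] else 1)
```

Keeping the policy as data rather than hard-coded conditions lets the same gate run with a stricter setting (for example counting unfixed findings) for production promotion than for an early integration stage.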
7. Foster A Culture Of Security From The Top Down
Security cannot be an afterthought or a line item on a Gantt Chart. It has to be injected into a company’s culture of development and communication from the top down. Building out an organizational culture based on high trust will be the key to success. Everyone must have the mindset that they are individually responsible for security. – Leon Hounshell, Greenwave Systems