Baking security into DevOps processes (“shift left”) remains a challenge for many fast-moving shops, though several speakers at JFrog’s recent SwampUP virtual conference offered ideas on how to make it happen.

The question of who owns security in the DevOps process goes back at least to 2012, when DevOps pioneers Gene Kim and Josh Corman raised it at the RSA security conference. Shifting the burden of securing applications onto developers (“shift left”) is a big ask for people already expected to be full-stack engineers, especially as they rely ever more on externally developed open source libraries. Down the (virtual) hallway, security teams are busy keeping networks, data, cloud presence and endpoints secure; application security sits well down their priority lists.

But DevOps, and DevSecOps by extension, is not just about tools; it is also about people, processes and governance, and the way we have been adding security to the DevOps process is flawed, argued Alyssa Miller, business information security officer at S&P Global Ratings and author of the recently published “Cyber Defender’s Career Guide,” in her presentation at the conference.

Traditionally, security teams have approached this by setting up gates between the steps of a continuous integration and deployment (CI/CD) pipeline, she said: static analysis runs when code is committed, dynamic testing is the last step before the application moves to deployment, and if either finds a potential security weakness, the application cannot proceed.
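What a commit-time gate of this kind actually does, as an added example that is not from the talk or the article: a small Python pipeline step that reads a SAST tool's SARIF 2.1.0 report and fails the build when any finding sits at or above a configured severity. The scanner name and the three findings are constructed for illustration; the only real interface used is the SARIF format itself.

```python
"""CI gate step: parse a SAST tool's SARIF 2.1.0 report and decide whether the
pipeline may proceed. Added example; the SARIF document below is constructed."""
import json
import sys

# SARIF result 'level' values, ordered from least to most severe.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report (not output of any real scan); "example-sast" is a
# placeholder tool name.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def findings_from_sarif(sarif_text):
    """Flatten every run's results into (level, ruleId, uri, line, message) tuples."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            # SARIF treats a missing 'level' as "warning".
            out.append((r.get("level", "warning"), r.get("ruleId", "?"),
                        uri, line, r.get("message", {}).get("text", "")))
    return out


def gate(findings, block_at="warning"):
    """Return (passed, blocking): blocking holds findings at or above block_at."""
    threshold = LEVEL_RANK[block_at]
    blocking = [f for f in findings if LEVEL_RANK.get(f[0], 2) >= threshold]
    return (len(blocking) == 0, blocking)


def main(argv):
    # Read a real report if a path is given, otherwise use the constructed sample.
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_SARIF
    passed, blocking = gate(findings_from_sarif(text), block_at="warning")
    for level, rule, uri, line, msg in blocking:
        print(f"BLOCK {level:<8} {rule:<16} {uri}:{line}  {msg}")
    print("gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking finding(s))")
    # A non-zero exit is what stops the CI pipeline at this stage.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python gate.py report.sarif` after the scanner step; with the sample report the gate fails on the SQL injection and weak-hash findings and lets the note-level finding through. A gate written this way blocks the pipeline on every qualifying finding, with no notion of risk acceptance or baselining, which is exactly the friction the talk describes.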


SwampUP: DevOps Needs Guardrails, Not Gates, for Security