
Integrate Security into your DevOps Practice


With the recent rise in cyberattacks across the various layers of the software development life cycle (SDLC), it has become the need of the hour to make “Security” a feature rather than just a checkbox in annual audits.

We understand it can be challenging to build a new habit into your existing workflow. This is where leadership steps in to develop a culture of security as a shared responsibility. Here are some tips to smoothly integrate “Security” into your CI/CD workflow.

Secure before you code

Snyk does a great job of promoting the “Shift Left” ideology by offering checks for vulnerabilities at different stages of development.
The earliest stage is the developer’s laptop. Scanning there gives rapid feedback and stops vulnerabilities from reaching the source code repositories at all. These scans can be run locally using IDE plug-ins or pre-commit hooks, which alert developers when their own code or a third-party library or package contains a potential security flaw.

Automated governance

Organizations can implement policy as code (Open Policy Agent is one example) to enforce and document the use of approved software security scanners. This standardizes the use of scanning tools while also making it faster and easier to pass compliance audits.

Invest in Workflows

What happens when a new vulnerability is detected? What is the process for requesting and tracking a security exemption? How do you inform other teams of security exemptions?
Define workflows based on the principle that “Every detected vulnerability should have an associated Jira ticket”, even if it turns out to be a false positive. Set up weekly syncs to go over these tickets.

SBOM

A software bill of materials, often abbreviated as SBOM, is a complete list of all software components used across an organization. The list is made up of third-party open source libraries, vendor-provided packages and first-party artifacts built by the organization. An accurate inventory of all components enables organizations to identify risk, allows for greater transparency, and enables rapid impact analysis.
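As an added example (not from the original post or any of the tools it names), here is what “rapid impact analysis” over an SBOM looks like in practice: a CycloneDX-style inventory is flattened into name/version/origin records, matched against an advisory’s affected version range, and the hits are turned into the text for the tracking ticket the Workflows section asks for. The SBOM, the component names and the advisory id are constructed placeholders.

```python
import json
# Constructed CycloneDX-style SBOM covering the three component origins the post
# names; component names, versions and the "origin" property are made up here.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http-client", "version": "2.1.0",
     "properties": [{"name": "origin", "value": "third-party"}]},
    {"type": "library", "name": "example-http-client", "version": "2.4.0",
     "properties": [{"name": "origin", "value": "third-party"}]},
    {"type": "library", "name": "vendor-sdk", "version": "3.2.0",
     "properties": [{"name": "origin", "value": "vendor"}]},
    {"type": "application", "name": "payments-service", "version": "1.8.0",
     "properties": [{"name": "origin", "value": "first-party"}]}
  ]}"""

# Constructed advisory; the id is a placeholder, not a real CVE number.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER-0001", "name": "example-http-client",
            "introduced": "2.0.0", "fixed": "2.3.0"}

def parse_version(text):
    """Dotted numeric version -> comparable tuple, e.g. '2.4.0' -> (2, 4, 0)."""
    return tuple(int(part) for part in text.split("."))

def load_components(sbom_text):
    """Flatten the SBOM into name/version/origin records for quick lookup."""
    records = []
    for comp in json.loads(sbom_text).get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        records.append({"name": comp["name"], "version": comp["version"],
                        "origin": props.get("origin", "unknown")})
    return records

def impacted(components, advisory):
    """Components whose version lies in [introduced, fixed) for the advisory."""
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    return [c for c in components
            if c["name"] == advisory["name"] and lo <= parse_version(c["version"]) < hi]

def ticket_summary(advisory, hits):
    """Text for the tracking ticket the post asks for, even when nothing is hit."""
    if not hits:
        return f"{advisory['id']}: no impacted components in SBOM (close as not affected)"
    lines = [f"{advisory['id']}: {len(hits)} impacted component(s), fixed in {advisory['fixed']}"]
    lines += [f"  - {h['name']} {h['version']} ({h['origin']})" for h in hits]
    return "\n".join(lines)

if __name__ == "__main__":
    print(ticket_summary(ADVISORY, impacted(load_components(SBOM_JSON), ADVISORY)))
```

A ticket is produced even when no component is affected, so the “every detected vulnerability gets a ticket” rule from the Workflows section holds for false positives and non-impacts alike.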

References:
https://snyk.io/platform/ide-plugins/
https://www.harness.io/blog/best-practices-devsecops
https://azure.microsoft.com/mediahandler/files/resourcefiles/6-tips-to-integrate-security-into-your-devops-practices/DevSecOps_Report_Tips_D6_fm.pdf