More companies are using DevOps and continuous delivery to accelerate software releases. While the added speed and agility help businesses keep pace with changing customer demands, some wonder whether DevOps and Continuous Delivery actually make software less secure than it might be otherwise. With Micro Focus, organizations can simultaneously improve speed and security as well as governance and compliance.
“Software is moving from conception to production in a matter of minutes, hours or days instead of months,” said Ashish Kuthiala, senior director at Micro Focus. “Nobody wants to release software that has security flaws because it can cost millions or billions of dollars in lost revenue, litigation and brand reputation damage.”
Companies that want to manage security risks more effectively can no longer do application security testing somewhere between testing and production. Instead, security practices need to shift left, so developers can minimize the number of vulnerabilities that seep into production.In addition, DevOps security practices enable security personnel to focus on the security of each iteration rather than daunting amounts of application code once every few months.
“For every 100 developers, organizations usually have 10 testers and one security expert,” said Kuthiala. “If you’re building security into your code, everyone is thinking about security at all times.” As recent security gaffes indicate, security has become everyone’s responsibility.
Improve security while coding
There are a number of tools, solutions, frameworks and processes that can be incorporated throughout the DevOps lifecycle to help secure code. For example, Security Assistant, a new feature in Micro Focus Fortify Static Code Analyzer (SCA), is an effective first line of defense because like a spellchecker, it checks code against known vulnerabilities in the frameworks as the code is being written. If a vulnerability is detected, Security Assistant automatically prevents the developer from committing the code, so the issue can be resolved swiftly while it’s relatively easy and cheap to fix.
“Security Assistant provides valuable feedback in context. Even if you fed the code into the pipeline, you’d be able to use Fortify for static code analysis or Fortify WebInspect for dynamic code analysis,” said Kuthiala. “If at any point, a security vulnerability is detected while the code is moving through the continuous delivery pipeline, the code will be kicked back to its origin so the issue can be resolved.”
Micro Focus ALM Octane provides another layer of protection. It provides full visibility into the status of code, including security vulnerabilities, who injected them, when, when the problem was fixed and how it was fixed. Such visibility is necessary for compliance in highly regulated industries; however, even companies in unregulated industries have mandates to improve application security, visibility and traceability throughout the application lifecycle. ALM Octane tracks the entire pipeline so the status of code and security defects are always known.
Many leading companies across industries use ALM Octane for the quality and test management of complex application portfolios in hybrid application development environments. It provides a single source of truth for enterprise governance and compliance regardless of the environmental complexity.
Businesses with DevOps and Continuous Delivery practices can’t get mired in version control details. And yet, version control is always necessary. “You can’t just have code moving through the pipeline without the appropriate controls in place. Every change that goes through the pipeline should be codified and version controlled,” said Kuthiala.
Organizations also need to think about security threats in broader terms. Quite often, code vulnerabilities are considered synonymous with hackers when insider threats can be even more dangerous. In addition to malicious internal actors, businesses face inadvertent threats from permissions settings that weren’t configured properly or have not been updated in a timely fashion. ALM Octane tracks those details so organizations ensure the right people have access to code.
“If you have the right tools in place and you’re integrating security throughout the application lifecycle, you have an opportunity to make your software more secure than it was before,” said Kuthiala. “DevOps doesn’t threaten application security, it fortifies it.”