5 Features of a Successful DevSecOps Pipeline
With the DevSecOps movement on the rise, many are wondering what makes a good DevSecOps pipeline. What is the best way to build security into an existing continuous integration, continuous delivery, and continuous deployment pipeline?
Let’s take a look at five essential features of successful DevSecOps pipelines and analyze where security can benefit most.
1. Precommit hooks
Precommit checks are used to find common security issues before changes are committed into source code repositories. The use of precommit hooks is very powerful. They can help tedious manual tasks, increase productivity, and ensure checks are enforced every time. A good DevSecOps pipeline includes these checks with integrated unit tests, static code analysis, and code review to help update existing thread modelsand enable risk analysis to be performed incrementally.
2. Commit-time testing
At each check-in to the source code repository, it’s important to build and perform some basic automated testing of the application. These tests should run (and fail) fast in order to provide rapid results to developers. By integrating some quick static application security testing (SAST) tools to run a subset of your top vulnerabilities based on your risk assessment, you can provide fast, incremental feedback and empower development teams to remediate critical and high-risk issues.
3. Build-time testing and analysis
When commit-time checks are successful, your next step is to build the application and break the build with any failure. If the code compiles, you’ll want to rerun unit tests, a full SAST scan, and third-party binary analysis. In the event these quality gates fail, you’ll want to prevent code from being promoted until a developer inspects and resolves any issues.
4. Deployment checks
If your build is completed, it’s time to deploy the application to a test environment and perform pre- and post-deployment security checks. Testing post-deployment provides an ongoing level of assurance that operational and functional changes haven’t introduced new security issues. Unit testing in your infrastructure-as-code tool of choice and using it to force strong security configurations builds in security controls early.
Once provisioning and deployment checks are complete, it’s time to look into performing dynamic application security testing (DAST), fuzzing, performance and load testing, and monitoring of the system to provide a baseline and gain an understanding of what production should act and behave like. This is the last phase before production is released.
5. DevSecOps in production
If you’ve managed to make it this far and deployed in production, you’re not done yet. Log inspection and continuous monitoring are key components of your DevSecOps capabilities. Findings in this phase should be identified and fed back to development teams to change developer behavior.
When implementing security into your DevSecOps pipeline, it’s important to conduct these activities with purpose and not get stuck in a governance checklist. None of these elements is stuck in stone.
Automation is invaluable to reducing security risk and making it successful. Making such activities integral to each part of your pipeline ensures DevOps teams own the security of their application in the same way they own quality, development, and operations.