In the world of software development, the need for speed often clashes with the need for security. The concept of DevSecOps aims to bridge this gap by integrating security practices into DevOps processes. In a discussion with Steven Zimmerman, a DevSecOps security solutions manager at the Synopsys Software Integrity Group, he explores the challenges and solutions related to implementing effective DevSecOps.
The perception that security testing slows down the development process is a common one. According to Zimmerman, this conflict arises when security is not planned or implemented correctly. However, he suggests that with proper planning and implementation, security can be seamlessly integrated into the development process.
Zimmerman's first recommendation is to make security a cross-functional team effort. Training quality assurance and development teams in their security responsibilities ensures that everyone plays a role in maintaining security. This strategy, which Zimmerman categorizes under 'organizational alignment', gives everyone a seat at the table and makes security everyone's responsibility.
Zimmerman's second recommendation is more frequent testing of business-critical applications. He suggests that pipeline integration might be an effective mechanism to achieve this. However, he warns that improper or incomplete planning can lead to misaligned strategies, which can halt the development pipeline and break workflows.
The third recommendation Zimmerman makes is the adoption of a 'shift-left' approach or, more recently, 'shift everywhere'. This security ideology focuses on finding and fixing defects earlier in the development process, which helps developers be more efficient at testing, remediation and shipping code.
Zimmerman stresses the importance of fostering a security culture within an organization. This includes both risk awareness and security expertise. He suggests investing in developer security training to build security capabilities within the development team. Not only does this help accelerate remediation, but it also helps to avoid the discovery of security vulnerabilities further down the development pipeline.
DevSecOps is more than just a buzzword; it's a necessary shift in software development culture. By planning and implementing security properly, fostering a security culture, and adopting practices like 'shifting left', organizations can ensure that speed and security go hand in hand in their DevOps processes. For more detailed insights, check out the Global State of DevSecOps 2023 survey.