dardize their deployment pipeline and therefore are putting security into the position of maintaining the integrity of many different types of pipelines. Security should become a service provider and treat development as a client. Its mission should be to create a more secure pipeline to help the DevOps team move faster. Development needs to be a source of consistency and security needs to be valued as a point of quality.
2. Do Not Rejigger the Organization – Re-Allocate Tasks
You do not need to replace or reassign people to implement a greater focus on security. Repurposing people's existing tasks is all you need to do. For example, people who are normally doing just the penetration test of an application might take on additional roles for static application security testing or dynamic application security testing. When an app is finally released in a waterfall scenario, it gets pen tested. By that time, potentially thousands of lines of code have been written. In a more agile system, those security personnel get the opportunity to shift left in the development life cycle. Put mechanisms in place that apply lighter controls earlier, so that problems are caught before code is released into production. It is like using anti-aircraft guns instead of cannons. Rather than having one big cannon trying to hit a target, you take more shots at securing the app earlier by using more organizational artillery.
3. Add New Tools
A lot of organizations do not take on app security. They hope developers write code safely and do pen testing; this is not application security. There are more tools to leverage now, such as SAST, DAST, IAST and RASP and third-party versioning tools and pre-IDE code checkers. These tools have matured as the space has become bigger. Larger organizations are using them, but they should be employed more widely to help DevOps avoid unnecessary delays in the workflow.
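The "lighter controls earlier" idea in sections 2 and 3 is easiest to see as a small, automated gate that runs on every push rather than a single pen test at release time. The following is an added example, not code from the article or from any of the tool vendors it alludes to: a constructed, intentionally narrow static check (a handful of high-signal patterns such as hard-coded credentials, eval/exec and shell=True) that a CI job can run on a pull request and fail fast. The rule list, severities and the sample module it scans are all assumptions made for illustration.

```python
"""
Lightweight pre-merge static gate (constructed example).

It scans Python source for a handful of high-signal patterns and
returns structured findings so a CI job can fail the build long before
a release-time penetration test would see the same code.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "high" blocks the merge, "medium" is reported only
    line: int
    text: str


# Each rule: (name, severity, compiled regex). Patterns are deliberately
# narrow: a gate that cries wolf gets disabled, which is worse than no gate.
RULES = [
    ("hardcoded-credential", "high",
     re.compile(r"""(?i)\b\w*(password|passwd|secret|api_key|token)\s*=\s*["'][^"']{4,}["']""")),
    ("dynamic-eval", "high",
     re.compile(r"\b(eval|exec)\s*\(")),
    ("shell-true", "high",
     re.compile(r"\bsubprocess\.\w+\(.*shell\s*=\s*True")),
    ("unsafe-deserialize", "medium",
     re.compile(r"\b(pickle|marshal)\.loads?\s*\(")),
]


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per matching line; blank lines and comments are skipped."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, severity, lineno, line))
    return findings


def gate(findings: list[Finding], fail_on=("high",)) -> bool:
    """True when the change may merge: no finding at a blocking severity."""
    return not any(f.severity in fail_on for f in findings)


# Constructed sample: a fictional module a developer might push (not real code).
SAMPLE = '''\
import subprocess, pickle
# password = "not-a-real-secret"   (comment: ignored by the gate)
API_TOKEN = "constructed-example-token-1234"
def run(cmd):
    return subprocess.run(cmd, shell=True)
def load(blob):
    return pickle.loads(blob)
def calc(expr):
    return eval(expr)
'''


def main() -> int:
    """Scan the sample and return a CI-style exit code (0 = pass, 1 = blocked)."""
    findings = scan_source(SAMPLE)
    for f in findings:
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.text}")
    ok = gate(findings)
    print("gate:", "pass" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run as a pre-merge step, the non-zero exit code is what turns the check into a control: the pull request cannot merge until the finding is fixed or explicitly accepted. Keeping the rule set small and the severities honest is the design choice that matters; the medium-severity deserialization rule reports without blocking so the team can tune it before it gates anything.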
Conclusion
Everybody wants pipelines to move quickly and efficiently. Sometimes this happens at the cost of security, but it doesn't have to. Implementing security measures earlier in the process does impose more controls, but these controls are mostly automated. Therefore, security checks increase but are earlier in the pipeline and process, making resolution clearer and quicker. Organizations need to open up to the benefits they can achieve by shifting security functions left along the pipeline. These moves can save organizations time and trouble in the long run, helping them achieve their original business goals.
FALL 2019 | THE DOPPLER | 51