What's Next For DevSecOps
Due to their importance in modern application architectures, building secure APIs is crucial. Security cannot be neglected, and it should be part of the whole development life cycle. Scanning and penetration testing yearly are no longer enough.
DevSecOps should join the development effort, facilitating continuous security testing across the entire software development life cycle. Your goal should be to enhance the development pipeline with security automation, but without impacting the speed of development.
In case of doubt, stay informed, and refer to the DevSecOps Manifesto.
|Understand the Threat Model
|Testing priorities come from a threat model. If you don't have one, consider using OWASP Application Security Verification Standard (ASVS), and the OWASP Testing Guide as an input. Involving the development team will help to make them more security-aware.
|Understand the SDLC
|Join the development team to better understand the Software Development Life Cycle. Your contribution on continuous security testing should be compatible with people, processes, and tools. Everyone should agree with the process, so that there's no unnecessary friction or resistance.
|Since your work should not impact the development speed, you should wisely choose the best (simple, fastest, most accurate) technique to verify the security requirements. The OWASP Security Knowledge Framework and OWASP Application Security Verification Standard can be great sources of functional and nonfunctional security requirements. There are other great sources for projects and tools similar to the one offered by the DevSecOps community.
|Achieving Coverage and Accuracy
|You're the bridge between developers and operations teams. To achieve coverage, not only should you focus on the functionality, but also the orchestration. Work close to both development and operations teams from the beginning so you can optimize your time and effort. You should aim for a state where the essential security is verified continuously.
|Clearly Communicate Findings
|Contribute value with less or no friction. Deliver findings in a timely fashion, within the tools development teams are using (not PDF files). Join the development team to address the findings. Take the opportunity to educate them, clearly describing the weakness and how it can be abused, including an attack scenario to make it real.