As Figure 1 shows, each area of an organization’s DevOps practice can integrate security into its existing design, deployment and operational tooling and practices by starting with three things: a shift-left mindset, security by design and zero-trust architecture.
Shift-left mindset: Think about and identify security issues early in the software development process, based on the principle that the sooner a vulnerability is identified, the cheaper it is to remediate.
Security by design: Build on the shift-left practice by assuring that security features are built into the application or service at the design stage, rather than bolted on later.
Zero-trust architecture: Assume that hackers can access all parts of the network (internal and external) and put in place mechanisms to thwart this intrusion, such as data encryption, identity-based access controls and minimal service exposure.
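The three principles above become concrete when they are encoded as an automated check that runs in the pipeline before a service is deployed. The following is an added example (not code from the original article or from any product it describes): a small policy-as-code gate that reads a service manifest and reports where a service falls short of the zero-trust mechanisms the text names, encryption in transit, identity-based access control and minimal exposure. The manifest format, field names and the sample services are assumptions constructed for the example, not a real tool's schema.

```python
"""Policy-as-code gate for three zero-trust properties of a service manifest:
encryption in transit, identity-based access control, and minimal exposure.
Added example; the manifest layout and field names are assumed, not a real schema."""

from __future__ import annotations

# Constructed sample manifest: one compliant service and one that is not.
SAMPLE_MANIFEST = {
    "services": [
        {
            "name": "orders-api",
            "tls": {"enabled": True, "mutual": True},
            "auth": {"mode": "identity", "allowed_principals": ["spiffe://example.org/checkout"]},
            "exposure": "internal",
        },
        {
            "name": "legacy-reports",
            "tls": {"enabled": False},
            "auth": {"mode": "network"},  # trusts callers by IP range, not by identity
            "exposure": "public",
        },
    ]
}


def check_service(svc: dict) -> list[str]:
    """Return human-readable findings for one service; an empty list means compliant."""
    findings: list[str] = []
    name = svc.get("name", "<unnamed>")

    # 1. Encryption in transit: TLS must be on, and mutual so the peer's identity is proven.
    tls = svc.get("tls", {})
    if not tls.get("enabled", False):
        findings.append(f"{name}: TLS disabled; traffic crosses the network in clear text")
    elif not tls.get("mutual", False):
        findings.append(f"{name}: TLS is one-way; enable mutual TLS to authenticate callers")

    # 2. Identity-based access control: decisions must key on a caller identity,
    #    not on network location, which zero trust treats as untrusted.
    auth = svc.get("auth", {})
    if auth.get("mode") != "identity":
        findings.append(f"{name}: auth mode {auth.get('mode')!r} is not identity-based")
    elif not auth.get("allowed_principals"):
        findings.append(f"{name}: identity auth configured but no principals are allowed")

    # 3. Minimal exposure: default to internal; public exposure needs a recorded reason.
    exposure = svc.get("exposure", "internal")
    if exposure == "public" and not svc.get("public_justification"):
        findings.append(f"{name}: publicly exposed without a recorded justification")
    elif exposure not in ("internal", "public"):
        findings.append(f"{name}: unknown exposure value {exposure!r}")

    return findings


def check_manifest(manifest: dict) -> dict[str, list[str]]:
    """Map each service name to its findings; services with none are compliant."""
    return {svc.get("name", "<unnamed>"): check_service(svc)
            for svc in manifest.get("services", [])}


def gate_passes(manifest: dict) -> bool:
    """Pipeline gate: True only when every service has zero findings."""
    return all(not findings for findings in check_manifest(manifest).values())


if __name__ == "__main__":
    for name, findings in check_manifest(SAMPLE_MANIFEST).items():
        print(f"[{'OK' if not findings else 'FAIL'}] {name}")
        for finding in findings:
            print("   -", finding)
    # Non-zero exit fails the pipeline stage, so the issue is caught before deployment.
    raise SystemExit(0 if gate_passes(SAMPLE_MANIFEST) else 1)
```

Run as a pipeline step, the gate fails the build on the constructed `legacy-reports` service, which is exactly the shift-left outcome the article describes: the design flaw (clear-text traffic, location-based trust, unjustified public exposure) surfaces at the point where it is cheapest to fix, rather than after the service is live.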
Figure 1. How Cybersecurity Applies Across Artifacts, Pipeline, and Target
These concepts are all very healthy for an organization to adopt, but to keep pace with the demands of rapid software releases and increasingly complex infrastructure, a heavy investment in security tooling and automation is necessary.
While investment in tooling and automation is needed at every stage of the software development lifecycle, the closer that tooling sits to the developer (the further left it is shifted), the greater the value it returns in both risk reduction and speed of delivery.
In short, supporting your developers with the means to identify security risks earlier in the process means supporting your organization’s long-term ROI.