PROTECT APPS FROM ADVANCED THREATS

Integrate Security into a DevOps Environment

Executive Summary

In many organizations, DevOps has functioned separately from security. As the pace of development and deployment increases, security controls are often an afterthought. However, the DevSecOps movement, which includes security sooner rather than later, is proving to pay off.

WHAT IS DEVOPS?

DevOps is a set of practices that employs continuous integration processes by breaking down the silos between software development and IT operations.

Traditionally, many organizations separated teams by function in order to develop, deploy and govern applications within an infrastructure. However, the race to innovate and digitally transform a business has sped up the pace to produce and release new features. Security is often an afterthought, which reduces quality and makes for a lot of unhappy customers. Adding an application code change near the end of the development cycle is not only extremely costly (due to additional testing and re-certification), it reinforces the common perception that “security slows us down.”

As cycle times accelerate and development teams adopt more Agile methodologies to release software faster, continuous integration through DevOps aims to deliver more frequent releases, with more new capabilities to market, faster. It’s all about speed.

How to Integrate Security in Your DevOps Environment

Watch this webinar to learn how Advanced WAF helps keep pace with the evolution and sophistication of attacks while keeping pace with the speed of modern application development.




HOW DO YOU INTEGRATE SECURITY INTO DEVOPS EARLIER?

Using security best practices early in the software development lifecycle can create dramatic positive effects on cost and efficiency. However, within many organizations security teams continue to exist in a silo—just as development and operations teams operated in silos prior to the DevOps movement. Because of this, an even newer movement has arisen that infuses security into the continuous integration/deployment process: DevSecOps.

The DevSecOps movement’s increasing popularity is due in large part to a methodology called “shifting left.” “Shifting left” is where software development teams focus on robust code from the start. This method moves security away from its reactive role as gatekeeper and more toward a preventative role. Security teams provide guidance and support for development teams and build security automation into the Continuous Integration/Continuous Delivery (CI/CD) development pipeline sooner rather than later.

In a DevSecOps environment, security is a shared responsibility that builds far greater collaboration and feedback and breaks down the barriers between development, operations, and security, getting features to market faster at lower cost and with higher efficiency.

5 WAYS TO INCREASE SCALE AND EFFICIENCY

Even with security as a shared responsibility, security teams can’t expect developers to instantly become security experts and make the right security control decisions the first chance they get. Just like DevOps, DevSecOps is a philosophy that requires cultural change in the way applications are developed and deployed. However, if security teams focus on the five areas below, they can lower cost, increase efficiency, and improve ability to scale:

01
SHIFT LEFT
and build security into the process as early as possible in the development lifecycle.

02
MAKE THE SECURE PATH THE EASY PATH
by focusing on delivering packaged, frictionless security controls that are built into the developer’s (CI/CD) pipeline.

03
BREAK DOWN SILOS
to increase collaboration and feedback between development, operations, and security teams (App Devs, DevOps, and SecOps).

04
NURTURE SECURITY CHAMPIONS
within your development teams to keep security top of mind.

05
CREATE A BUILD PIPELINE
to build security controls and testing in the same tool the developer uses. This way, controls are applied automatically and consistently, and development teams don’t have to depend on security teams for every new release.

SECURITY CONTROLS FOR DEVOPS

The earlier that security requirements are addressed in the software development lifecycle, the lower the cost and impact to the business. Research suggests that software bugs are approximately 5 to 10 times less expensive to fix during the software development lifecycle than if you wait until production. Additionally, any modification to code can introduce other bugs or security vulnerabilities.

Mitigating controls, such as F5’s Advanced WAF, and automated test cases can be built into the continuous integration and continuous delivery pipeline consistently across the lifecycle of applications, from development to production. This allows you to test for vulnerabilities at code commit and at deployment. With security test automation you can also incorporate abuse-test cases and attempts to exploit system vulnerabilities, confirming that your infrastructure is identifying and blocking those attempts. This ensures you can defend against known, unknown, and advanced vulnerabilities and threats to the application while minimizing false positives.
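The pipeline gate described above, as an added example that is not F5’s code or part of this page: a small Python module that replays a set of abuse-test cases against an application endpoint and fails the build unless every case is blocked. The abuse cases, the set of HTTP statuses treated as "blocked", and the in-memory `simulated_gateway` used so the module runs offline are all constructed assumptions; `http_sender` is the hypothetical hook a real pipeline would use to send the same cases to a staging environment behind the WAF.

```python
"""CI gate: replay abuse-test cases and fail unless the protective layer blocks all of them."""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class AbuseCase:
    name: str
    method: str
    path: str
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed negative tests (assumption: these are the checks the team wants enforced,
# not an inventory of any real application's weaknesses).
ABUSE_CASES = [
    AbuseCase("oversized-parameter", "GET", "/search?q=" + "A" * 5000),
    AbuseCase("path-traversal", "GET", "/files/../../config"),
    AbuseCase("script-in-field", "POST", "/comment",
              body="text=<script>alert(1)</script>",
              headers={"Content-Type": "application/x-www-form-urlencoded"}),
    AbuseCase("missing-auth", "GET", "/admin/users"),
]

# Assumption: any of these statuses means the request was identified and stopped.
BLOCKED_STATUSES = {401, 403, 429}


def run_abuse_tests(send: Callable[[AbuseCase], int]) -> Dict[str, bool]:
    """Send every case through `send` and record whether each one was blocked."""
    return {case.name: send(case) in BLOCKED_STATUSES for case in ABUSE_CASES}


def gate_passes(results: Dict[str, bool]) -> bool:
    """The build passes only when no abuse case reached the application."""
    return all(results.values())


def http_sender(base_url: str, timeout: float = 10.0) -> Callable[[AbuseCase], int]:
    """Hypothetical real transport: sends each case to a staging deployment and returns the status."""
    def send(case: AbuseCase) -> int:
        data = case.body.encode() or None
        req = urllib.request.Request(base_url + case.path, data=data,
                                     headers=case.headers, method=case.method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:  # a 4xx from the WAF is a valid, blocked result
            return err.code
    return send


def simulated_gateway(case: AbuseCase) -> int:
    """Constructed stand-in for a policy in front of the app, so the example runs offline."""
    if len(case.path) > 2048:
        return 403
    if "../" in case.path:
        return 403
    if "<script" in case.body.lower():
        return 403
    if case.path.startswith("/admin") and "Authorization" not in case.headers:
        return 401
    return 200


def permissive_gateway(case: AbuseCase) -> int:
    """Constructed weak policy that forgets to normalise paths; shows the gate failing."""
    if len(case.path) > 2048 or "<script" in case.body.lower():
        return 403
    if case.path.startswith("/admin") and "Authorization" not in case.headers:
        return 401
    return 200


if __name__ == "__main__":
    # In a pipeline, replace simulated_gateway with http_sender("https://staging.example.invalid").
    results = run_abuse_tests(simulated_gateway)
    print(json.dumps(results, indent=2))
    sys.exit(0 if gate_passes(results) else 1)
```

Wiring the script into the build step makes the control verifiable on every commit: the job exits non-zero, and the release stops, whenever a case that used to be blocked starts reaching the application.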

Addressing every vulnerability at the release cadence required of today’s DevOps teams is impractical. Development teams should be pragmatic and focus on the highest exposures. As for the rest, F5’s Advanced WAF can help control the risk associated with the remaining known and unknown vulnerabilities, in part through automation with Dynamic Application Security Test (DAST) platforms.

Advanced WAF can also help control highly challenging advanced threats, such as application layer distributed denial of service, credential stuffing, man-in-the-browser credential stealing, and threats to APIs and mobile applications. Your security team can offer these capabilities as security services that can be consumed without friction by DevOps teams.

See how you can integrate Advanced WAF into your CI/CD pipeline, by receiving our free Super-NetOps Training and choosing Class 3.
