DevOps AppSec Conflict - 1

Software development methodologies have changed gradually with the progress of technology. In the Waterfall model, it was a serious problem that customer requirements could not be communicated to the developers regularly. Later, this problem was solved by the requirement updates made possible by agile methodology, which resolved the mismatch between customer wishes and software features.

But agile methods have another problem: operations teams want the applications to stay up and running, while development teams release a new version of the application in every sprint. This leaves the operations teams dissatisfied.

The DevOps process solves this problem. The tension between the operations and development teams is resolved by automating the tests and the deployment.

Cool, right? But most IT specialists do not pay attention to security testing, and application security tests in particular are hard to automate. This creates a contradiction between DevOps and AppSec.

Application security vulnerabilities are found through static code analysis and penetration testing. Not all of these tests can be automated, and the DevOps process suffers because of this.
So the static tests should be performed during the development phase, and the software should be scanned periodically to reveal vulnerabilities before the automatic deployments. My personal opinion is that there is no silver bullet for finding all the vulnerabilities in the DevOps process. But if we configure all testing platforms to run during the development phase, we can at least assure the application against critical and high-severity flaws.
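The "critical and high at least" idea above is usually implemented as a severity gate in the pipeline: the scanner runs on every commit, and the deployment job is allowed to continue only when no finding at or above a chosen severity remains. The script below is an added example of such a gate and is not code from this post or from any particular scanner. It assumes a constructed, tool-neutral findings format (a JSON list of objects with "rule", "severity", "file" and "line"); a real scanner's output (SARIF, for instance) would need a small adapter into that shape. Unknown severities fail the gate closed, so a scanner change cannot silently let findings through.

```python
"""Severity gate for automated security-scan results in a CI/CD pipeline.

Added example, not code from the original post. The findings format is a
constructed, tool-neutral JSON shape (a list of objects with "rule",
"severity", "file" and "line"); real scanners emit their own formats, so a
small adapter from e.g. SARIF into this shape is assumed.
"""
import json
import sys

# Ranking from most to least severe. Findings at or above the configured
# threshold block the deployment; everything below is reported only.
SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")


def severity_rank(name):
    """Map a severity string to its index in SEVERITY_ORDER (0 = critical).

    Unknown or missing severities return -1, which ranks above critical, so
    the gate fails closed instead of letting unclassified findings through.
    """
    try:
        return SEVERITY_ORDER.index(str(name).lower())
    except ValueError:
        return -1


def evaluate_gate(report_json, threshold="high"):
    """Parse a findings report and decide whether the pipeline may deploy.

    Returns (passed, blocking, counts): `passed` is True when nothing at or
    above `threshold` was found, `blocking` lists the findings that block
    the deployment, and `counts` maps each severity to its number of hits.
    """
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown threshold {threshold!r}")
    findings = json.loads(report_json)
    limit = SEVERITY_ORDER.index(threshold)
    counts = {s: 0 for s in SEVERITY_ORDER}
    counts["unknown"] = 0
    blocking = []
    for finding in findings:
        rank = severity_rank(finding.get("severity"))
        key = "unknown" if rank < 0 else SEVERITY_ORDER[rank]
        counts[key] += 1
        # rank -1 (unknown) is always <= limit, so it blocks as intended.
        if rank <= limit:
            blocking.append(finding)
    return (len(blocking) == 0, blocking, counts)


def format_summary(passed, blocking, counts):
    """Build the human-readable gate report printed in the CI log."""
    lines = ["Gate result: " + ("PASS" if passed else "FAIL")]
    lines.append("Findings by severity: " + ", ".join(
        f"{sev}={num}" for sev, num in counts.items() if num))
    for finding in blocking:
        lines.append("  BLOCKING {rule} ({severity}) at {file}:{line}".format(
            rule=finding.get("rule", "?"),
            severity=finding.get("severity", "unknown"),
            file=finding.get("file", "?"),
            line=finding.get("line", "?")))
    return "\n".join(lines)


# Constructed sample report standing in for a scanner's output. It contains
# one high, one medium and one low finding, so a "high" threshold fails the
# gate while a "critical" threshold lets the deployment proceed.
SAMPLE_REPORT = json.dumps([
    {"rule": "sql-injection", "severity": "high",
     "file": "app/db.py", "line": 42},
    {"rule": "weak-hash-md5", "severity": "medium",
     "file": "app/auth.py", "line": 17},
    {"rule": "debug-enabled", "severity": "low",
     "file": "settings.py", "line": 3},
])


def main(argv):
    """Usage: gate.py [threshold] [-]   (read the report from stdin with '-')."""
    threshold = argv[1] if len(argv) > 1 else "high"
    report = sys.stdin.read() if "-" in argv[2:] else SAMPLE_REPORT
    passed, blocking, counts = evaluate_gate(report, threshold)
    print(format_summary(passed, blocking, counts))
    # A non-zero exit code is what makes the CI job, and thus the automatic
    # deployment that depends on it, stop.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this runs as its own stage after the scanner, with the deployment stage depending on its exit code; the threshold is a deliberate policy choice, and lowering it over time (from "high" to "medium") is how the gate tightens without blocking every build on day one.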

There are also other precautions, such as threat modeling meetings and secure coding training. We will cover these topics in detail later.
