DEVOPS APPSEC CONFLICT - 1

Software development methodologies have gradually changed as technology has progressed. In the Waterfall model, a serious problem was that customer requirements could not be communicated regularly to the software developers. Later, this problem was solved by the regular requirement updates of agile methodology, which resolved the mismatch between what customers wanted and what the software offered.

But Agile methods have another problem. Operations teams want the applications to stay up and running, while development teams release a new version of the application every sprint. This leaves the operations teams dissatisfied.

The DevOps process addresses this. By automating tests and deployment, the tension between the operations and development teams was resolved.

Cool, right? But most IT specialists don't care about security tests, and application security tests in particular are not well suited to automation. This creates a conflict between DevOps and AppSec.

Application security vulnerabilities can be found through static code analysis and penetration tests. Not all of these tests can be automated, and the DevOps process suffers because of this.

So the static tests should be performed during the development phase, and the software should be scanned periodically to reveal vulnerabilities before the automatic deployments. My personal opinion is that there is no silver bullet for finding all vulnerabilities in the DevOps process. But if we configure all testing platforms to run during the development phase, we can at least assure the application against critical and high flaws.
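As an added illustration of that last point (example code written for this page, not the article's own), the script below is a pipeline gate that reads a static-analysis export, counts findings by severity, and refuses to let the automated deployment step proceed while any critical or high finding remains. The JSON shape it parses (an object with a "findings" list whose items carry a "severity" field) is a constructed, generic format rather than any particular scanner's output, and the sample report is constructed as well; the loader is the only part that would need adapting to a real tool.

```python
"""Deployment gate for static-analysis findings.

Added example, not code from the original article. The report shape below
(a JSON object with a "findings" list whose items carry a "severity" field)
is a constructed, generic format, not any specific scanner's output; adapt
load_findings() to the export of the tool you actually run.
"""
import json
import sys
from collections import Counter

# Severities that block an automated deployment. Per the article, the gate
# should at least assure the application against critical and high flaws.
BLOCKING_SEVERITIES = frozenset({"critical", "high"})

# Constructed sample export, standing in for a SAST tool's JSON report.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "High", "rule": "sql-injection",
         "file": "app/db.py", "line": 42},
        {"id": "F-2", "severity": "Medium", "rule": "weak-hash",
         "file": "app/auth.py", "line": 17},
        {"id": "F-3", "severity": "Low", "rule": "debug-enabled",
         "file": "settings.py", "line": 3},
    ]
})


def load_findings(report_json):
    """Parse a scanner export and normalise severities to lower case.

    A finding without a recognised severity is tagged "unknown" so the
    gate can decide how to treat it instead of silently skipping it.
    """
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        severity = str(item.get("severity", "")).strip().lower() or "unknown"
        findings.append({**item, "severity": severity})
    return findings


def severity_counts(findings):
    """Count findings per normalised severity, e.g. Counter({'high': 1, ...})."""
    return Counter(f["severity"] for f in findings)


def gate_decision(findings, blocking=BLOCKING_SEVERITIES, fail_on_unknown=True):
    """Decide whether the pipeline may proceed to deployment.

    Returns (passed, blocking_findings). With fail_on_unknown the gate fails
    closed: a finding whose severity the scanner did not label is treated as
    blocking rather than waved through.
    """
    blocked = set(blocking)
    if fail_on_unknown:
        blocked.add("unknown")
    blocking_findings = [f for f in findings if f["severity"] in blocked]
    return len(blocking_findings) == 0, blocking_findings


def summary_lines(findings, blocking_findings):
    """Human-readable lines for the CI log: one totals line, then one per blocker."""
    counts = severity_counts(findings)
    lines = ["findings by severity: " + ", ".join(
        f"{sev}={n}" for sev, n in sorted(counts.items()))]
    for f in blocking_findings:
        lines.append(f"BLOCKING {f['severity']}: {f.get('rule', '?')} at "
                     f"{f.get('file', '?')}:{f.get('line', '?')} ({f.get('id', '?')})")
    return lines


def main(argv):
    # Read the report path from the command line, or use the constructed
    # sample when run without arguments.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = fh.read()
    else:
        report = SAMPLE_REPORT
    findings = load_findings(report)
    passed, blocking_findings = gate_decision(findings)
    for line in summary_lines(findings, blocking_findings):
        print(line)
    print("gate:", "PASS" if passed else "FAIL")
    # A non-zero exit status is what stops the automated deployment step.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step between the scan and the deploy job; the non-zero exit is the only contract the pipeline needs. The gate deliberately fails closed on unlabelled findings, because a scanner that could not classify a result is not evidence that the result is harmless.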

There are also other precautions, such as threat modeling meetings and secure coding training. We will cover these topics in detail later.
