Sign in Subscribe
4 min read AppSec

Forget DevSecOps and ShiftLeft

Forget DevSecOps and ShiftLeft
🪄
Integrating Security Seamlessly

In this article, we're about to spill the beans on why this approach rocks, answer some burning questions, all while keeping our magic wand at the ready.

The Traditional DevSecOps Approach

DevSecOps, which emphasizes integrating security into the development process, has been a buzzword in the industry for some time. While the intentions behind it are commendable, the practicality of implementing it can be a challenge. The traditional DevSecOps approach involves running security scans and tests throughout the development process. Unfortunately, this can lead to several issues:

  1. Development Tool Parity: Developers often face discrepancies between their local development environments and the security tools applied during the build pipeline. This can result in a false sense of security when code is committed, only to discover vulnerabilities later in the process.
  2. Alert Fatigue: Continuous security scanning can generate a flood of alerts. When everything is an alert, it's challenging to distinguish critical issues from noise, leading to alert fatigue and potentially missing real threats.
  3. Delayed Feedback: Email or alert-based notifications for security findings can disrupt the development workflow. Developers may skip or overlook them, causing vulnerabilities to persist until deployment.
  4. Production Incident vs. Defect: Discovering security flaws in production is far from ideal. It transforms what was once a defect into a security incident, often with significant consequences.

Gates of Glory

We're talking about quality gates. Where code goes to die, or where security swoops in at the eleventh hour, capes and all, to save the day or tell you where you failed to meet some unwritten expectations.

Better Quality Gate

What Quality Gates were always meant to be. To provide quality and security assurances, when everyone considers the release is ready, that all agreed requirements were known up front and have been met.

Imagine a scenario where security is not a constant nag but rather a silent guardian that only springs into action when it's truly needed. This is where real quality gates come into play. Rather than scanning every line of code as it's pushed, it is assumed (and trust is given) that the developer did that already, quality gates are deployed only when the entire release is considered ready. Why? Because:

This post is for subscribers only


Published by:

Stof

You might also like...

Sep
05
Unveiling the Myths of Multi-Factor Authentication

Unveiling the Myths of Multi-Factor Authentication

MFA refresher Multi-Factor Authentication (MFA) is a security practice that requires users to provide two or more distinct authentication factors
9 min read
May
25

The Imperative of Persistent CSRF Tokens (Video)

A brief on Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) attacks, capable of duping a user into performing an unintended
5 min read
Apr
06

JWT: A Cryptographic Love Story with Security, Vulnerabilities, and a State of Confusion

Folks, remember to be careful with your JWTs. Use strong cryptographic algorithms, manage those secret keys like they're
15 min read
Jun
30

JWT Patterns that provide real security benefits

Throughout this post we will keep an YUK WORD tally of things that are not security characteristics of JWT, that
15 min read
Jun
29

Really giving a jot about JWTs

Instacart Sr Security Engineer David Gillman (or Gilman? Either OWASP or LASCON got it wrong) presented a talk in 2021
2 min read