What is security as code?
Security as code is a driving force in the future of application security. According to O’Reilly, security as code is the practice of building security into DevOps tools and workflows by mapping out how changes to code and infrastructure are made and finding places to add security checks, tests, and gates without introducing unnecessary costs or delays. Developers can define infrastructure using a programming language with infrastructure as code. The same needs to happen to bring security to the speed of DevOps.
At a basic level, security as code can be achieved by integrating security policies, tests, and scans into the pipeline and code itself. Tests should be run automatically on every code commit, with results made immediately available to developers for fixing. By bringing security scans to the code as it’s written, teams will save both time and money by streamlining the review process later in the software development lifecycle (SDLC).
Why is it important?
Security as code is key to shifting left and achieving DevSecOps: It requires that security be defined at the beginning of a project and codified for repeated and consistent use. In this way, it gives developers a self-service option for ensuring their code is secure.
Predefined security policies boost efficiency, and also allow for checks on automated processes to prevent any mishaps in the deployment process (like accidentally taking down the whole infrastructure because a problem wasn’t identified in a staging environment).
Six security as code capabilities to prioritize
Francois Raynaud, founder and managing director of DevSecCon, said that security as code is about making security more transparent and getting security practitioners and developers to speak the same language. In other words – security teams need to understand how developers work, and use that insight to help developers build the necessary security controls into the SDLC. Developers can reciprocate by staying open-minded as they adopt new tools and practices to boost security during the development process. Here are six best practices and capabilities to build into your pipeline:
- Automate security scans and tests (such as static analysis, dynamic analysis, and penetration testing) within your pipeline so that they can be reused across all projects and environments.
- Build a continuous feedback loop by presenting results to developers, allowing them to remediate issues while coding and learn best practices during the coding process.
- Evaluate and monitor automated security policies by building checks into the process. Verify that sensitive data and secrets are not inadvertently shared or published.
- Automate complex or time-consuming manual tests via custom scripts, with human sign-off on results if necessary. Validate the accuracy and efficiency of test scripts so that they can be replicated across different projects.
- Test new code within a staging environment to allow for thorough security and low-impact failure, and test on every code commit.
- Scheduled or continuous monitoring should automatically create logs (or red flags) within a review dashboard (such as GitLab’s Security Dashboard feature).
Security as code is a best practice for a bigger goal
Security as code gives pragmatic meaning to the concept of DevSecOps, but it should not be your end goal. Ultimately, security as code is a means to get more people on board with integrating security throughout your SDLC. The idea will feel familiar to developers who have practiced infrastructure as code, and it provides an opportunity for security to step into the fray both to better understand software development and to help design the policies that will be codified in the process.
As your team works its way toward becoming a well-oiled DevSecOps machine, security as code will inevitably present itself as a smart solution within a complex endeavor.
GitLab’s DevSecOps methodology assessment
There’s a lot to cover when standing up a DevSecOps process – so to help you master the key elements, we created a DevSecOps methodology assessment. Score yourself on 20 capabilities, and then use those scores to understand your DevSecOps maturity level, and determine what actions your team can take to bring your DevSecOps to the next level. Download the assessment here.