For too long, ensuring that code is securely written - and bug free - has been a business afterthought. But there's been new hope for building security into the development lifecycle, thanks to the rise of DevOps, aka rugged software, says Chris Wysopal, CTO of the application security firm Veracode.
DevOps - a contraction of software development and IT operations - borrows from agile development: short sprints, perhaps just two weeks long, in which the team plans, designs and implements new working software or additional functionality, with customers embedded in the coding team.
Wysopal is delivering a Feb. 15 briefing at the RSA Conference in San Francisco titled "Your Chance to Get It Right: 5 Keys to Building AppSec into DevOps."
In an interview with Information Security Media Group, Wysopal notes that DevOps, as well as what is now sometimes called DevSecOps, improves on agile concepts by adding operations personnel to the teams and making developers directly responsible not just for quality control, but also for the security of the code they write.
"Just like they fail a build when there's a functionality problem or a performance problem that's unacceptable ... have them fail the build when there are security defects found that can't go into production," he says.
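The "fail the build" gate Wysopal describes is usually a small policy step in the CI pipeline that reads the scanner's report and exits non-zero when findings the policy does not allow into production are present. The following is an added illustration, not Veracode's tooling or Wysopal's own code; the report schema, the severity scale, the `evaluate_gate` function and the `accepted_risk` exception list are all assumptions, and the sample report is constructed for the example. Real scanners emit their own formats, so the parsing part would be adapted to the tool in use.

```python
"""Security build gate: fail the CI build when a scan report contains
findings that policy says cannot go to production.

Added illustration, not Veracode's or Chris Wysopal's code. The report
format, severity scale and policy knobs below are assumptions; the sample
report is constructed for this example.
"""
import json
import sys

# Assumed severity scale, lowest to highest, used for threshold comparison.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report standing in for a SAST/SCA tool's JSON output.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "rule": "sql-injection", "severity": "high",
         "file": "app/db.py", "line": 42},
        {"id": "F-2", "rule": "weak-hash-md5", "severity": "medium",
         "file": "app/auth.py", "line": 17},
        {"id": "F-3", "rule": "debug-enabled", "severity": "low",
         "file": "app/settings.py", "line": 3},
        {"id": "F-4", "rule": "hardcoded-secret", "severity": "critical",
         "file": "app/config.py", "line": 9},
    ]
})


def evaluate_gate(report_json, fail_on="high", accepted_risk=()):
    """Apply the policy to a report.

    Returns (passed, blocking, allowed):
      passed   - True when nothing blocks the build
      blocking - findings at or above `fail_on` that are not accepted
      allowed  - everything else (below threshold or explicitly accepted)

    fail_on:       lowest severity that blocks the build.
    accepted_risk: finding ids a security reviewer has explicitly accepted
                   (hypothetical, time-boxed exceptions tracked elsewhere).
    Unknown severity strings are treated as the highest severity so that a
    malformed or unexpected report fails closed rather than slipping through.
    """
    threshold = SEVERITY_RANK[fail_on]
    highest = max(SEVERITY_RANK.values())
    findings = json.loads(report_json).get("findings", [])
    blocking, allowed = [], []
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        rank = SEVERITY_RANK.get(sev, highest)  # fail closed on unknown
        if rank >= threshold and finding.get("id") not in accepted_risk:
            blocking.append(finding)
        else:
            allowed.append(finding)
    return (len(blocking) == 0, blocking, allowed)


def summarize(blocking, allowed):
    """Human-readable summary for the CI log."""
    lines = [f"{len(allowed)} finding(s) allowed, {len(blocking)} blocking"]
    for f in blocking:
        lines.append(f"  BLOCK {f.get('id')} {f.get('severity')} "
                     f"{f.get('rule')} {f.get('file')}:{f.get('line')}")
    return "\n".join(lines)


def main(argv):
    # Usage: gate.py [report.json] ; with no argument the sample report is used.
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, blocking, allowed = evaluate_gate(report, fail_on="high")
    print(summarize(blocking, allowed))
    # Non-zero exit is what makes the CI system mark the build as failed,
    # exactly as it would for a failing functional or performance test.
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the constructed report fail the gate on F-1 and F-4; the `accepted_risk` parameter is the place where a reviewed, time-limited exception would be recorded so that the build can pass without silently lowering the threshold for everything else.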
In this interview, Wysopal describes:
- The business case for integrating security into the application development lifecycle;
- How DevOps teams operate, and where the security buck stops;
- What resources these teams require to help them more quickly find and fix bugs.
Wysopal is CTO of Veracode, as well as a member of the Black Hat review board. He was previously vice president of research and development at the security consultancy @stake, which was acquired by Symantec. He was also one of the original vulnerability researchers at The L0pht, a hacker think tank, where he researched vulnerabilities and wrote security software such as Netcat for Windows and L0phtCrack.