Recently Darryl Taft at eWeek released a slide deck based upon Mark Troester's article, "Application security needs to be redefined to stay relevant". The first assertion in the list, that Agile / DevOps is the new game, confirms what I have seen over the past six months through interviews and conversations at conferences and events.
DevOps, through the ideas of Agile and continuous delivery, continues to move application security closer to the beginning of the development life cycle, rather than leaving it at the end of the cycle where most of the burden fell on operations. Gary McGraw, CTO of Cigital, refers to this as "moving left": picture the development process as a chain of events, and continually try to move security management closer to the beginning of that chain so that it is built into the environment as an integral part of the process.
This ties in directly to #4 on Troester's list: security from the start needs to be a reality. Given the speed of development and the trend toward delivering multiple builds per day, security can no longer be treated as an add-on step bolted onto the production build. It must be part of the application itself.