Choosing between security and speed is sometimes hard. Teams often leave security out of their pipelines and deployments because security checks are manual. But you can build security into the beginning of the SDLC:
- Run automated tests on small chunks of code to identify security issues faster
  - Developers can fix these small chunks of code more easily than a big change
- Create or adopt an educational program with these goals:
  - Teach developers to recognize common vulnerabilities and remediate them on their own
  - Security professionals should understand the development technology
- If an automated scan finds security vulnerabilities, developers should respond fast
- Risks have different levels of priority
  - DevOps and security teams must define security guidelines that allow the team to prioritize risks
  - Risks with high priority must be fixed in the short term
- Manual security tests cannot keep up
  - There are too many tasks (technologies, deployments, etc.) for security teams to perform them manually
  - Tests must be pre-written
  - Policies must be pre-defined
- Testing more frequently is better
  - In rapid development, teams make small changes and small fixes
  - Vulnerabilities are easier to find in these small changes
- Security and DevOps teams must cooperate and be on the same page
  - Leaders must push members to work together and understand each team's goals
- Every business should focus on building a security-first mindset
- Make it easy with integrated or single tools