The problem

DevSecOps evolves the DevOps philosophy to include security earlier in the development process. Shifting it "left", if you will. This holds the promise of removing downstream bottlenecks, by putting security on the agenda from day one. DevSecOps is often referred to as a "security mature" approach - where security finally gets the credence it deserves.

This is all well and good in theory, but in practice, there's a big stumbling block. That's because while embracing DevOps or DevSecOps is easy for an agile startup, it's far more difficult for an established enterprise. Consequently, while there's a lot of hype around DevSecOps, this doesn't always translate into a lot of people actually doing DevSecOps.

So, how can you increase your security maturity in practice if you know you have teams that aren't fully ready for DevOps?

Pragmatic steps

Since we began work on Burp Suite Enterprise Edition, we've been doing a lot of thinking about shifting left. What's become apparent to us is that a progressive approach often works best. Talking to our users, we've found this is also something that rings true for many established organizations.

Consequently, we see security maturity as a continuum. A sliding scale if you will. As you develop your maturity, you enter a positive feedback loop, and organizational progression accelerates naturally. Even if DevSecOps isn't something you see in your foreseeable future, you might be surprised where your journey ends up taking you once people begin to buy in.

It's also worth noting that progress in this area might not be symmetrical across an enterprise - certainly in the initial stages. Different teams and departments will naturally move at different paces. But as your early adopters begin to reap the rewards of an increased security maturity, others will join them. So continues the virtuous cycle.

[Figure: a graph of security maturity vs. scale. Maturity and scale both have a bearing on how you do security.]

Testing is only the tip of the iceberg

Penetration testing plays an important role, but as we know, it doesn't scale well. Modern vulnerabilities are complex, and there simply aren't enough testers. Beginning to frequently scan applications across your portfolio (alongside regular pentesting) is a strong step towards DevSecOps. This frees AppSec teams to focus on what matters.

But simply testing applications is far from the end of the story when it comes to shifting left. Going further, the goal is to automate scans within the CI/CD pipeline and to find ways to get timely feedback to developers so they can fix bugs as they're made.

Couple this automation with a drive towards educating developers in security basics and developing secure coding frameworks, and you have a strong foundation on which to build. Continuous learning and support are an easily overlooked area of security maturity.

The benefits of shifting left

Of course, at this point, you might ask yourself why you would want to shift security so far to the left. Well, consider the analogy of building a house. If you make a mistake, it's no good if you only notice it the day before the house is signed over. You'll never fix it in time. Far better to detect and fix it while the place is still a construction site.

The same is true of development. If an app's logic is flawed, you really want to spot it early on. While such a bug can often be resolved with a conversation at the start of development, it could easily mean a ground-up restart if it's not discovered until late in the process. The later you spot a bug, the more expensive it is to fix.

By putting security on everyone's agenda, shifting left means far fewer surprises in late development. While no one should expect devs to become security experts, encouraging a basic level of knowledge will cut down the number of bugs produced. Fast, up-to-date feedback helps to achieve this - as do free resources like the Web Security Academy.

How to do it?

Shifting left is a key indicator that an organization has evolved its security maturity. And this is exactly what we designed Burp Suite Enterprise Edition to help you do.

Burp Suite Enterprise Edition contains the same trusted scanner as Burp Suite Professional, but repackaged so that anyone can use it. From scheduling recurring scans, to knowing your security posture - it's all at your fingertips. Should you wish, you can also integrate scans seamlessly within the CI/CD pipeline.

For more information on how Burp Suite Enterprise Edition could help you move your security maturity forward, check out the video below from PortSwigger founder, Dafydd Stuttard. You might also like to read more about the DevSecOps solutions we offer. And of course, you can always talk to us.