Recently, we caught up with Aleksandr Krasnov - who is a product security engineer at Dropbox, and an all-round DevSecOps expert. Having worked on multiple Silicon Valley DevSecOps implementations, Aleksandr has some great tips on how companies can get started evolving their security with DevSecOps.
A recent PortSwigger customer survey showed that 42% of large enterprise organizations sampled were currently investing in this type of accelerated software delivery. Our recent analysis of industry statistics also highlighted growth in DevSecOps.
Aleksandr Krasnov is an expert in helping companies increase their efficiency and become more security aware, by implementing DevSecOps. When he's not helping to secure some of the world's most popular applications, this former professional runner enjoys cooking for his family, and competing in Tough Mudders. He's also a bug bounty hunter, and particularly enjoys capture the flag (CTF) challenges.
Aleksandr's first tip is that knowledge itself is power. You don't have to jump straight in at the deep end to do DevSecOps. By simply scanning your web estate, you can see where your security holes lie, and start to prioritize fixing them. Everyone has these blind spots, but by finding them, you'll know the lie of the land (and sleep better at night as a result).
Speaking of which, Aleksandr has a great metaphor. You can think of your web estate a bit like your house. Before you go to bed at night, you probably check that your doors and windows are locked and secure. If, one night, you find a window with a broken catch, you may not fix it right before bedtime (although it will go onto your to-do list, for sure). But what if you'd never checked that window catch?
This is a really good way to think about the role scanning can play in DevSecOps. In fact, PortSwigger's view is that if you use dynamic (DAST) methods, then it's doubly so - because dynamic scanning is more or less like rattling those doors and windows to look for vulnerabilities. Dynamic scanning emulates what a cybercriminal might do to try and break through your defences.
Another benefit dynamic (DAST) scanning has (as opposed to a more complicated method like interactive (IAST) testing) is that it's also much less invasive. To extend the house metaphor, with DAST, you're not about to break the lock on your front door, right before bedtime. You (quite sensibly) never dismantled it in the first place.
Aleksandr has worked in DevSecOps roles at a number of companies - but one thing has remained constant for him. He sees the role of a DevSecOps engineer as one that makes life easier - and less stressful - for developers. If he does his job right, dev teams will never notice him. But the guardrails he puts in place give them more confidence in their code.
When we asked him whether an organization embarking on a DevSecOps journey should first make a stop at DevOps, Aleksandr's answer was "no". He's a fan of the disruptive type of change that Silicon Valley is well known for. But even if your organization isn't ready for that yet, you can take incremental steps toward DevSecOps with little risk of failure.
Think of your first scans as an MVP (minimum viable product) approach to DevSecOps security. This is a foundation you can build on; it needn't cost the earth. Burp Suite Enterprise Edition's transparent pricing is there to give you confidence in this. Enterprise Edition pairs well with manual testing via Burp Suite Professional, and is able to scale with you as your horizons expand.
One huge benefit of this cost-effective intro to DevSecOps is that it makes it easier for your organization's executives to buy in - due to the clear ROI it provides. This will help during the later stages of DevSecOps implementation, where more disruptive change is often necessary. The disruptive nature of this stage means that buy-in is key.
This magnetism isn't limited to executives. Because DevSecOps makes development more efficient, while at the same time raising security awareness, it's a win-win situation for everyone. That attracts a following. You'll find it easier to bring DevSecOps talent onto your team, once you've implemented your MVP.
So - start by scanning your web estate at scale. Rattle those window catches. This will show you where your vulnerabilities lie, so you can start to prioritize fixes for them. Every web app has these holes - it's just a matter of finding them. By regularly scanning across your estate, you'll start to see a number of processes occurring: