Back
Next-Level DevSecOps
This is a guest post contributed by NetSPI partner Mark Hermeling, VP of Global Solutions Engineering at GrammaTech.
Learn more about becoming a NetSPI partner here.
Putting the developer in the driver’s seat is the primary premise of DevSecOps. Empower the developer with automation, tools, information, training — and wonders happen. Now, ‘the developer’ here is, of course, part of a team and you’ll need to make sure that you equip the team with the right skills, which means development, testing, security, and operational skills.
These teams then go on their journey to develop your next generation product. This undoubtedly will include more communication from more sources compared to your current generation product. This will also include more open-source components and libraries compared to your previous generation. That is simply how the world moves nowadays: users are expecting more capabilities, more integration, more slick user interfaces, single sign-on, and on and on.
This will stretch the capabilities of your team; the inclusion of more technology will make it hard for them to truly be an expert in everything. The push for more capabilities, in a shorter timeframe, typically with reduced headcount makes it inevitable that corners will be cut. This is where problems can slip into your code, or worse, into your design. These can easily lead to security vulnerabilities that can be costly down the road.
This is a blind spot that DevSecOps does not cover. Let’s assume that you have the best DevSecOps workflows and pipelines that money can establish. Your team raves about their developer journey. They can work from their integrated development environment (IDE). They write test cases for all functionalities. They perform deep Static Application Security Testing (SAST) using GrammaTech CodeSonar. Their merge requests are automatically rejected unless all tests pass.
The blind spot is typically that nobody sits down and thinks “how can I break this stack of technology” from the adversarial perspective. And this is exactly where the partnership between GrammaTech and NetSPI comes in.
NetSPI provides an adversarial view and enhances the capabilities of teams with a ‘what if’ perspective. NetSPI reviews designs with the experience of what can go wrong as part of a Secure Code Review service. This looks at design and code in a way that automated tools cannot. Security experts review your team’s usage of SAST and their assessments and see what is overlooked. On top of that, the security experts at NetSPI can also help your team in triaging SAST warnings, so they do not have to. This is useful if you are adding larger bodies of code to existing projects for example.
Lastly, and this may be the most important of all, NetSPI can help your team become better with secure coding and remediation training. Based on what NetSPI’s team of offensive security specialists sees, they can use your code to provide recommendations on how to improve the capabilities of a team.
What you end up with in the end is a stronger product, and a stronger, more experienced team. Partnerships like this result in shared strength across teams. Explore GrammaTech or NetSPI’s Partnership options for more.
