While the DevOps term has exploded in popularity, the notion of embedding security directly within the pipeline is too often an afterthought or not considered at all. While security testing is often delegated to the internal test organization, Rapidiant believes it should be built into the pipeline right from the start. This is what is now being termed DevSecOps, and it has become a critical element in the hardening of systems that are unfortunately coming under increasing attack from hostile and nefarious actors.
For example, for several clients, Rapidiant has introduced into the pipeline tools that automatically scan source code for vulnerabilities, both those that internal developers may inadvertently introduce in their own source files and those brought in through the increasingly popular use of “Open Source” modules downloaded from the Internet.
In fact, the Federal Government has begun encouraging and even mandating the increased inclusion of Open Source in custom-built applications due to its increased reliability and the time savings introduced by reusable code. Rapidiant supports this wholeheartedly, but would also caution that this benefit and convenience brings with it real and unforeseen dangers. That is why we insist on building in scanning capabilities throughout the lifecycle of code development – from code builds that expose potential vulnerabilities directly to the front-line developer for immediate remediation, to final “firewall” checkpoints that prevent objectionable code from reaching production environments at the final leg.
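The two-stage approach described above (surface findings to the developer at build time, hard-block at the release checkpoint) can be expressed as a small policy gate that a pipeline runs over scanner output. The following is an added illustration, not Rapidiant's tooling or any particular scanner's report format: the `Finding` structure, the per-stage severity thresholds, and the time-limited risk-acceptance list are all assumptions chosen for the example, and the findings themselves are constructed sample data.

```python
"""Two-stage scan gate for a CI/CD pipeline.

Added example: the finding format, stage thresholds and risk-acceptance
mechanism are assumptions for illustration, not a real scanner's output.
"""
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Per-stage policy (assumed): the build stage reports everything back to the
# developer but only blocks on critical findings, so feedback is immediate
# without halting routine work; the release gate blocks on high or above.
STAGE_THRESHOLD = {"build": "critical", "release": "high"}


@dataclass
class Finding:
    finding_id: str
    severity: str
    source: str    # "sast" = first-party code, "sca" = open-source dependency
    location: str  # file:line for sast, package coordinate for sca


@dataclass
class GateResult:
    stage: str
    blocked: bool = False
    blocking: list = field(default_factory=list)    # findings that fail the gate
    reported: list = field(default_factory=list)    # findings shown to developers
    suppressed: list = field(default_factory=list)  # findings under valid acceptance


def evaluate(findings, stage, accepted_risks, today):
    """Apply the stage policy to scanner findings.

    accepted_risks maps finding_id -> expiry date. An acceptance only
    suppresses a finding while it is unexpired, so a risk signed off once
    cannot silently hide the finding forever.
    """
    threshold = SEVERITY_RANK[STAGE_THRESHOLD[stage]]
    result = GateResult(stage=stage)
    for f in findings:
        expiry = accepted_risks.get(f.finding_id)
        if expiry is not None and today <= expiry:
            result.suppressed.append(f.finding_id)
            continue
        result.reported.append(f.finding_id)
        if SEVERITY_RANK[f.severity] >= threshold:
            result.blocking.append(f.finding_id)
    result.blocked = bool(result.blocking)
    return result


def format_report(result, findings):
    """Render the developer-facing summary for one stage."""
    by_id = {f.finding_id: f for f in findings}
    lines = [f"[{result.stage}] {'BLOCKED' if result.blocked else 'passed'}"]
    for fid in result.reported:
        f = by_id[fid]
        flag = "BLOCK" if fid in result.blocking else "info"
        lines.append(f"  {flag:5} {f.severity:8} {f.source:4} {fid} @ {f.location}")
    for fid in result.suppressed:
        lines.append(f"  skip  accepted risk {fid} (expires {accepted_until(fid)})")
    return "\n".join(lines)


# Constructed sample findings: two from static analysis of first-party code,
# two from dependency (open-source) scanning. Identifiers are made up.
CONSTRUCTED_FINDINGS = [
    Finding("SAST-0001", "high", "sast", "src/auth/login.py:42"),
    Finding("SCA-0001", "critical", "sca", "pkg:npm/example-lib@1.2.3"),
    Finding("SAST-0002", "low", "sast", "src/util/strings.py:10"),
    Finding("SCA-0002", "medium", "sca", "pkg:pypi/example-parser@0.9"),
]

# Constructed acceptances: the first is still valid, the second has expired.
CONSTRUCTED_ACCEPTED = {
    "SCA-0001": date(2030, 1, 1),
    "SAST-0001": date(2020, 1, 1),
}


def accepted_until(finding_id):
    return CONSTRUCTED_ACCEPTED.get(finding_id)


def run_gate(stage, today=date(2025, 6, 1)):
    """Evaluate the constructed findings for one stage (entry point for tests)."""
    return evaluate(CONSTRUCTED_FINDINGS, stage, CONSTRUCTED_ACCEPTED, today)


if __name__ == "__main__":
    import sys
    exit_code = 0
    for stage in ("build", "release"):
        result = run_gate(stage)
        print(format_report(result, CONSTRUCTED_FINDINGS))
        if result.blocked and stage == "release":
            exit_code = 1  # non-zero exit is what stops the pipeline
    sys.exit(exit_code)
```

With the sample data, the build stage passes (the only critical finding is under a valid acceptance, and the expired acceptance on `SAST-0001` leaves it reported but below the build threshold), while the release gate blocks on `SAST-0001`. The same scanner output feeds both stages; only the policy differs, which is what lets the early stage stay informative and the late stage stay strict.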