Cyber Security

How do we integrate security into a fast-paced CI/CD pipeline without slowing down developers?

JA Asked by James Anderson · 18-08-2024
0 upvotes 14,244 views 0 comments
The question

Our engineering team is pushing code multiple times a day, and our manual security reviews just can't keep up. We want to move toward a DevSecOps model, but there’s a lot of friction. How can we automate SAST and DAST checks so they provide immediate feedback to developers without becoming a bottleneck for our deployments? 

3 answers

0
SU
Answered on 19-08-2024

Start by automating Software Composition Analysis (SCA) to check for vulnerable libraries. It's the "low hanging fruit" of DevSecOps and usually has the fewest false positives for the team. 

PA 20-08-2024

Agreed, Susan. Vulnerable dependencies are a huge risk factor, and SCA tools are generally very easy to integrate without causing any significant lag in the build process.

0
PA
Answered on 20-08-2024

The trick is to "fail fast" and provide actionable results. Integrate Static Application Security Testing (SAST) directly into the IDE or as a pre-commit hook so developers see errors before they even push the code. For DAST, don't run a full scan on every tiny build. Instead, run incremental scans on the specific microservices that changed. Most importantly, work with the devs to tune the tools and reduce false positives. If the security tool cries wolf too often, the developers will just find ways to bypass it or ignore the warnings entirely. 

0
BR
Answered on 22-08-2024

What tools are you currently using for your pipeline? Some integrations are much smoother with GitHub Actions or GitLab CI than others, and that might be where your friction is coming from.

JE 23-08-2024

Brian, we're on Jenkins. We found that using plugins that pipe security findings directly into Jira tickets for the developers helped a lot. It put the security bugs in the same place they track their regular work, making it feel less like a "security chore" and more like a standard quality bug that needs fixing.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session