DevOps is now widely accepted in application development because, by introducing a culture of collaboration and cooperation between development and operations teams, it enables features to be released faster to end users.
As DevOps grows, there is a corresponding need to ensure the database is included so that the entire development process is seamless and free of bottlenecks. A clear majority of leading organizations understand this as shown in the 2019 Database DevOps Survey from Redgate, which revealed that 77% of application developers are also now responsible for database development.
The increased speed of development, however, needs to be balanced with the requirement to protect information and keep code secure. This is in turn has led to the adoption of DevSecOps which incorporates security practices at the heart of DevOps processes. As a measure of its importance, Gartner predicts that by 2021 DevSecOps practices will be embedded in 80% of rapid development teams, up from 15% in 2017.
But where does the database fit in? Can the same principles be followed, or should they be modified? How can increasing regulatory pressures around data privacy and protection be satisfied? What additional measures should be considered so that the security of data can be protected alongside the code?
The 10 steps to DevSecOps
Gartner’s Neil MacDonald was one of the first analysts to identify the need for DevSecOps and, in 2017, he outlined 10 steps that companies need to follow to protect applications during development:
- Adapt security testing tools and processes to the developers, not the other way around
- Quit trying to eliminate all vulnerabilities during development
- Focus first on identifying and removing the known critical vulnerabilities
- Don’t expect to use traditional testing techniques without changes
- Train all developers on the basics of secure coding, but don’t expect them to become security experts
- Adopt a security champion model and implement a simple security requirements gathering tool
- Eliminate the use of known vulnerable third-party components
- Secure and apply operational discipline to automation scripts
- Implement strong version control on all code and components
- Adopt an immutable infrastructure mindset
All of these equally apply to DevSecOps for the database, with the exception of step two. Most databases contain personal data, much of which is sensitive and needs to be protected to avoid breaches, ensure compliance and safeguard brand reputation. Consequently, companies must address every vulnerability during database development.
Digging deeper into the list, there are four central points that should underpin a strategy to introduce DevSecOps to database development:
Classify your data to detect issues early
The central task of DevSecOps for the database is to protect personal data and ensure it cannot be exposed to the outside world, either through internal negligence or external hacking.