DevSecOps — a new paper by Microsoft and Sogeti

Think about security early with DevSecOps

When do your DevOps teams start the process of checking for security vulnerabilities? In a new white paper from Sogeti and Microsoft, we argue that visibility into application security as early as possible in development is essential in today’s world of increasingly rapid software delivery.

The paper 6 tips to integrate security into your DevOps practices advocates integrating your security team with the existing DevOps team to create DevSecOps. In a series of blog posts, we’re giving you a flavor of all 6 tips, including: Tip 2: Integrate security in the early stages of the development cycle.

Avoid the roadblocks

The white paper urges DevSecOps teams to think about security upfront to help them avoid vulnerabilities and common roadblocks. That’s because choosing a security solution at the end of the development process offers limited protection for critical code, data, and software supply chains.

So, how do DevSecOps teams shift security left? The paper states that it’s time to evolve past the batch approach currently used by many security teams to scan for vulnerabilities. Batch scanning not only requires human involvement, it’s also prone to errors and cannot work on demand. Moreover, these security checks occur independently from the developer team — limiting the context for security professionals. Delays may occur between software lifecycles and feedback often arrives late.

A metric for quality — Qualimetry

Gathering a holistic understanding of the quality of your enterprise’s delivery pipeline, code, and applications is called “Qualimetry.” Using static and dynamic scans together helps to outline the Qualimetry of your enterprise’s continuous integration pipelines. Consistently looking at quality indicators helps reduce the risk of drift and technical debt. Further, you allow the development team even greater autonomy to address code quality. These CI pipeline quality checks harden the security of the whole system.

Unfortunately, static analysis is a source of “false positives”. So, once you perform SAST against applications and infrastructure, it’s important to continue dynamic application security testing (DAST) to correct the false positives. From your CD pipeline, deploy a temporary environment and start dynamically checking security breaches against this temporary environment. You can then integrate a vulnerability assessment solution purpose-built for this task like Azure Defender. When performed on a temporary environment, you lower threat risk against critical data and systems while preventing a potentially dangerous new deployment.

Regular and consistent scanning

Along with an illustration of how cultivating holistic vulnerability threat analysis looks in practice, Tip No. 2 offers further advice, such as the need to address updates as they appear rather than during elongated reviews prior to each production release. In essence, scan regularly and scan consistently.


Download the white paper 6 tips to integrate security into your DevOps practices.


Sandra Parlant
Sandra Parlant
Solution Architect at Sogeti


Read all our DevSecOps blogs