Today we talk about security and vulnerabilities, and how to approach and manage them in a DevOps context.
Let's say your team or some other team has identified a security issue or vulnerability in your application, system, or anything else.
How to approach the remediation? How and when to work on it?
As usual, if you are a visual learner, or simply prefer to watch and listen instead of reading, here is the video with the whole explanation and demo, which, to be fair, is much more complete than this post.
If you'd rather read, well... let's just continue :)
First of all, needless to say, if the issue is critical, for example if it could lead to information theft or compromise sensitive data, you should fix it right away and deploy the fix as soon and as quickly as possible. I think we can all agree on this.
This is a scenario, however, which should rarely happen if you do security in the right way. I will soon have a whole article and video about "doing security right" so stick around if you don't want to miss it :).
Let's focus instead on issues that are not critical. Of course we still need to work on them, so what is the best way to approach this "additional work", if you will?
Well, I hope this is not a surprise to you but... the best thing you can do is make it part of your normal work.
What does this mean? Simply put, it means you should plan for it in your sprints or iterations, and have your team work on these issues just as you do on all the other features, tasks and stories.
This is the key: plan for it. Make it part of your daily work, have everyone in your team take up some of that work.
If you treat security work as something ad hoc, done outside the normal process, what will inevitably happen is that your technical debt will grow.
If you instead make it part of the normal work, everyone will get used to working on it when needed, and the issues will be solved in a timely manner.
Final pro tip: don't do this only for security issues and vulnerabilities. Treat security improvements the same way, and you'll see your software getting better and more secure in a really short time.
So, what do you think of this approach? How do you manage and resolve your security issues and vulnerabilities?
Let me know in the comment section below.