November 17, 2020
Why DevSecOps Should Be a Priority

Why DevSecOps Should Be A Priority For Your Salesforce Team

Security breaches have been the new normal! There has been a dramatic surge in the number of data breaches since the COVID 19 pandemic. According to Forrester’s The State of Data Security and Privacy 2020, the most common external attacks focused on software vulnerabilities (42%) and web applications (35%). Given the surge in data breaches, there will most likely emerge a trend where security is going to be the top priority. Gradually as Salesforce developers prioritize the security of their apps, DevOps will evolve into a DevSecOps culture so that their apps are not vulnerable to data breaches. Therefore, in the “new normal” organizations are looking to spruce up security into their Salesforce DevOps culture to enhance their approach to cyber and other risks.

What is DevSecOps and why it is important for Salesforce?

DevSecOps lies at the intersection of DevOps and Security. Although the original intent of DevOps was to make security an integral part of the entire app life cycle, it often gets lost. Often it happens that the Salesforce DevOps team spends months working on different solutions but when the security team was introduced later, they eliminated all the solutions since the other solutions were not secure. Therefore, integrating security right at the outset can save crucial time and resources.

Although Salesforce has Profiles, Permission Sets, and sharing rules to manage security, these are not sufficient to fully protect the application’s data, settings, and source code as there is no structured release process or merge conflict resolution tools or even compliance built into it.

In terms of a security evaluation of Salesforce, while many customers do a thorough risk assessment when considering Salesforce, they often skip on evaluating security robustness when it comes to a DevOps solution. Moreover, even as enterprises use Salesforce Shield, they often end up giving the DevOps vendor backdoor access to their data. Choosing a DevOps solution that does not have access to your production org, meets Data Residency rules, or where end-to-end application security is reviewed by Salesforce is a great way to ensure security. However, going forward, that alone is not sufficient to strike a balance between fast development and security. Therefore, DevSecOps becomes critical to increase delivery speed for secure codebases by leveraging automation technologies to automate routine security tasks.

Embracing DevSecOps allows enterprises that use Salesforce to build secured applications without compromising the time to market. By implementing proactive security and compliance processes, DevSecOps accelerates software releases, enhances product security, saves operational and development costs while also ensuring robust security and compliance from the start.

5 Steps to implement DevSecOps

Most enterprises tend to adopt DevOps only from the technology and time to market perspective without striking the right balance between people, processes, and technology aspects. When enterprises miss having balanced automation, we see instances of data breaches and security breaches. Speed is irrelevant if you are heading in the wrong direction. But speed is a great asset but it is greater when it is combined with safety and security. Therefore, security must be integrated at every aspect of the SFDLC cycle, and where possible it should be automated. Here are 5 ways to make a cultural shift to the DevSecOps culture:

Step 1 Know the End

Begin with the end in mind! It essentially requires you to have clarity on the outcome you want to achieve. This demands you to chalk out clearly the success parameters, resources, and milestones for better transparency.

Step 2 Explore the Code Movement

The next step involves defining how code travels to mitigate risks. This requires the IT and operations team to explore the “who, how, when, where” of how your organization sends code into the cloud.

Step 3 Take Stock of Security Tools

Before we move ahead, it is imperative to take inventory of all existing security tools in your security portfolio. Since these days most organizations have a significant number of security tools, getting an understanding of their basic purpose and how they can be leveraged to better DevSecOps.

Step 4 Gap Analysis

Successful DevSecOps demands moving away from a chaotic web of jointed solutions to a more streamlined solution that supports the execution of your chosen framework. Therefore a security gap analysis i.e. the difference between the current and overall best security practices is critical to help you understand your existing inventory of security tools you own as well as gain insight into how you can add an extra layer of security by leveraging these to control gaps to meet industry standards.

Step 5 Improvise

The final step involves working closely with the development and IT team to implement the insights from the gap analysis as well as acquiring platform-based cloud security controls that complement your DevSecOps strategy. Since iteration is an inherent feature of DevSecOps, taking a continued improvement driven approach can help infuse much-needed speed, agility, and innovation.

Embracing DevSecOps Culture

Security will continue to be a top priority and embedding security into the DevOps pipeline may seem a simple proposition. But you need a formidable partner to not only integrate security into your current DevOps efforts but also to explore opportunities in automation to secure development and operations

As the leading 100% native release management, Flosum is contained within Salesforce. This allows it to successfully address the security across the DevOps and release management cycle. A preferred solution of choice for Government, Defense, Financial, and Healthcare enterprises, Flosum is the only solution that does not have access to the client’s data in production org, meaning that your data and codebase remain protected. Explore more how Flosum can help you embrace Salesforce DevSecOps, the next evolution of DevOps.

Next Steps: