With the advent of Agile development and the push towards DevOps came faster and shorter release cycles, but also an increased risk of security vulnerabilities reaching production and of delays caused by those vulnerabilities. GitHub’s CodeQL, released late last year, has already scanned over 12,000 repos and has found over 20,000 security issues, including remote code execution (RCE), SQL injection (SQLi), and cross-site scripting (XSS) vulnerabilities.
While DevOps promotes shorter and faster release cycles, DevSecOps ensures shorter, faster, and secure releases. The work-from-home culture resulting from the ongoing pandemic has made it imperative that organizations shift left and fortify security in the early stages of the development lifecycle.
This left shift has put a greater burden on QA, and as a result automation has become mainstream. The sentiment has changed to: if it can be written down and is repetitive, then it can be automated. Involving QA throughout the SDLC from the early stages and automating the process is the only efficient way to support organizations in meeting the accelerated “time to market” demand while having a positive impact on ROI.
Now the question is: what can and should be automated? Defining these criteria will govern how successful the automation process is in supporting agile and secure releases.
Jigyasa N