Opinion piece: Strengthening application security with policies as code

Today’s enterprises have no shortage of policy mandates and principles aimed at defining governance objectives for all parts of the organization, including software and application development lifecycles.

While these policies may be well documented and reviewed annually during required awareness training, they are not always easily adopted into the daily workflows of developers on the front line of engineering.

While documentation is critical to keeping organizations aligned with the latest policies and guidelines, it is often too abstract or inapplicable in practice. For organizations to build trust in their development workflows and processes, they should consider implementing governance objectives directly into the software development lifecycle (SDLC) to reduce the likelihood of malicious or accidental cyber events.

The next crucial step in aligning operational, security, and development objectives at scale is implementing policies as code, or the practice of programmatically applying an organization’s risk management objectives to its development ecosystem. This tactic allows for more efficient and automated security inspection and demonstrates compliance within the context of development workflows. Here are some of the benefits of policies as code and how organizations can integrate this practice into existing DevSecOps workflows.

Defining policy as code

Policy as Code serves as a mandatory feature to implement required security testing in DevSecOps workflows while significantly reducing the need for separate workflows for auditing. In practice, it requires converting security policies and test plans into pipeline instructions, thereby ensuring that the necessary controls are applied in accordance with the organization’s security and compliance standards across the SDLC.

This approach is beneficial for both developers and security teams. Developers receive immediate access to crucial security policies while working within their existing DevSecOps tools and processes. This reduces their dependence on security teams and reduces feedback loop time, allowing them to work faster while maintaining security standards. Security teams are no longer required for every security decision within the SDLC and can focus on escalating and developing proactive security strategies.

Create security-aware developers

Although security is a key priority for organizations, recent GitLab research found that around half of organizations globally still see collaboration silos between developer, security, and operations teams. Tensions between development and security teams have been discussed for years, but what has become clearer over time is that developers are not receiving the specific, in-context guidance they need to efficiently create secure code.

While the principles behind shifting security left work in theory, what often happens in practice is that developers have no quick way to make qualified security decisions in real time, so vulnerabilities that are difficult to understand eventually reach security teams. By adopting a shared framework for enforcement and policy compliance, developers can ship code faster, knowing that it adheres to organizational policy.

Implementing policies as code

To make policy as code viable, developers and security teams must align with predefined security processes and determine how to integrate them into the SDLC while still prioritizing speed and efficiency. Security teams must understand day-to-day software development and use it to inform how they can create policies that incorporate necessary security controls into workflows. Developers should be open-minded to the fact that each stage of the development lifecycle can introduce unique vulnerabilities and adopt a holistic set of practices that make the development process more secure.

Examples of practices for implementing policies as code in DevSecOps pipelines include:

  • Define non-negotiable security testing and analysis as part of the continuous integration (CI) process.
  • Establish and enforce change management expectations within processes, including identifying which roles can approve code changes.
  • Institute separation of duties by ensuring that expected CI work cannot be skipped or discarded in the development workflow.
  • Define test scenarios or gates where approval or exceptions require peer review or security approval.
  • Define what artifacts and records are needed during the development workflow for audit evidence.
  • Enable accountability and traceability through digital signatures that provide authenticity to code authors.
  • Implement required change management objectives through programmatic application of guidelines for code reviews.
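The practices above become "policy as code" once they are expressed as rules a pipeline can evaluate. The following is an added example written for this piece, not GitLab's own code or configuration: a small Python evaluator that encodes the listed practices (required CI jobs that cannot be skipped or marked allow_failure, approvals from permitted roles with no self-approval, a security gate on sensitive paths, required audit artifacts, and signed commits) and runs them over a constructed change-request record. The policy keys, dataclass fields, job names, artifact names, and user names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List

# Policy expressed as data. Constructed for this example; the keys are an
# assumed schema, not a real GitLab or OPA policy format.
POLICY = {
    "required_jobs": ["sast", "dependency_scanning", "secret_detection"],
    "approver_roles": {"maintainer", "security"},
    "min_approvals": 1,
    "security_gated_paths": ["auth/", "crypto/"],
    "required_artifacts": ["gl-sast-report.json", "test-results.xml"],
    "require_signed_commits": True,
}


@dataclass
class Job:
    name: str
    status: str                 # e.g. "success", "failed", "skipped", "manual"
    allow_failure: bool = False
    artifacts: List[str] = field(default_factory=list)


@dataclass
class Commit:
    sha: str
    signed: bool                # True only if the platform verified the signature


@dataclass
class Approval:
    user: str
    role: str


@dataclass
class ChangeRequest:
    author: str
    changed_files: List[str]
    commits: List[Commit]
    approvals: List[Approval]
    jobs: List[Job]


def evaluate(policy: dict, cr: ChangeRequest) -> List[str]:
    """Return every policy violation found; an empty list means the change may merge."""
    violations: List[str] = []
    jobs = {j.name: j for j in cr.jobs}

    # 1. Non-negotiable CI testing and separation of duties: each required job
    #    must exist, must have succeeded, and must not be tolerated on failure.
    for name in policy["required_jobs"]:
        job = jobs.get(name)
        if job is None:
            violations.append(f"required job '{name}' missing from pipeline")
        elif job.status != "success":
            violations.append(f"required job '{name}' did not succeed (status={job.status})")
        elif job.allow_failure:
            violations.append(f"required job '{name}' is marked allow_failure")

    # 2. Change management: approvals count only from permitted roles and never from the author.
    valid = [a for a in cr.approvals
             if a.role in policy["approver_roles"] and a.user != cr.author]
    if len(valid) < policy["min_approvals"]:
        violations.append(f"needs {policy['min_approvals']} approval(s) from "
                          f"{sorted(policy['approver_roles'])}, got {len(valid)}")

    # 3. Security gate: changes under sensitive paths need a security-role approval.
    gated = sorted({f for f in cr.changed_files
                    if any(f.startswith(p) for p in policy["security_gated_paths"])})
    if gated and not any(a.role == "security" and a.user != cr.author for a in cr.approvals):
        violations.append(f"security approval required for changes under {gated}")

    # 4. Audit evidence: every required artifact must be produced by some job.
    produced = {art for j in cr.jobs for art in j.artifacts}
    for art in policy["required_artifacts"]:
        if art not in produced:
            violations.append(f"audit artifact '{art}' not produced")

    # 5. Accountability and traceability: every commit must carry a verified signature.
    if policy["require_signed_commits"]:
        for c in cr.commits:
            if not c.signed:
                violations.append(f"commit {c.sha} is not signed")
    return violations


def compliant_change() -> ChangeRequest:
    """Constructed sample that satisfies every rule above."""
    return ChangeRequest(
        author="alice", changed_files=["auth/login.py"],
        commits=[Commit("a1b2c3", signed=True)],
        approvals=[Approval("bob", "security")],
        jobs=[Job("sast", "success", artifacts=["gl-sast-report.json"]),
              Job("dependency_scanning", "success"),
              Job("secret_detection", "success"),
              Job("unit_tests", "success", artifacts=["test-results.xml"])])


def noncompliant_change() -> ChangeRequest:
    """Constructed sample that breaks several rules at once (8 violations)."""
    return ChangeRequest(
        author="alice", changed_files=["auth/login.py"],
        commits=[Commit("d4e5f6", signed=False)],
        approvals=[Approval("alice", "maintainer")],      # self-approval
        jobs=[Job("sast", "skipped"),                       # required test skipped
              Job("dependency_scanning", "success", allow_failure=True),
              Job("unit_tests", "success")])                # secret_detection absent


if __name__ == "__main__":
    for cr in (compliant_change(), noncompliant_change()):
        print(evaluate(POLICY, cr) or "compliant")
```

Because the policy is plain data and the checks are ordinary functions, the same rules can be version-controlled, reviewed like any other code change, and run both as a merge gate and as an after-the-fact audit over historical pipeline records, which is the point of treating policy as code rather than as a document.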

Policy as code, like all security efforts, is not a “set it and forget it” practice. It requires continuous focus and evaluation of processes that will evolve alongside the growing threat landscape. As with all DevSecOps practices, it is essential to foster collaboration and transparency throughout the process. Security and speed are not mutually exclusive goals for a development team: policies as code can help organizations realize the value of DevSecOps.


Francis Ofungwu is the global field information security director at GitLab.