By ‘DevSecCon Whitepaper’ author Francois Raynaud, DevSecCon Founder.
Increasing governmental measures to combat cybercriminals, and punish organizations that don’t protect their customers’ data, mean that security, and security risk management gain ever greater currency. On the one hand, security is a huge challenge that can have dire consequences for the business if improperly handled. On the other hand, as software continues to ‘eat the world’, high velocity IT becomes the foundation of competitiveness in the modern marketplace. Every business has to become an agile and innovative software delivery machine in order to survive. Which leads us to the enterprise IT paradox: Go faster and innovate. But always stay secure.
DevSecOps is the answer to integrating these challenges into a coherent and effective approach to software delivery. It is a new method that helps identify security issues early in the development process rather than after a product is released. The aim is to address the need for pro-active, customer-focused security that anticipates rather than reacts to data breaches or other cyberattacks. DevSecOps can reduce the costs associated with fixing security flaws, by building security into every stage of the development process, from the requirement stage onwards.
Companies that embrace DevSecOps benefit from numerous advantages:
- Cost reduction is achieved by detecting and fixing security issues during the development phases which also increases the speed of delivery.
- Speed of recovery is enhanced in the case of a security incident by utilising templates and pet/cattle methodology.
- Threat hunting can avoid bad publicity, and therefore can potentially increase sales – it is obviously easier to sell a secure product.
- Improved overall security by reducing vulnerabilities, reducing insecure defaults, and increasing code coverage and automation through the use of immutable infrastructure
- Keeping in step with the frantic innovation intrinsic to cybercrime by effectively managing security auditing, monitoring, and notification systems.
- ‘Secure by design’ principle is ensured by using automated security review of code, automated application security testing, educating, and empowering developers to use secure design patterns.
- Everyone is responsible for security. DevSecOps fosters a culture of openness and transparency, and does so from the earliest stages of development.
- The ability to measure different things which can be seen by everyone – DevSecOps enables a culture of constant iterative improvements.
Like most other security programmes, the successful implementation of DevSecOps involves three intersecting parts: people, processes, and technologies. Furthermore, DevSecOps also recognises, that security is the responsibility of everyone in an organisation, and everyone has a role to play in security.
The security team has traditionally been a drag on release performance, the ‘naysayers’ who come along at the end of a development cycle and add poke holes in the product and force parts to be fundamentally rethought far too late on in the process. As a result, the security team is marginalised over time, creating a self-reinforcing downward spiral of division between teams. DevSecOps aims to break down these barriers and stop security being its own echo chamber without taking into consideration the wider business when implementing policies or tooling. Proper training, a restructuring of teams and the appointment of security champions means that ‘security’ becomes less the function of a department and more a frame of mind that permeates the company. This sets the foundation for the successful implementation of security processes and technologies, making for enhanced security much earlier on in any project and quicker, easier and cheaper software delivery cycles.
Equally important to embedding security in the company culture is the creation of processes that are key to the success of DevSecOps. Their aim is to create agreed and repeatable ways of working which are clearly documented and public to the company to ensure transparency of the security towards the rest of the business. Essential processes include implementing version control, codifying security, security tooling in CI/CD, analysing threat intelligence data, creating playbooks and action-plans for incidents, and implementing Red Teams and Bug Bounties.
If implemented, the processes can help to automatically identify problems (faults, bugs, threats etc.) much sooner and responded to in an agile fashion. Where, prior to implementing proper DevSecOps processes, organisations would respond too late and too slow, DevSecOps makes short, feedback-driven security loops possible that quickly identify problems and react swiftly.
Finally, let’s talk about DevSecOps technologies. They are the glue between people and processes, that enables properly executed DevSecOps. To name just a few, Automated scanning, Runtime Application Self Protection, open source control and monitoring technologies can greatly reduce the enterprise attack surface as well as the ability to effectively manage a company’s technical security debt. Also, the use of simple tools such as a synchronised, encrypted, shared password store to manage ‘secrets’ (the private information a team should know, for example a database, or a thirdparty API) ensures security right along the chain.
Ownership of these technologies does not need to reside within the security team. Properly distributing these to the relevant operational team will help the security team to concentrate on hunting the threat rather than operating the said technologies.
Now that you are familiar with the core concepts of DevSecOps, you might be wondering how to get started. Most of all, don’t be afraid to ask questions and research into different DevSecOps technologies. Organizations like OWASP offer free resources that allow you to take your first steps toward continuously secure delivery. Numerous DevOps, Development and Security related Meetup groups are probably meeting near you on a regular basis to discuss DevSecOps ideas and innovations. For a more immersive experience, visit a conference like DevSecCon, that delivers in-depth talks, workshops and trainings dedicated to the subject.
Download the full version of the DevSecOps whitepaper here: https://www.devseccon.com/devsecops-whitepaper/