- August 20, 2019
- Posted by: Sagar
- Category: Blogs
What should be your DevSecOps strategy
The acronym train is moving fast through the software landscape. We’d just about gotten used to the DevOps, CI, CD, terminologies, that now we have a new kid on this block. Say hello to DevSecOps!
DevSecOps – What does that mean?
DevOps, as we now know, is the software development methodology where Development and Operations teams work in tandem to deliver high-quality applications and services at high velocity. But if you look closely, do you spot the Achilles Heel of this development methodology? It’s the challenge of security.
Now, we are not suggesting that DevOps does not produce robust and secure applications and services. But given the changing security landscape, we need to ask, “Is that enough?” Are the old security models working as expected in the new-age continuous delivery pipeline? Is security still held in a silo in, an otherwise, highly collaborative environment? And if yes, should it remain so?
We’re assuming you agree that in today’s digital enterprise, there is no room for any security loophole. ‘Speed of delivery’ and ‘secure code’ cannot be opposing goals… more so because next-gen applications being built using DevOps are moving to the cloud.
The virtual environments are in a process of continuous evolution to enable scalability, flexibility and on-demand resources to the enterprise. According to Juniper research, “as more business infrastructures get connected, the average cost incurred from a single data breach will become more than $150 million by the year 2020.”
Clearly, this next-gen environment demands next-gen security. And this is where DevSecOps comes into play.
What does DevSecOps do?
Does ‘rapid and secure code delivery’ seem like an oxymoron? This is exactly the assumption that DevSecOps tries to change. DevSecOps is a manner of approaching IT security that aims to develop an ‘everyone is responsible for security’ mindset.
This methodology aims to inject robust security practices straight into the DevOps pipeline and thereby also bolt security into all stages of the software development workflow. Much like Agile, the DevSecOps methodology ensures that loopholes and weaknesses are revealed early, though monitoring and analytics for effective and almost immediate remediation.
DevOps advocate Shannon Lietz says, “The purpose and intent of DevSecOps, is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context -without sacrificing the safety required.”
What does your DevSecOps strategy look like?
Implementing any change is hard. Quite obviously, it is not so simple to change the way security is integrated into DevOps strategies that have now solidified. But it is a change that is worth making as cyberattacks, security breaches, and hacks become a constant and a real threat.
Gartner predicted that by 2019, “70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open-source components.” By moving to DevSecOps enterprises can address security threats more efficiently and in real-time.
This methodology makes security an asset that is not perceived as a hindrance to agility but instead, prevents slowdowns.
So, what should be your DevSecOps strategy?
Have a change management strategy in place
Effective change, as always, begins from the top. Having all executives on board in this commitment is the most pragmatic way to weigh the true cost/benefits and risk/reward. DevSecOps demands a shift in mindsets, processes, and tools. But that alone will not work.
Enterprises have to work hard to cultivate the ‘security matters’ ethos and ensure that everyone in DevOps is convinced that DevSecOps needs serious attention. For this, it becomes essential to show how moving security earlier into the pipeline adds value to the development process. It also helps to bring together development, operations, and security teams for DevSecOps awareness and training sessions to understand how their core responsibilities and goals align with and benefit one another. Building such a collaborative environment elevates everyone’s security aptitude to the appropriate level.
Create effective processes
Enabling DevSecOps also involves changing processes. Since security is built into the development process and is not added as a layer later, it makes sense to have clear and transparent security guidelines and policies. You need to determine the acceptable minimum levels of security, encryption keys, ciphers, and password complexity and ensure that the entire team understands these.
Security processes have to be clear, minimal and yet forceful so that they don’t become obstacles to the speed of delivery.
Test, and only then, trust
DevOps does have a security consideration. However, according to a DevSecOps Community Survey, only 27% of organizations conduct app security analysis at every stage of the software development process. With DevSecOps, you perform tests to identify security issues throughout the entire development lifecycle.
Since DevOps is all about speed of delivery, adding the security layer does not mean you have to compromise on speed. Embedding automated security controls and tests early in the development cycle and into workflows ensure that the speed of delivery does not fail at the altar of security.
You will also need to look at automation tools, attack modeling tools, visualization tools, and alerting tools to ensure that even the most hazardous vulnerabilities are addressed proactively.
It also makes sense to automate security controls and tests since organizations are pushing new versions of code into production several times per day for a single app. Without automation, it will be impossible to succeed.
Evaluate core dependencies
Enterprises today are using more open-source software in applications. A survey by Black Duck Software showed that 6 in 10 of the applications made with open-source components contained known security vulnerabilities in those components.
We understand that open-source use has been key to wide-scale DevOps adoption as it allows developers to assemble applications, rather than develop them entirely from scratch. But do developers have the bandwidth to review code in their open-source libraries or read the documentation? In most cases, no.
This makes code dependency checks essential in DevSecOps. Checks such as OWASP Dependency that scans your code and dependent open-source component libraries see if they contain any key OWASP flaws. These checks ensure that you do not use code with known vulnerabilities.
Source Code Analysis Tools (SAST) allows developers to scan code as they write it and receive instant feedback on issues that can cause security threats. It then becomes easier to remediate potential security vulnerabilities as a part of the normal workflow and hence form an integral part of the DevSecOps practice.
However, to introduce such tools successfully, it makes the most sense to start small. Instead of turning on checks for a slew of security issues it may be better to turn on one or two security checks at a time. This helps developers get accustomed to the idea of having security rules incorporated into their workflow. Instead of disrupting everything, start small, allow the developers to see how the tools help them catch coding errors and reduce conflicts between development and security teams.
In conclusion, we’d like to say that creating a culture where everyone has the ‘security mindset’ cannot be achieved overnight. You have to work towards increasing the team’s collective security IQ. It is necessary to help them understand the attacker’s perspective and increase their threat intelligence.
Developing this security mindset will ensure that you have less complex problems to fix, your issues will get resolved faster, you will be able to deliver secure features faster and will get more time to add more value to your product as well as provide more stable operating environments.
Of course, it will take a little time to perfect your DevSecOps methodology. It might seem you are slowing down initially. But sometimes, you need to slow down to move faster.