
Application Security

5/20/2019 10:20 AM
Tim Woods

DevSecOps Enables Security to Finally Move at the Speed of the Business

In the DevSecOps model, security teams are fully integrated into the DevOps process.

Until recently, security was a "bolt-on" or an afterthought -- if a thought at all -- in the DevOps process. It's easy to understand why. Application development has dramatically improved in speed and quality through the adoption of DevOps, agile development and continuous deployment initiatives, while security still relies on manual processes that just can't keep up with the pace of deployment and change. This leaves DevOps teams with two options: 1) deploy applications as quickly as possible and worry about security later; or 2) slow down development and deployment cycles while security adds the necessary policies and access controls. It should come as no surprise that speed usually wins over security, and applications are often deployed before they can be fully secured.

We usually see security issues play out in the DevOps process in two ways:

  • Application developers neglect to prioritize secure coding in their applications.
  • DevOps teams deploy applications in the cloud without following proper security policies and access controls, or without having the appropriate skills to configure cloud security. This is why headlines, of late, have been dominated by news of cloud data breaches, leaky buckets and unauthorized access to personally identifiable information.

Ongoing security issues such as these, in combination with stringent new compliance requirements such as the General Data Protection Regulation (GDPR), have prompted organizations to take a closer look at security in the DevOps process. Development and operations teams are moving beyond simply asking "How can I serve up data and applications in a way that is easy for my users to consume?" to asking "How can I securely serve up data and applications in a way that is easy for my users to consume?" The answer is DevSecOps.

Benefits of DevSecOps
In the DevSecOps model, security teams are fully integrated into the DevOps process -- from design, development and code quality assurance, to deployment and support processes -- so they can embed security functions and controls throughout the application development cycle.

DevSecOps is a fairly new trend, but one that more organizations are adopting. According to FireMon's recent State of Hybrid Cloud Security Survey, 30.7% of the survey's respondent base of more than 400 information security professionals said they are part of the DevOps team, as part of the emerging DevSecOps trend. And the DevSecOps adoption rate will only continue to accelerate.

In addition to reducing risk, DevSecOps does two very important things. First, it moves security from the back burner to the forefront of DevOps initiatives, ensuring "security by design and by default." In other words, security becomes part of the overall DevOps workflow, rather than being a roadblock or an afterthought.

Second, with the help of a policy orchestration platform, DevSecOps facilitates collaboration between development, operations and security teams. This is important because it allows all stakeholders to work together to develop security policies and establish security guardrails around application deployment that align business intent, operations intent, and security and compliance intent. Teams that once worked in isolation are now collaborating on a regular basis to strengthen DevOps security.

Automated policy management
There's one other important thing to consider when it comes to successfully executing a DevSecOps model. Policy management and security capabilities must be automated, or DevOps teams will find themselves, once again, mired in the "business demands vs. security requirements" issue.

In today's dynamic business environments, new networking technologies and development processes are implemented all the time, and user access requests are constantly changing. It's impossible for security teams to keep up with the pace of change if they're still manually writing security rules. Not to mention, these labor-intensive processes slow development and deployment, and frustrate DevOps teams.

With automated policy management, the right access controls are automatically applied to applications based on pre-defined business, security and compliance intent -- regardless of how they change or move -- so security can keep up with DevOps demands. The ability to automatically generate security rules also provides DevOps and business leaders with the ability to grant user access when needed, while remaining within the confines of defined security and compliance policies -- resulting in "self-service" security.

Security at the speed of business
DevOps, cloud computing and other digital transformation initiatives are causing business initiatives to accelerate faster than security teams' ability to secure them. DevSecOps offers organizations the opportunity to break free from this vicious cycle by making security a priority, uniting all stakeholders around common security policies, and automating policy management. Only then can DevOps teams take advantage of next-gen technologies and processes without introducing added risk. And only then can security teams move at the speed of development, operations and the business.

Tim Woods is VP of Technology Alliances at FireMon and brings more than 20 years of security experience to the role. Tim's passion for security grew during his eight years serving the Naval Intelligence Community and continued to grow as he assumed roles at several successful security startups and at Nokia Enterprise Solutions.
