Dark Reading

Application Security

5/20/2019 10:20 AM
Tim Woods

DevSecOps Enables Security to Finally Move at the Speed of the Business

In the DevSecOps model, security teams are fully integrated into the DevOps process.

Until recently, security was a "bolt-on" or an afterthought -- if a thought at all -- in the DevOps process. It's easy to understand why. Application development has dramatically improved in speed and quality through the adoption of DevOps, agile development and continuous deployment initiatives, while security still relies on manual processes that just can't keep up with the pace of deployment and change. This leaves DevOps teams with two options: 1) deploy applications as quickly as possible and worry about security later; or 2) slow down development and deployment cycles while security adds the necessary policies and access controls. It should come as no surprise that speed usually wins over security, and applications are often deployed before they can be fully secured.

We usually see security issues play out in the DevOps process in two ways:

  • Application developers neglect to prioritize secure coding in their applications.
  • DevOps teams deploy applications in the cloud without following proper security policies and access controls, or without having the appropriate skills to configure cloud security. This is why headlines, of late, have been dominated by news of cloud data breaches, leaky buckets and unauthorized access to personally identifiable information.

Ongoing security issues such as these, in combination with stringent new compliance requirements such as the General Data Protection Regulation (GDPR), have prompted organizations to take a closer look at security in the DevOps process. Development and operations teams are moving beyond simply asking, "How can I serve up data and applications in a way that is easy for my users to consume?" to asking, "How can I securely serve up data and applications in a way that is easy for my users to consume?" The answer is DevSecOps.

Benefits of DevSecOps
In the DevSecOps model, security teams are fully integrated into the DevOps process -- from design, development and code quality assurance, to deployment and support processes -- so they can embed security functions and controls throughout the application development cycle.

DevSecOps is a fairly new trend, but one that more organizations are adopting. According to FireMon's recent State of Hybrid Cloud Security Survey, 30.7% of the survey's respondent base of more than 400 information security professionals said they are part of the DevOps team, as part of the emerging DevSecOps trend. And the DevSecOps adoption rate will only continue to accelerate.

In addition to reducing risk, DevSecOps does two very important things. First, it moves security from the backburner to the forefront of DevOps initiatives, ensuring "security by design and default." In other words, security becomes part of the overall DevOps workflow, rather than being a road block or an afterthought.

Second, with the help of a policy orchestration platform, DevSecOps facilitates collaboration between development, operations and security teams. This is important because it allows all stakeholders to work together to develop security policies and establish security guardrails around application deployment that align business intent, operations intent, and security and compliance intent. Teams that once worked in isolation are now collaborating on a regular basis to strengthen DevOps security.

Automated policy management
There's one other important thing to consider when it comes to successfully executing a DevSecOps model. Policy management and security capabilities must be automated, or DevOps teams will find themselves, once again, mired in the "business demands vs. security requirements" issue.

In today's dynamic business environments, new networking technologies and development processes are implemented all the time, and user access requests are constantly changing. It's impossible for security teams to keep up with the pace of change if they're still manually writing security rules. Not to mention, these labor-intensive processes slow development and deployment, and frustrate DevOps teams.

With automated policy management, the right access controls are automatically applied to applications based on pre-defined business, security and compliance intent -- regardless of how they change or move -- so security can keep up with DevOps demands. The ability to automatically generate security rules also provides DevOps and business leaders with the ability to grant user access when needed, while remaining within the confines of defined security and compliance policies -- resulting in "self-service" security.
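The guardrail model described in the two sections above (business, operations and security intent defined once, then enforced automatically on every deployment request) is easiest to see as policy-as-code. The following is an added illustration, not code from the article or from FireMon: a hypothetical deployment manifest is checked against assumed tier-adjacency and compliance rules, and the gate either emits the allow rules to apply or rejects the request with the specific violations, so a DevOps team can self-serve within the defined boundaries. The component names, tiers, ports, data classifications and rule format are all assumptions made for the example.

```python
# Added example (not from the article or FireMon): a minimal policy-as-code
# gate that turns pre-defined intent into access rules, or rejects a request.
from dataclasses import dataclass, field

# --- Security and compliance intent (assumed values) ------------------------
# Ports that may ever be reachable from the internet.
PUBLIC_PORTS_ALLOWED = {80, 443}
# Data classifications that must never sit on publicly exposed storage.
SENSITIVE_CLASSES = {"pii", "pci"}
# Operations intent: which source tier may talk to which destination tier.
# Anything not listed is denied by default (e.g. internet -> db).
TIER_ADJACENCY = {
    "internet": {"web"},
    "web": {"app"},
    "app": {"db"},
}


@dataclass
class Component:
    name: str
    tier: str                     # "web", "app" or "db"
    ports: set                    # TCP ports the component listens on
    data_class: str = "none"      # "none", "pii", "pci", ...
    public_storage: bool = False  # e.g. a world-readable object bucket


@dataclass
class Flow:
    src: str   # component name, or "internet"
    dst: str   # component name
    port: int


@dataclass
class Manifest:
    app: str
    components: dict   # name -> Component
    flows: list        # requested Flow objects (business intent)


@dataclass
class Decision:
    allowed: bool
    rules: list = field(default_factory=list)       # generated allow rules
    violations: list = field(default_factory=list)  # reasons for rejection


def evaluate(m: Manifest) -> Decision:
    """Check a deployment manifest against intent; generate rules or reject."""
    d = Decision(allowed=True)

    # Guardrail 1: sensitive data never on public storage (the "leaky bucket").
    for c in m.components.values():
        if c.public_storage and c.data_class in SENSITIVE_CLASSES:
            d.violations.append(f"{c.name}: {c.data_class} data on public storage")

    for f in m.flows:
        if f.dst not in m.components or (f.src != "internet" and f.src not in m.components):
            d.violations.append(f"{f.src}->{f.dst}:{f.port}: unknown component")
            continue
        src_tier = "internet" if f.src == "internet" else m.components[f.src].tier
        dst = m.components[f.dst]

        # Guardrail 2: only adjacent tiers may communicate.
        if dst.tier not in TIER_ADJACENCY.get(src_tier, set()):
            d.violations.append(f"{f.src}->{f.dst}:{f.port}: {src_tier} may not reach {dst.tier}")
            continue
        # Guardrail 3: the destination must actually listen on that port.
        if f.port not in dst.ports:
            d.violations.append(f"{f.src}->{f.dst}:{f.port}: {f.dst} does not expose port {f.port}")
            continue
        # Guardrail 4: internet exposure is limited to the compliance allowlist.
        if src_tier == "internet" and f.port not in PUBLIC_PORTS_ALLOWED:
            d.violations.append(f"{f.src}->{f.dst}:{f.port}: port not permitted from the internet")
            continue
        # Passed every guardrail: emit an allow rule (everything else stays denied).
        d.rules.append(f"allow tcp {f.src} -> {f.dst}:{f.port}")

    d.allowed = not d.violations
    return d


# --- Constructed sample manifests (not real deployments) --------------------
GOOD_MANIFEST = Manifest(
    app="orders",
    components={
        "web": Component("web", "web", {443}),
        "app": Component("app", "app", {8080}),
        "db":  Component("db", "db", {5432}, data_class="pii"),
    },
    flows=[Flow("internet", "web", 443), Flow("web", "app", 8080), Flow("app", "db", 5432)],
)

BAD_MANIFEST = Manifest(
    app="orders-quickfix",
    components={
        "web": Component("web", "web", {443, 22}),
        "db":  Component("db", "db", {5432}, data_class="pii", public_storage=True),
    },
    flows=[Flow("internet", "web", 443), Flow("internet", "web", 22), Flow("internet", "db", 5432)],
)

if __name__ == "__main__":
    for manifest in (GOOD_MANIFEST, BAD_MANIFEST):
        decision = evaluate(manifest)
        print(manifest.app, "ALLOWED" if decision.allowed else "REJECTED")
        for line in decision.rules + decision.violations:
            print("  ", line)
```

The point of the structure is that the intent tables at the top are the only thing the security team maintains; the developer supplies the manifest and gets back either concrete rules or an actionable list of what violated policy, which is what "self-service" security means in practice. Run as a CI step, a rejected decision blocks the deployment before anything reaches the cloud account.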

Security at the speed of business
DevOps, cloud computing and other digital transformation initiatives are causing business initiatives to accelerate faster than security teams' ability to secure them. DevSecOps offers organizations the opportunity to break free from this vicious cycle by making security a priority, uniting all stakeholders around common security policies, and automating policy management. Only then can DevOps teams take advantage of next-gen technologies and processes without introducing added risk. And only then can security teams move at the speed of development, operations and the business.

Tim Woods is VP of Technology Alliances at FireMon. He brings more than 20 years of security experience to his role as VP of Technology Alliances at FireMon. Tim's passion for security grew during his eight years serving the Naval Intelligence Community and continued to grow as he assumed roles at several successful security startups and at Nokia Enterprise Solutions.
