In 2016, about eight years following the birth of DevOps as the new software delivery paradigm, Hewlett Packard Enterprise released a survey of professionals working in this field. The goal of the report was to gauge application security sentiment, and it found nearly 100% of respondents agreed that DevOps offers opportunities to improve overall software security.
Something else that the HPE report revealed was a false sense of security among developers since only 20% of them actually conducted security testing during the DevOps process, and 17% admitted to not using any security strategies before the application delivery stage.
Another worrisome finding in the HPE report was that the ratio of security specialists to software developers in the DevOps world was 1:80. As can be expected, this low ratio had an impact among clients that rely on DevOps because security issues were detected during the configuration and monitoring stages, thereby calling into question the efficiency of DevOps as a methodology.
This 1:80 ratio has been considerably improved since the HPE report thanks to sharp observations by the likes of John Meakin, former chief security officer at Burberry, who pointed out that a commitment to DevOps security was required from the upper echelons of organizations down to the managers who are in charge of hiring DevOps professionals.
How the DevSecOps Model Is Supposed to Work
There was a time when IT security and compliance were business processes that could be managed separately, but this is no longer reasonable or sustainable. According to a recent Deloitte Insights report related to DevOps, most enterprise organizations have no choice but to adopt DevSecOps models because failure to do so has a high potential of turning into major headaches.
Imagine a major retailer such as Burberry sticking with DevOps instead of DevSecOps. We are talking about a company that is constantly upgrading its point-of-sale systems for the purpose of keeping up with payment technologies such as near-field communication (NFC) contactless payments. Let's say the new Burberry POS is coded, built, tested, packaged, released, and configured without checking if NFC transactions are being conducted with General Data Protection Regulation (GDPR) compliance in mind.
The last thing the legal department would want to learn is that thousands of point-of-sale transactions ran afoul of GDPR on the eve of Brexit. Aside from the headache of reporting the issue to the Information Commissioner's Office, the DevOps team would have to check how far back into the process it needs to go in order to correct the issue.
Add DevSecOps and Stir
DevOps is all about automation and agility, but ignoring security can be costly. How costly? According to Microsoft, hacks result in a global cumulative expense of $500 billion in recovery. According to the report, data breach or hack costs the average company $3.8 million. That adds a big chunk to the cost of doing business for infected organizations, especially when you consider that 43% of cyberattacks target small and medium-sized businesses and more than half have zero security budget.
Where should DevOps teams start? First and foremost, following basic security procedures such as using enterprise firewalls, regularly auditing server logs, and mandating employee VPN usage. Surprisingly, only 30% of global users use a VPN for work on a daily basis. This means that in the majority of the cases, private company data is transmitted across public networks unencrypted and available to enterprising hackers.
One example of a company that had an infamous data breach due to employees using VPNs improperly was Ashley Madison. Hackers said in a statement, "Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the Internet to VPN to root on all servers." Using a VPN allows your private data to be encrypted but if a hacking group can access the VPN by using a password anyone can guess, it's pretty useless.
VPN usage notwithstanding, what happens when DevOps teams, as a safety precaution, enable traffic-logging during the testing stage and forget to disable it before release? If a VPN service keeps log files against its own terms of service, it puts user data at risk and could incur class-action lawsuits or damage reputation.
In essence, the DevSecOps model brings security and compliance experts into the team through the following five processes:
- Holistic security approach: This may not be easy to implement, but it is worth every effort. A DevOps team should bring in compliance and security personnel at the beginning and end of every step. The first interaction is to brief developers and the second is to check the work for the purpose of deeming it secure and compliant.
- Evaluation before automation: DevSecOps does not have to sacrifice automated processes; it only needs to audit them before they are implemented.
- Risk-oriented "what-if" scenarios: This is another DevSecOps process that may not be easy to introduce to an existing team of developers. Security and compliance professionals tend to operate in what-if environments that may cause friction with developers who observe actionable insights. One recommendation in this regard is to get HR involved and figure out team-building activities to break the ice and forge friendly bonds.
- Security-as-code: Whenever continuous delivery is sought, changes will be introduced, and this is where security-as-code comes into play. This process will need at least one or more security specialists who are comfortable with coding because they will have to apply threat modeling, functional testing, simulated attacks, and incident response strategies.
- Bug bounty programs: Assuming that DevSecOps team members are being trained on security topics, a bug bounty program with attractive rewards can be a smart and fun way to get everyone into a security state of mind.
In the end, the cyber threat climate of the 21st century is what makes DevSecOps a necessity and not something that would be nice to have. Embracing DevSecOps makes sense. Ignoring this emerging paradigm is simply too risky.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.