Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/27/2019
10:30 AM
Sam Bocetta
Sam Bocetta
Commentary
50%
50%

Embracing DevSecOps: 5 Processes to Improve DevOps Security

In the cyber threat climate of the 21st century, sticking with DevOps is no longer an option.

In 2016, about eight years following the birth of DevOps as the new software delivery paradigm, Hewlett Packard Enterprise released a survey of professionals working in this field. The goal of the report was to gauge application security sentiment, and it found nearly 100% of respondents agreed that DevOps offers opportunities to improve overall software security.

Something else that the HPE report revealed was a false sense of security among developers since only 20% of them actually conducted security testing during the DevOps process, and 17% admitted to not using any security strategies before the application delivery stage.

Another worrisome finding in the HPE report was that the ratio of security specialists to software developers in the DevOps world was 1:80. As can be expected, this low ratio had an impact among clients that rely on DevOps because security issues were detected during the configuration and monitoring stages, thereby calling into question the efficiency of DevOps as a methodology.

This 1:80 ratio has been considerably improved since the HPE report thanks to sharp observations by the likes of John Meakin, former chief security officer at Burberry, who pointed out that a commitment to DevOps security was required from the upper echelons of organizations down to the managers who are in charge of hiring DevOps professionals.

How the DevSecOps Model Is Supposed to Work
There was a time when IT security and compliance were business processes that could be managed separately, but this is no longer reasonable or sustainable. According to a recent Deloitte Insights report related to DevOps, most enterprise organizations have no choice but to adopt DevSecOps models because failure to do so has a high potential of turning into major headaches.

Imagine a major retailer such as Burberry sticking with DevOps instead of DevSecOps. We are talking about a company that is constantly upgrading its point-of-sale systems for the purpose of keeping up with payment technologies such as near-field communication (NFC) contactless payments. Let's say the new Burberry POS is coded, built, tested, packaged, released, and configured without checking if NFC transactions are being conducted with General Data Protection Regulation (GDPR) compliance in mind.

The last thing the legal department would want to learn is that thousands of point-of-sale transactions ran afoul of GDPR on the eve of Brexit. Aside from the headache of reporting the issue to the Information Commissioner's Office, the DevOps team would have to check how far back into the process it needs to go in order to correct the issue.

Image by Mginise [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]
Image by Mginise [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]

Add DevSecOps and Stir
DevOps is all about automation and agility, but ignoring security can be costly. How costly? According to Microsoft, hacks result in a global cumulative expense of $500 billion in recovery. According to the report, data breach or hack costs the average company $3.8 million. That adds a big chunk to the cost of doing business for infected organizations, especially when you consider that 43% of cyberattacks target small and medium-sized businesses and more than half have zero security budget.

Where should DevOps teams start? First and foremost, following basic security procedures such as using enterprise firewalls, regularly auditing server logs, and mandating employee VPN usage. Surprisingly, only 30% of global users use a VPN for work on a daily basis. This means that in the majority of the cases, private company data is transmitted across public networks unencrypted and available to enterprising hackers.

One example of a company that had an infamous data breach due to employees using VPNs improperly was Ashley Madison.  Hackers said in a statement, "Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the Internet to VPN to root on all servers." Using a VPN allows your private data to be encrypted but if a hacking group can access the VPN by using a password anyone can guess, it's pretty useless.

VPN usage notwithstanding, what happens when DevOps teams, as a safety precaution, enable traffic-logging during the testing stage and forget to disable it before release? If a VPN service keeps log files against its own terms of service, it puts user data at risk and could incur class-action lawsuits or damage reputation.

In essence, the DevSecOps model brings security and compliance experts into the team through the following five processes:

  1. Holistic security approach: This may not be easy to implement, but it is worth every effort. A DevOps team should bring in compliance and security personnel at the beginning and end of every step. The first interaction is to brief developers and the second is to check the work for the purpose of deeming it secure and compliant.
  2. Evaluation before automation: DevSecOps does not have to sacrifice automated processes; it only needs to audit them before they are implemented.
  3. Risk-oriented "what-if" scenarios: This is another DevSecOps process that may not be easy to introduce to an existing team of developers. Security and compliance professionals tend to operate in what-if environments that may cause friction with developers who observe actionable insights. One recommendation in this regard is to get HR involved and figure out team-building activities to break the ice and forge friendly bonds.
  4. Security-as-code: Whenever continuous delivery is sought, changes will be introduced, and this is where security-as-code comes into play. This process will need at least one or more security specialists who are comfortable with coding because they will have to apply threat modeling, functional testing, simulated attacks, and incident response strategies.
  5. Bug bounty programs: Assuming that DevSecOps team members are being trained on security topics, a bug bounty program with attractive rewards can be a smart and fun way to get everyone into a security state of mind.

In the end, the cyber threat climate of the 21st century is what makes DevSecOps a necessity and not something that would be nice to have. Embracing DevSecOps makes sense. Ignoring this emerging paradigm is simply too risky.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Previously, Sam was a defense contractor. He worked in close partnership with architects and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5798
PUBLISHED: 2019-05-23
Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2019-5799
PUBLISHED: 2019-05-23
Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5800
PUBLISHED: 2019-05-23
Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5801
PUBLISHED: 2019-05-23
Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-5802
PUBLISHED: 2019-05-23
Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.