Cloud

2/27/2019
10:30 AM
Sam Bocetta
Sam Bocetta
Commentary
50%
50%

Embracing DevSecOps: 5 Processes to Improve DevOps Security

In the cyber threat climate of the 21st century, sticking with DevOps is no longer an option.

In 2016, about eight years following the birth of DevOps as the new software delivery paradigm, Hewlett Packard Enterprise released a survey of professionals working in this field. The goal of the report was to gauge application security sentiment, and it found nearly 100% of respondents agreed that DevOps offers opportunities to improve overall software security.

Something else that the HPE report revealed was a false sense of security among developers since only 20% of them actually conducted security testing during the DevOps process, and 17% admitted to not using any security strategies before the application delivery stage.

Another worrisome finding in the HPE report was that the ratio of security specialists to software developers in the DevOps world was 1:80. As can be expected, this low ratio had an impact among clients that rely on DevOps because security issues were detected during the configuration and monitoring stages, thereby calling into question the efficiency of DevOps as a methodology.

This 1:80 ratio has been considerably improved since the HPE report thanks to sharp observations by the likes of John Meakin, former chief security officer at Burberry, who pointed out that a commitment to DevOps security was required from the upper echelons of organizations down to the managers who are in charge of hiring DevOps professionals.

How the DevSecOps Model Is Supposed to Work
There was a time when IT security and compliance were business processes that could be managed separately, but this is no longer reasonable or sustainable. According to a recent Deloitte Insights report related to DevOps, most enterprise organizations have no choice but to adopt DevSecOps models because failure to do so has a high potential of turning into major headaches.

Imagine a major retailer such as Burberry sticking with DevOps instead of DevSecOps. We are talking about a company that is constantly upgrading its point-of-sale systems for the purpose of keeping up with payment technologies such as near-field communication (NFC) contactless payments. Let's say the new Burberry POS is coded, built, tested, packaged, released, and configured without checking if NFC transactions are being conducted with General Data Protection Regulation (GDPR) compliance in mind.

The last thing the legal department would want to learn is that thousands of point-of-sale transactions ran afoul of GDPR on the eve of Brexit. Aside from the headache of reporting the issue to the Information Commissioner's Office, the DevOps team would have to check how far back into the process it needs to go in order to correct the issue.

Image by Mginise [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]
Image by Mginise [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)]

Add DevSecOps and Stir
DevOps is all about automation and agility, but ignoring security can be costly. How costly? According to Microsoft, hacks result in a global cumulative expense of $500 billion in recovery. According to the report, data breach or hack costs the average company $3.8 million. That adds a big chunk to the cost of doing business for infected organizations, especially when you consider that 43% of cyberattacks target small and medium-sized businesses and more than half have zero security budget.

Where should DevOps teams start? First and foremost, following basic security procedures such as using enterprise firewalls, regularly auditing server logs, and mandating employee VPN usage. Surprisingly, only 30% of global users use a VPN for work on a daily basis. This means that in the majority of the cases, private company data is transmitted across public networks unencrypted and available to enterprising hackers.

One example of a company that had an infamous data breach due to employees using VPNs improperly was Ashley Madison.  Hackers said in a statement, "Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the Internet to VPN to root on all servers." Using a VPN allows your private data to be encrypted but if a hacking group can access the VPN by using a password anyone can guess, it's pretty useless.

VPN usage notwithstanding, what happens when DevOps teams, as a safety precaution, enable traffic-logging during the testing stage and forget to disable it before release? If a VPN service keeps log files against its own terms of service, it puts user data at risk and could incur class-action lawsuits or damage reputation.

In essence, the DevSecOps model brings security and compliance experts into the team through the following five processes:

  1. Holistic security approach: This may not be easy to implement, but it is worth every effort. A DevOps team should bring in compliance and security personnel at the beginning and end of every step. The first interaction is to brief developers and the second is to check the work for the purpose of deeming it secure and compliant.
  2. Evaluation before automation: DevSecOps does not have to sacrifice automated processes; it only needs to audit them before they are implemented.
  3. Risk-oriented "what-if" scenarios: This is another DevSecOps process that may not be easy to introduce to an existing team of developers. Security and compliance professionals tend to operate in what-if environments that may cause friction with developers who observe actionable insights. One recommendation in this regard is to get HR involved and figure out team-building activities to break the ice and forge friendly bonds.
  4. Security-as-code: Whenever continuous delivery is sought, changes will be introduced, and this is where security-as-code comes into play. This process will need at least one or more security specialists who are comfortable with coding because they will have to apply threat modeling, functional testing, simulated attacks, and incident response strategies.
  5. Bug bounty programs: Assuming that DevSecOps team members are being trained on security topics, a bug bounty program with attractive rewards can be a smart and fun way to get everyone into a security state of mind.

In the end, the cyber threat climate of the 21st century is what makes DevSecOps a necessity and not something that would be nice to have. Embracing DevSecOps makes sense. Ignoring this emerging paradigm is simply too risky.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Previously, Sam was a defense contractor. He worked in close partnership with architects and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-10743
PUBLISHED: 2019-03-23
hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.
CVE-2019-9947
PUBLISHED: 2019-03-23
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) follo...
CVE-2019-9948
PUBLISHED: 2019-03-23
urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.
CVE-2019-9945
PUBLISHED: 2019-03-23
SoftNAS Cloud 4.2.0 and 4.2.1 allows remote command execution. The NGINX default configuration file has a check to verify the status of a user cookie. If not set, a user is redirected to the login page. An arbitrary value can be provided for this cookie to access the web interface without valid user...
CVE-2019-9942
PUBLISHED: 2019-03-23
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the __toString() method on an object even if not allowed by the security policy in place.