Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/1/2017
02:00 PM
Brent Midwood
Brent Midwood
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security & Development: Better Together

How DevSecOps removes the silos between security and application development teams so that everyone can work together at the same speed.

For organizations trying to accelerate their product go-to-market, DevOps has transformed application development. By knocking down the wall between development and operations it’s now possible to release incremental changes more often. The bad news is that security teams are not equipped to move as quickly, and are falling behind. For security teams looking for best practices to keep up, DevSecOps is the answer.

Unfortunately, enterprise security teams don’t have a great reputation among developers. That’s because their responsibility is to focus on all the things that can go wrong which typically forces them to act as a bottleneck. Last fall, Gartner analysts found that 77 percent of IT professionals believe security teams cannot keep up with the speed required for DevOps. To change that perception, security professionals need to be faster, more efficient, and more adaptable to change. In short, security needs to adopt DevOps.

To be clear, DevOps practices plus security practices does not equal DevSecOps. Rather, DevSecOps is delivery of security as code, and the adoption of the values proposed by the DevSecOps community can be used to create DevOps-like practices that allow security teams to gain the same advantages that development and operations teams enjoy.

Automation is key to making developers and operations work faster. Security teams can use automation to improve visibility throughout the application lifecycle, integrate security tools and processes into the developer workflow, and continuously test applications for vulnerabilities, configuration issues, and policy violations.

Continuous Visibility
Security professionals often lack visibility into the output of the development cycle. They don’t see changes to code or the operational stack, and they don’t have insight into the tools and processes that are being used to deliver the code. Security controls pointed at a DevOps cycle or a rapid traditional software development life cycle (SDLC) can degrade quickly as the infrastructure and applications change in the course of normal development. A CISO at a large bank recently said he had “zero” visibility into the effect of DevOps on his organization’s security posture, and, DevOps aside, he’s not alone.  

By valuing proactive security monitoring over reacting to post-incident information, security teams can implement automated tools and techniques to create visibility into a development team’s delivery pipeline that can inform them of infrastructure and code changes. Simple integrations with source control and infrastructure change tracking systems are low-hanging fruit to help with the visibility problem.

Integrating Security into the Development Team
The challenges don’t end with visibility. Even if security teams are able to proactively identify areas of change introduced by development, there may be no time to execute time-consuming code analysis scanning or other techniques to identify new vulnerabilities associated with every release from the development team.

By valuing open contribution and collaboration over security-only requirements, security teams can gain visibility into all processes that are part of the development lifecycle. For example, involving the security team during a design phase, having a security champion on the development team, and educating and empowering them to adapt the SDLC can help prevent small problems such as an out-of-date library or a common vulnerability, while maturing the overall process to anticipate larger architectural security risks.

Automation & Continuous Validation
Continuous visibility that finds the issues, and integration of security requirements into the SDLC is a start, but DevSecOps won’t work if security tools and processes aren’t automated within the build, test, and release activities of the development team.

By valuing consumable security services with APIs over mandated security controls and paperwork, security teams can achieve a set of DevSecOps practices that match the speed and agility that DevOps teams enjoy, practices that might include:

  • Security delivered as a code, which would provide self-service vulnerability scans, and up-to-date catalogs of open source components so that developers are less likely to introduce vulnerabilities.
  • When possible, create master virtual machine images with built-in security controls and a hardened operating system so that whenever a developer spins up a new instance, the security defenses are already in place.
  • If you’re in an industry with compliance requirements, such as healthcare, legal services, or financial services, automate checks into a staging environment, or build a system to ensure compliance when new applications and infrastructure are deployed.
  •  Automate security-related activities, such as patching and configuration management, to minimize the potential for mistakes and reduce the time spent on these tasks. For example, an elastic load balancer can automatically shut down a handful of servers, spin up new instances from an updated master image, and keep repeating the process until all servers have been updated with the latest patches. This is how Amazon managed to patch all servers in its sprawling environment in under 24 hours when Heartbleed was discovered.

DevSecOps removes the silos between security and the rest of the development team so they all work together at the same speed. Communication is critical to cross-functional cooperation and better understanding of activities across different groups. Security professionals will see their roles change for the better as they adopt DevSecOps practices, as security questions are addressed at each stage of the lifecycle, not treated as an afterthought. CISOs need to lead the effort to establish DevSecOps practices in their enterprises. If they drive a partnership between security and development, then security will be able to keep up with the front of the pack.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Related Content:

Brent Midwood is a hands-on technologist, cybersecurity leader, and product manager with 15 years of cybersecurity and information assurance experience. As director of product management at AttackIQ, he defines and drives product strategy and execution at the company. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...