Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/1/2017
02:00 PM
Brent Midwood
Brent Midwood
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security & Development: Better Together

How DevSecOps removes the silos between security and application development teams so that everyone can work together at the same speed.

For organizations trying to accelerate their product go-to-market, DevOps has transformed application development. By knocking down the wall between development and operations it’s now possible to release incremental changes more often. The bad news is that security teams are not equipped to move as quickly, and are falling behind. For security teams looking for best practices to keep up, DevSecOps is the answer.

Unfortunately, enterprise security teams don’t have a great reputation among developers. That’s because their responsibility is to focus on all the things that can go wrong which typically forces them to act as a bottleneck. Last fall, Gartner analysts found that 77 percent of IT professionals believe security teams cannot keep up with the speed required for DevOps. To change that perception, security professionals need to be faster, more efficient, and more adaptable to change. In short, security needs to adopt DevOps.

To be clear, DevOps practices plus security practices does not equal DevSecOps. Rather, DevSecOps is delivery of security as code, and the adoption of the values proposed by the DevSecOps community can be used to create DevOps-like practices that allow security teams to gain the same advantages that development and operations teams enjoy.

Automation is key to making developers and operations work faster. Security teams can use automation to improve visibility throughout the application lifecycle, integrate security tools and processes into the developer workflow, and continuously test applications for vulnerabilities, configuration issues, and policy violations.

Continuous Visibility
Security professionals often lack visibility into the output of the development cycle. They don’t see changes to code or the operational stack, and they don’t have insight into the tools and processes that are being used to deliver the code. Security controls pointed at a DevOps cycle or a rapid traditional software development life cycle (SDLC) can degrade quickly as the infrastructure and applications change in the course of normal development. A CISO at a large bank recently said he had “zero” visibility into the effect of DevOps on his organization’s security posture, and, DevOps aside, he’s not alone.  

By valuing proactive security monitoring over reacting to post-incident information, security teams can implement automated tools and techniques to create visibility into a development team’s delivery pipeline that can inform them of infrastructure and code changes. Simple integrations with source control and infrastructure change tracking systems are low-hanging fruit to help with the visibility problem.

Integrating Security into the Development Team
The challenges don’t end with visibility. Even if security teams are able to proactively identify areas of change introduced by development, there may be no time to execute time-consuming code analysis scanning or other techniques to identify new vulnerabilities associated with every release from the development team.

By valuing open contribution and collaboration over security-only requirements, security teams can gain visibility into all processes that are part of the development lifecycle. For example, involving the security team during a design phase, having a security champion on the development team, and educating and empowering them to adapt the SDLC can help prevent small problems such as an out-of-date library or a common vulnerability, while maturing the overall process to anticipate larger architectural security risks.

Automation & Continuous Validation
Continuous visibility that finds the issues, and integration of security requirements into the SDLC is a start, but DevSecOps won’t work if security tools and processes aren’t automated within the build, test, and release activities of the development team.

By valuing consumable security services with APIs over mandated security controls and paperwork, security teams can achieve a set of DevSecOps practices that match the speed and agility that DevOps teams enjoy, practices that might include:

  • Security delivered as a code, which would provide self-service vulnerability scans, and up-to-date catalogs of open source components so that developers are less likely to introduce vulnerabilities.
  • When possible, create master virtual machine images with built-in security controls and a hardened operating system so that whenever a developer spins up a new instance, the security defenses are already in place.
  • If you’re in an industry with compliance requirements, such as healthcare, legal services, or financial services, automate checks into a staging environment, or build a system to ensure compliance when new applications and infrastructure are deployed.
  •  Automate security-related activities, such as patching and configuration management, to minimize the potential for mistakes and reduce the time spent on these tasks. For example, an elastic load balancer can automatically shut down a handful of servers, spin up new instances from an updated master image, and keep repeating the process until all servers have been updated with the latest patches. This is how Amazon managed to patch all servers in its sprawling environment in under 24 hours when Heartbleed was discovered.

DevSecOps removes the silos between security and the rest of the development team so they all work together at the same speed. Communication is critical to cross-functional cooperation and better understanding of activities across different groups. Security professionals will see their roles change for the better as they adopt DevSecOps practices, as security questions are addressed at each stage of the lifecycle, not treated as an afterthought. CISOs need to lead the effort to establish DevSecOps practices in their enterprises. If they drive a partnership between security and development, then security will be able to keep up with the front of the pack.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Related Content:

Brent Midwood is a hands-on technologist, cybersecurity leader, and product manager with 15 years of cybersecurity and information assurance experience. As director of product management at AttackIQ, he defines and drives product strategy and execution at the company. Prior ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.