Operations

6/1/2017
02:00 PM
Brent Midwood
Brent Midwood
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security & Development: Better Together

How DevSecOps removes the silos between security and application development teams so that everyone can work together at the same speed.

For organizations trying to accelerate their product go-to-market, DevOps has transformed application development. By knocking down the wall between development and operations it’s now possible to release incremental changes more often. The bad news is that security teams are not equipped to move as quickly, and are falling behind. For security teams looking for best practices to keep up, DevSecOps is the answer.

Unfortunately, enterprise security teams don’t have a great reputation among developers. That’s because their responsibility is to focus on all the things that can go wrong which typically forces them to act as a bottleneck. Last fall, Gartner analysts found that 77 percent of IT professionals believe security teams cannot keep up with the speed required for DevOps. To change that perception, security professionals need to be faster, more efficient, and more adaptable to change. In short, security needs to adopt DevOps.

To be clear, DevOps practices plus security practices does not equal DevSecOps. Rather, DevSecOps is delivery of security as code, and the adoption of the values proposed by the DevSecOps community can be used to create DevOps-like practices that allow security teams to gain the same advantages that development and operations teams enjoy.

Automation is key to making developers and operations work faster. Security teams can use automation to improve visibility throughout the application lifecycle, integrate security tools and processes into the developer workflow, and continuously test applications for vulnerabilities, configuration issues, and policy violations.

Continuous Visibility
Security professionals often lack visibility into the output of the development cycle. They don’t see changes to code or the operational stack, and they don’t have insight into the tools and processes that are being used to deliver the code. Security controls pointed at a DevOps cycle or a rapid traditional software development life cycle (SDLC) can degrade quickly as the infrastructure and applications change in the course of normal development. A CISO at a large bank recently said he had “zero” visibility into the effect of DevOps on his organization’s security posture, and, DevOps aside, he’s not alone.  

By valuing proactive security monitoring over reacting to post-incident information, security teams can implement automated tools and techniques to create visibility into a development team’s delivery pipeline that can inform them of infrastructure and code changes. Simple integrations with source control and infrastructure change tracking systems are low-hanging fruit to help with the visibility problem.

Integrating Security into the Development Team
The challenges don’t end with visibility. Even if security teams are able to proactively identify areas of change introduced by development, there may be no time to execute time-consuming code analysis scanning or other techniques to identify new vulnerabilities associated with every release from the development team.

By valuing open contribution and collaboration over security-only requirements, security teams can gain visibility into all processes that are part of the development lifecycle. For example, involving the security team during a design phase, having a security champion on the development team, and educating and empowering them to adapt the SDLC can help prevent small problems such as an out-of-date library or a common vulnerability, while maturing the overall process to anticipate larger architectural security risks.

Automation & Continuous Validation
Continuous visibility that finds the issues, and integration of security requirements into the SDLC is a start, but DevSecOps won’t work if security tools and processes aren’t automated within the build, test, and release activities of the development team.

By valuing consumable security services with APIs over mandated security controls and paperwork, security teams can achieve a set of DevSecOps practices that match the speed and agility that DevOps teams enjoy, practices that might include:

  • Security delivered as a code, which would provide self-service vulnerability scans, and up-to-date catalogs of open source components so that developers are less likely to introduce vulnerabilities.
  • When possible, create master virtual machine images with built-in security controls and a hardened operating system so that whenever a developer spins up a new instance, the security defenses are already in place.
  • If you’re in an industry with compliance requirements, such as healthcare, legal services, or financial services, automate checks into a staging environment, or build a system to ensure compliance when new applications and infrastructure are deployed.
  •  Automate security-related activities, such as patching and configuration management, to minimize the potential for mistakes and reduce the time spent on these tasks. For example, an elastic load balancer can automatically shut down a handful of servers, spin up new instances from an updated master image, and keep repeating the process until all servers have been updated with the latest patches. This is how Amazon managed to patch all servers in its sprawling environment in under 24 hours when Heartbleed was discovered.

DevSecOps removes the silos between security and the rest of the development team so they all work together at the same speed. Communication is critical to cross-functional cooperation and better understanding of activities across different groups. Security professionals will see their roles change for the better as they adopt DevSecOps practices, as security questions are addressed at each stage of the lifecycle, not treated as an afterthought. CISOs need to lead the effort to establish DevSecOps practices in their enterprises. If they drive a partnership between security and development, then security will be able to keep up with the front of the pack.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Related Content:

Brent Midwood is a hands-on technologist, cybersecurity leader, and product manager with 15 years of cybersecurity and information assurance experience. As director of product management at AttackIQ, he defines and drives product strategy and execution at the company. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.