Operations

6/1/2017
02:00 PM
Brent Midwood
Brent Midwood
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security & Development: Better Together

How DevSecOps removes the silos between security and application development teams so that everyone can work together at the same speed.

For organizations trying to accelerate their product go-to-market, DevOps has transformed application development. By knocking down the wall between development and operations it’s now possible to release incremental changes more often. The bad news is that security teams are not equipped to move as quickly, and are falling behind. For security teams looking for best practices to keep up, DevSecOps is the answer.

Unfortunately, enterprise security teams don’t have a great reputation among developers. That’s because their responsibility is to focus on all the things that can go wrong which typically forces them to act as a bottleneck. Last fall, Gartner analysts found that 77 percent of IT professionals believe security teams cannot keep up with the speed required for DevOps. To change that perception, security professionals need to be faster, more efficient, and more adaptable to change. In short, security needs to adopt DevOps.

To be clear, DevOps practices plus security practices does not equal DevSecOps. Rather, DevSecOps is delivery of security as code, and the adoption of the values proposed by the DevSecOps community can be used to create DevOps-like practices that allow security teams to gain the same advantages that development and operations teams enjoy.

Automation is key to making developers and operations work faster. Security teams can use automation to improve visibility throughout the application lifecycle, integrate security tools and processes into the developer workflow, and continuously test applications for vulnerabilities, configuration issues, and policy violations.

Continuous Visibility
Security professionals often lack visibility into the output of the development cycle. They don’t see changes to code or the operational stack, and they don’t have insight into the tools and processes that are being used to deliver the code. Security controls pointed at a DevOps cycle or a rapid traditional software development life cycle (SDLC) can degrade quickly as the infrastructure and applications change in the course of normal development. A CISO at a large bank recently said he had “zero” visibility into the effect of DevOps on his organization’s security posture, and, DevOps aside, he’s not alone.  

By valuing proactive security monitoring over reacting to post-incident information, security teams can implement automated tools and techniques to create visibility into a development team’s delivery pipeline that can inform them of infrastructure and code changes. Simple integrations with source control and infrastructure change tracking systems are low-hanging fruit to help with the visibility problem.

Integrating Security into the Development Team
The challenges don’t end with visibility. Even if security teams are able to proactively identify areas of change introduced by development, there may be no time to execute time-consuming code analysis scanning or other techniques to identify new vulnerabilities associated with every release from the development team.

By valuing open contribution and collaboration over security-only requirements, security teams can gain visibility into all processes that are part of the development lifecycle. For example, involving the security team during a design phase, having a security champion on the development team, and educating and empowering them to adapt the SDLC can help prevent small problems such as an out-of-date library or a common vulnerability, while maturing the overall process to anticipate larger architectural security risks.

Automation & Continuous Validation
Continuous visibility that finds the issues, and integration of security requirements into the SDLC is a start, but DevSecOps won’t work if security tools and processes aren’t automated within the build, test, and release activities of the development team.

By valuing consumable security services with APIs over mandated security controls and paperwork, security teams can achieve a set of DevSecOps practices that match the speed and agility that DevOps teams enjoy, practices that might include:

  • Security delivered as a code, which would provide self-service vulnerability scans, and up-to-date catalogs of open source components so that developers are less likely to introduce vulnerabilities.
  • When possible, create master virtual machine images with built-in security controls and a hardened operating system so that whenever a developer spins up a new instance, the security defenses are already in place.
  • If you’re in an industry with compliance requirements, such as healthcare, legal services, or financial services, automate checks into a staging environment, or build a system to ensure compliance when new applications and infrastructure are deployed.
  •  Automate security-related activities, such as patching and configuration management, to minimize the potential for mistakes and reduce the time spent on these tasks. For example, an elastic load balancer can automatically shut down a handful of servers, spin up new instances from an updated master image, and keep repeating the process until all servers have been updated with the latest patches. This is how Amazon managed to patch all servers in its sprawling environment in under 24 hours when Heartbleed was discovered.

DevSecOps removes the silos between security and the rest of the development team so they all work together at the same speed. Communication is critical to cross-functional cooperation and better understanding of activities across different groups. Security professionals will see their roles change for the better as they adopt DevSecOps practices, as security questions are addressed at each stage of the lifecycle, not treated as an afterthought. CISOs need to lead the effort to establish DevSecOps practices in their enterprises. If they drive a partnership between security and development, then security will be able to keep up with the front of the pack.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Related Content:

Brent Midwood is a hands-on technologist, cybersecurity leader, and product manager with 15 years of cybersecurity and information assurance experience. As director of product management at AttackIQ, he defines and drives product strategy and execution at the company. Prior ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.