Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

6/1/2017
02:00 PM
Brent Midwood
Brent Midwood
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Security & Development: Better Together

How DevSecOps removes the silos between security and application development teams so that everyone can work together at the same speed.

For organizations trying to accelerate their product go-to-market, DevOps has transformed application development. By knocking down the wall between development and operations it’s now possible to release incremental changes more often. The bad news is that security teams are not equipped to move as quickly, and are falling behind. For security teams looking for best practices to keep up, DevSecOps is the answer.

Unfortunately, enterprise security teams don’t have a great reputation among developers. That’s because their responsibility is to focus on all the things that can go wrong which typically forces them to act as a bottleneck. Last fall, Gartner analysts found that 77 percent of IT professionals believe security teams cannot keep up with the speed required for DevOps. To change that perception, security professionals need to be faster, more efficient, and more adaptable to change. In short, security needs to adopt DevOps.

To be clear, DevOps practices plus security practices does not equal DevSecOps. Rather, DevSecOps is delivery of security as code, and the adoption of the values proposed by the DevSecOps community can be used to create DevOps-like practices that allow security teams to gain the same advantages that development and operations teams enjoy.

Automation is key to making developers and operations work faster. Security teams can use automation to improve visibility throughout the application lifecycle, integrate security tools and processes into the developer workflow, and continuously test applications for vulnerabilities, configuration issues, and policy violations.

Continuous Visibility
Security professionals often lack visibility into the output of the development cycle. They don’t see changes to code or the operational stack, and they don’t have insight into the tools and processes that are being used to deliver the code. Security controls pointed at a DevOps cycle or a rapid traditional software development life cycle (SDLC) can degrade quickly as the infrastructure and applications change in the course of normal development. A CISO at a large bank recently said he had “zero” visibility into the effect of DevOps on his organization’s security posture, and, DevOps aside, he’s not alone.  

By valuing proactive security monitoring over reacting to post-incident information, security teams can implement automated tools and techniques to create visibility into a development team’s delivery pipeline that can inform them of infrastructure and code changes. Simple integrations with source control and infrastructure change tracking systems are low-hanging fruit to help with the visibility problem.

Integrating Security into the Development Team
The challenges don’t end with visibility. Even if security teams are able to proactively identify areas of change introduced by development, there may be no time to execute time-consuming code analysis scanning or other techniques to identify new vulnerabilities associated with every release from the development team.

By valuing open contribution and collaboration over security-only requirements, security teams can gain visibility into all processes that are part of the development lifecycle. For example, involving the security team during a design phase, having a security champion on the development team, and educating and empowering them to adapt the SDLC can help prevent small problems such as an out-of-date library or a common vulnerability, while maturing the overall process to anticipate larger architectural security risks.

Automation & Continuous Validation
Continuous visibility that finds the issues, and integration of security requirements into the SDLC is a start, but DevSecOps won’t work if security tools and processes aren’t automated within the build, test, and release activities of the development team.

By valuing consumable security services with APIs over mandated security controls and paperwork, security teams can achieve a set of DevSecOps practices that match the speed and agility that DevOps teams enjoy, practices that might include:

  • Security delivered as a code, which would provide self-service vulnerability scans, and up-to-date catalogs of open source components so that developers are less likely to introduce vulnerabilities.
  • When possible, create master virtual machine images with built-in security controls and a hardened operating system so that whenever a developer spins up a new instance, the security defenses are already in place.
  • If you’re in an industry with compliance requirements, such as healthcare, legal services, or financial services, automate checks into a staging environment, or build a system to ensure compliance when new applications and infrastructure are deployed.
  •  Automate security-related activities, such as patching and configuration management, to minimize the potential for mistakes and reduce the time spent on these tasks. For example, an elastic load balancer can automatically shut down a handful of servers, spin up new instances from an updated master image, and keep repeating the process until all servers have been updated with the latest patches. This is how Amazon managed to patch all servers in its sprawling environment in under 24 hours when Heartbleed was discovered.

DevSecOps removes the silos between security and the rest of the development team so they all work together at the same speed. Communication is critical to cross-functional cooperation and better understanding of activities across different groups. Security professionals will see their roles change for the better as they adopt DevSecOps practices, as security questions are addressed at each stage of the lifecycle, not treated as an afterthought. CISOs need to lead the effort to establish DevSecOps practices in their enterprises. If they drive a partnership between security and development, then security will be able to keep up with the front of the pack.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Related Content:

Brent Midwood is a hands-on technologist, cybersecurity leader, and product manager with 15 years of cybersecurity and information assurance experience. As director of product management at AttackIQ, he defines and drives product strategy and execution at the company. Prior ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10287
PUBLISHED: 2020-07-15
The IRC5 family with UAS service enabled comes by default with credentials that can be found on publicly available manuals. ABB considers this a well documented functionality that helps customer set up however, out of our research, we found multiple production systems running these exact default cre...
CVE-2020-10288
PUBLISHED: 2020-07-15
IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.
CVE-2020-15780
PUBLISHED: 2020-07-15
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
CVE-2019-17639
PUBLISHED: 2020-07-15
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This...
CVE-2019-20908
PUBLISHED: 2020-07-15
An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.