It’s true to say that development operations (DevOps) has proven a force to be reckoned with, driving a cultural revolution in which software and services are created and deployed at a greatly accelerated pace.
By reducing time to market, organisations can introduce new services quickly, making it possible to outpace competitors and/or offer competitive advantage. Organisations have realised other important benefits as well, such as reducing the time spent maintaining existing apps and improving the quality and performance of deployed apps. More recently, the DevOps model has also proved valuable, driving digital transformation through the rapid delivery of new software products and services.
However, it’s not all been plain sailing as DevOps has largely taken place outside the purview of the security team — often without its knowledge or involvement. As a result, security teams struggle to keep pace, or even more seriously, have not been engaged at all.
Security leaders want to achieve security and stability, while in contrast, DevOps thrives on fast-moving development cycles, focusing on agility, experimentation and adaptation to change. As a result, security tends to only be considered at the concluding phases of software development, limiting the effectiveness of any measures as afterthoughts. The result is that DevOps and cybersecurity struggle to find a common ground.
But it doesn’t have to be this way. Collaboration between DevOps and security presents the perfect opportunity to move from a reactionary response to one where safeguards, proactive testing and prevention are automatically integrated throughout the development lifecycle.
DevSecOps: the key to security
Traditionally, security teams often detect vulnerabilities at the end of the software development cycle. This approach slows speed to market and can even result in wasted coding time, because code must be reworked after it was thought to be finished.
Instead, a security-minded “DevSecOps” approach incorporates security earlier in the development planning process. Teams should focus on problem prevention, rather than late problem detection. This helps both teams work more efficiently and effectively.
Understanding the role of containers in security
Containers transform how software is packaged, dramatically accelerating and simplifying application development and deployment while lowering operational costs and increasing innovation. On the flipside, containers may also create a major cyber exposure gap because of their short lifespans: an instance can be started and retired between the periodic scans that traditional approaches rely on, which makes containers difficult to detect, hard to assess for security issues, and means remediation requires different tactics from the traditional IT approach.
One key way for security leaders to work with DevOps is to integrate vulnerability assessment and remediation into what are known as Continuous Integration and Continuous Deployment (CI/CD) cycles. This ensures that all new container images are tested for security issues during the quality assurance (QA) phase of the DevOps lifecycle, alongside other tests such as unit and integration testing. Building security early into DevOps is a huge win for cybersecurity effectiveness.
Test and automate wherever possible
Many organisations with strong DevOps processes generate dozens if not hundreds of software updates daily. In these environments, relying on manual processes makes it tedious, if not impossible, for security to keep up. Instead, security tests should be triggered automatically with every build change and whenever new vulnerabilities are disclosed. Automation ensures that a high level of security exists across all areas of DevOps, not only as a seamless part of a developer’s integrated development environment (IDE) but also within the CI/CD toolchain.
Proactive prevention beats last minute detection
When security is embedded from the inside out, it’s harder for threat actors to be successful. Proactively addressing and remediating vulnerabilities early in the development cycle saves time and money compared to remediating vulnerabilities in production. It typically costs 2-3x more to remediate security defects after release compared to pre-release QA testing. The old adage is certainly true in security: An ounce of prevention is worth a pound of cure.
Evaluate and analyse current practices
Procedural guides help create a framework that ensures best practices are upheld. This keeps things simple and concise, and offers reliability, predictability and operational efficiency. At the same time, building a culture of security best practice is critical: senior developers should be empowered to keep records of reviews, deployments and coding methods so that adherence to security best practice can be verified.
It is also important that developers use sanctioned software components and images from registries and repositories that have been tested and approved by the security team. Practice makes perfect. Teams should revisit and evaluate frameworks and processes at least twice a year. This increases the team’s ability to address complex DevSecOps concerns.
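As an added example (not from the article or Tenable), here is a small CI/CD promotion gate in Python that enforces two of the practices above: the image must come from a registry the security team has approved, and the build's vulnerability scan must contain no unaccepted findings at or above an agreed severity. The registry host, finding ids and scan-report shape are constructed stand-ins, not any particular scanner's output.

```python
# Added example (not from the article): a CI/CD promotion gate that applies two
# of the practices above to a container image. The registry host, finding ids
# and scan-report shape are constructed stand-ins, not any real scanner's output.
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class GatePolicy:
    approved_registries: frozenset            # hosts sanctioned by the security team
    fail_at: str = "HIGH"                     # block on this severity or worse
    accepted_risks: frozenset = frozenset()   # finding ids with a documented sign-off

def image_host(image_ref: str) -> str:
    """Registry host of an image reference. Docker's reference rule: the first
    path component is a host only if it contains '.' or ':' or is 'localhost';
    otherwise the image is pulled from Docker Hub."""
    first = image_ref.split("/", 1)[0]
    is_host = "." in first or ":" in first or first == "localhost"
    return first if is_host else "docker.io"

def evaluate_image(image_ref, findings, policy):
    """Return (allowed, reasons). Fails closed when no scan result exists, so an
    image whose scan was skipped is never promoted silently."""
    reasons = []
    host = image_host(image_ref)
    if host not in policy.approved_registries:
        reasons.append(f"registry {host!r} is not on the approved list")
    if findings is None:
        reasons.append("no vulnerability scan result for this build")
        return False, reasons
    threshold = SEVERITY_RANK[policy.fail_at.upper()]
    blocking = sorted(
        f["id"] for f in findings
        if SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold
        and f["id"] not in policy.accepted_risks
    )
    if blocking:
        reasons.append(f"{len(blocking)} finding(s) at {policy.fail_at} or above: "
                       + ", ".join(blocking))
    return not reasons, reasons

# Constructed sample policy and scan report; VULN-0002 has an accepted-risk sign-off.
POLICY = GatePolicy(approved_registries=frozenset({"registry.internal.example"}),
                    accepted_risks=frozenset({"VULN-0002"}))
SAMPLE_SCAN = [
    {"id": "VULN-0001", "severity": "medium", "package": "libexample"},
    {"id": "VULN-0002", "severity": "critical", "package": "libexample"},
    {"id": "VULN-0003", "severity": "low", "package": "othertool"},
]
```

In a pipeline step, call `evaluate_image` on the freshly built image and its scan output, print the reasons and exit non-zero when it returns `False`, so the image is never pushed to the deployment registry.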
Everyone must be a part of security
The digital-driven business demands speed to stay competitive in the market. As IT attempts to keep up, and digital transformation continues to power on, security teams and developers must reinvent the way they think and work together. This includes ensuring that the whole organisation and its business stakeholders are aligned.
With business and change moving quickly, the number of risks has grown. Fortunately, if DevOps and security teams work together, there is hope of preventing most critical risks from causing harm. By collaborating more effectively internally from the beginning, organisations will have greater security without compromising efficient business operations.
Adam Palmer
Chief Cybersecurity Strategist, Tenable