DevSecOps: Aligning Conflicting Priorities to Combine Forces
DevOps and security teams have historically been known to work in silos until the end of the development process, resulting in friction between both teams. This is because security is often an afterthought in a race to roll out products and services to market, not leaving enough time to address the potential vulnerabilities that may arise. Organizations that effectively meld DevOps and cybersecurity can shift security from an afterthought to a proactive practice and reduce the Cyber Exposure gap.
The benefits of DevOps are undeniable - increased speed, rapid experimentation and continuous change are now guiding operating tenets to succeed in this competitive market. Unfortunately, cybersecurity has been largely absent in the DevOps conversation despite the growing risks and high-profile breaches over the past several years. This incongruence between DevOps and cybersecurity teams is a symptom of one of the longest standing disconnects in IT history. This includes the differing and often clashing cultural roots, vocabularies and processes of developers and cybersecurity professionals.
DevOps teams are used to working with agile, fast development cycles, whereas security professionals are trained to focus on control and stability. To further complicate things, security tends to be brought into the picture only at the final stages of the development cycle. To overcome challenges relating to speed, poor visibility and limited resources, security teams must set their differences aside and collaborate with DevOps from the beginning of the development cycle, not the other way round.
Traditionally, security teams have a reputation for detecting vulnerabilities at the tail end of the development cycle. This way of working not only tarnishes the credibility of the product or service from a security perspective but often halts the speed-to-market strategy and sends hours of coding down the drain.
DevSecOps is the philosophy of integrating security practices within the DevOps process. Security leaders can change the ways of working by shifting left to include security processes earlier in the app development planning process. Focusing on ongoing problem prevention rather than late problem detection helps both teams work efficiently.
Understanding the role of containers
One way of making the shift to work seamlessly with the DevOps team is to understand the role of containers in application development. Containers transform how software is packaged in order to dramatically accelerate and simplify application development and deployment while lowering operational costs and increasing innovation. On the flipside, containers also create a major Cyber Exposure gap. Containers have short lifespans, making them difficult to detect using traditional scanning approaches. On top of that, they're hard to assess for security issues, and container remediation requires a different approach compared to traditional IT.
One key way for security leaders to work with DevOps is to integrate vulnerability assessment and remediation into what are known as Continuous Integration and Continuous Deployment (CI/CD) systems. This ensures that all new container images are tested for security issues during the quality assurance (QA) phase of the DevOps lifecycle, alongside other tests such as unit and integration testing. Building security into DevOps is a huge win for cybersecurity effectiveness.
Test and automate wherever possible
Many organizations with strong DevSecOps processes generate dozens if not hundreds of software updates daily. In these environments, relying on manual processes makes it tedious and even impossible for security to keep up. Instead, security tests should be triggered automatically with every build change or as new vulnerabilities are discovered. Automation compensates by ensuring that high levels of security exist across all areas of DevOps, not only as a seamless part of a developer's integrated development environment (IDE) but also within the CI/CD toolchain.
Proactive prevention trumps last-minute detection
When security is embedded from the inside out, it’s harder for nefarious actors to break in. Therefore, proactively addressing and remediating vulnerabilities early on in the development cycle saves time and money compared to remediating in production. It typically costs 2-3x more to remediate security defects after release compared to pre-release QA testing. The old adage is certainly true in security: An ounce of prevention is worth a pound of cure.
Evaluate and analyze current practices
Procedural documents are helpful in creating a framework that ensures best practices are upheld. They keep things simple and concise and offer reliability, predictability and operational efficiency. At the same time, creating a culture of security best practices, such as empowering senior developers to keep records on reviews, deployments and coding methods, ensures that those practices are adhered to. It is also important that developers use sanctioned software components and images from registries and repos that have been tested and approved by cybersecurity. Practice makes perfect, so revisiting and evaluating these frameworks and processes at least twice a year increases the team's ability to address complex DevSecOps concerns.
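The CI/CD gate described under "Understanding the role of containers" and "Test and automate wherever possible", combined with the sanctioned-registry rule above, can be expressed as a small policy check that a pipeline runs on every build. The example below is added here and is not code from the article or from any particular scanner; the JSON report shape, the registry name and the finding IDs are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample: what an image-scan step might hand to the CI gate.
# Illustrative JSON shape only, not any real scanner's output format.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/payments/api:1.4.2",
    "findings": [
        {"id": "VULN-EXAMPLE-001", "severity": "CRITICAL", "fix_available": True},
        {"id": "VULN-EXAMPLE-002", "severity": "HIGH", "fix_available": False},
        {"id": "VULN-EXAMPLE-003", "severity": "MEDIUM", "fix_available": True},
    ],
})

# Assumption: this is the only registry cybersecurity has approved.
APPROVED_REGISTRIES = ("registry.example.internal/",)
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}
# Time-boxed exceptions, so an accepted risk does not silently become permanent.
EXCEPTIONS = {"VULN-EXAMPLE-002": date(2030, 1, 1)}


def evaluate_report(report_json, today=None):
    """Return (passed, reasons). An empty reasons list means the build may proceed."""
    today = today or date.today()
    report = json.loads(report_json)
    reasons = []
    image = report.get("image", "")
    # Rule 1: the image must come from a sanctioned registry.
    if not image.startswith(APPROVED_REGISTRIES):
        reasons.append(f"image {image!r} is not from an approved registry")
    # Rule 2: block on CRITICAL/HIGH findings unless a still-valid exception exists.
    for f in report.get("findings", []):
        sev = f.get("severity", "").upper()
        if sev not in BLOCKING_SEVERITIES:
            continue
        expiry = EXCEPTIONS.get(f["id"])
        if expiry and today <= expiry:
            continue  # risk accepted and the exception has not expired
        reasons.append(f"{f['id']} ({sev}, fix available: {f.get('fix_available', False)})")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = evaluate_report(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL")
    for reason in why:
        print(" -", reason)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

The exit code is what makes this a gate: the pipeline stops at the QA stage instead of letting the finding reach production.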
Everyone must be a part of security
The increased speed of IT fuelled by digital transformation is fundamentally changing how security and developers think and work. However, greater connectivity and faster production pressures can lead to increased risks. The collaboration between DevOps and security teams allows organizations to achieve agility without jeopardizing security, stability and governance. Ensuring effective safeguards at the beginning of the development cycle requires an organization-wide cultural shift and a new mindset in which cybersecurity becomes the responsibility of all stakeholders.
Disclaimer: The views expressed in the article above are those of the author and do not necessarily represent or reflect the views of this publishing house.
Diwakar Dayal, a passionate cybersecurity enthusiast, brings 20 years of experience in IT business management, sales, channel development of advanced technology solutions and services in cyber security and networking within APJ & GC region. Dayal also has start-up experience of developing new LOBs & small teams in MNCs including ideation, strategy, business development, eco-system leverage, scaling up & execution. He is a public speaker & evangelist when it comes to ‘Security’.