Security is a huge priority across organizations today, whether in the budget or the boardroom. But in order to mitigate growing threats, the actual process of how software is secured – and who is involved in securing it – needs to change.
While DevOps ushers in teamwork, coordination, agility and shared responsibility, it often takes an approach where security is bolted-on, not built-in.
“The alignment of development and operations teams has made it possible to build customized software and business functions far more quickly than before, but security teams continue to be left out of the DevOps conversation,” according to a SANS whitepaper published last year.
To bring security into the conversation, some organizations are implementing DevSecOps, an approach where security is built into the development process, automating core security tasks. According to its proponents, DevSecOps is more efficient and effective at spotting security vulnerabilities early in the life cycle so issues can be spotted before a hacker gets at them.
DevSecOps, a term introduced around five years ago, is described by Gartner as “an objective where security checks and controls are applied automatically and transparently throughout the development and delivery of IT-enabled services in rapid-development DevOps environments. Simply layering on standard security tools and processes won't work. Secure service delivery starts in development, and the most effective DevSecOps programs start at the earliest points in the development process and follow the workload throughout its life cycle.”
With DevSecOps, Security “Radically Visible”
With 111 billion lines of new software code is created every year, there are billions of vulnerabilities need to be identified and remediated, according to a report by Code Dx and Cybersecurity Ventures. As code is shipped faster, security vulnerabilities can be easily missed using traditional approaches which rely too heavily on security experts.
“The way that we do security today is really inefficient, very reliant on experts like me,” Jeff Williams, co-founder and CTO of Contrast Security said in an interview with ITPro. Trying to use human experts to do all of the security work that will be required with these billion lines of software code would be painful, he said.
The legacy approach to security includes tools around static analysis and dynamic analysis that came out in the early 2000s and still require human expertise to implement effectively. Williams said these tools “haven’t reduced the need for experts in the process.” In DevSecOps, technologies need to be easy to use by developers with minimal intervention, he said.
One of those technologies is Williams’ own; he launched Contrast Security three years ago with co-founder and chief scientist Arshan Dabirsiaghi to provide security technology that enables software applications to protect themselves against cyberattacks. The company has grown quickly since its launch and is monitoring 10,000 applications for customers in financials, and three of the Fortune 10.
Williams is also a frequent speaker on DevSecOps, and will be speaking at the DevSecCon conference next week in Boston, where ITPro will be in attendance. Williams will present his talk on turning security into code on Monday.
He said that when a lot of experts talk about DevSecOps, they talk about it in a way where they are wedging security into DevOps.
“Shove in a tool here, do this legacy process as part of DevOps pipeline here,” he said. Instead, “we need to reinvent the way we practice security.”
What this means, according to Williams, is making security work visible, and break it down into pieces as DevOps has done with development. That way you are not just moving the bottleneck, but actually removing it through more automation.
Another element to DevSecOps is making sure that the pipeline is continually improving with “tight feedback loops around every stage” which ensures that when something goes off the rails, it can be remediated right away.
Real-time security visibility is important so everyone can see it and then create checks to make sure the work is on track, he said.
“As soon as you build software you should get feedback right away so you can fix the problem – before you find it in a pen test or God forbid a hacker finds it,” he said.
As part of this security posture, organizations must understand how they react to new vulnerabilities and get ahead of new threats, and how they build themselves in a resilient way.
DevSecOps organizations can do this by constantly changing their threat model, he said. “Who you think are your attackers are, constantly challenge that thing, encourage culture to constantly challenge that thing,” he said.
“We haven’t really got a culture of security experimentation and learning, security blame and hiding and reaction, and the only way to kill that culture for me [is DevSecOps],” he said. “Application security is getting worse despite the effort and work; although we are making slow progress the world of software is exploding.”
A perfect example of application security getting worse can be seen in the news this week with Equifax, who admitted to a breach of personal information - including SSNs - belonging to 143 million of its customers.
Experts are questioning how the credit reporting company secured personal information and what kinds of security measures were in place.
According to Brian Krebs at KrebsOnSecurity, “It’s unclear why Web applications tied to so much sensitive consumer data were left unpatched, but a lack of security leadership at Equifax may have been a contributing factor. Until very recently, the company was searching for someone to fill the role of vice president of cybersecurity, which according to Equifax is akin to the role of a chief information security officer (CISO).”
And while a thorough investigation is to come, one wonders if more security automation in the process could have caught it, over more manual, human-dependent approaches.
"Web Applications vulnerabilities continue to be a critical exposure for many large organizations. Attackers have gotten more sophisticated at probing for flaws in the underlying frameworks that many of these applications are built on top of which can lead to widespread security exposures even for organizations with mature security programs and secure coding practices in place," Mike Cotton, VP of research and development, Digital Defense said in a statement. "As companies continue to pursue more rapid application development capabilities they need to ensure their security program keeps pace and travels at a similar speed."