Digital technologies introduce remarkable opportunities to innovate and disrupt, but they also require organizations to significantly rethink and rewire internal development processes. One methodology that attempts to address this challenge is DevOps. It has moved into the mainstream over the last few years—nearly 90 percent of organizations now use the technique, according to business and IT consulting firm Capgemini.
The term, which combines the words “development” and “operations,” focuses on improving both the speed and quality of software development through a more automated, streamlined, and collaborative approach. DevOps allows organizations to act and react faster to changes in the marketplace and in technology through better coordination and automation. It also encompasses security tasks that IT operations and InfoSec (information security) operations have handled manually in the past.
Several factors are driving DevOps, including growth in dynamic provisioning, cloud computing models, and shared resources. “DevOps is perhaps the most important innovation that has hit the IT sector since the invention of the personal computer back in the early 1980s,” stated Rick Howard, chief security officer for Palo Alto Networks. “It is the recognition that software creation, deployment, updates, and maintenance are one big system of systems that needs to be managed that way.”
As organizations look to push out new products, services, and more, DevOps is critical. “The IT and business sides of the enterprise must be in sync,” according to David Newberry, principal for application services and platforms at Capgemini Consulting. Yet automating and improving processes doesn’t always yield the best results for security—even when a DevOps initiative encompasses security.
Too often, software development teams place security on the back burner in an attempt to update applications and mobile apps quickly. And as the pressure to speed the release of updates grows, the potential gaps and vulnerabilities multiply. Today, code quality cannot be measured by features and performance alone; it also encompasses code security. Errors, gaps, and glitches lead to an array of problems. Gartner reports that 75 percent of successful attacks occur as a result of known vulnerabilities with known patches and fixes. Here are some of the issues you might want to ask your security teams about:
- Injection attacks: This method relies on code vulnerabilities to trigger a breach. Specially crafted input, interpreted by the application as a command, allows an attacker to gain access to a system or database and make changes.
- Cross-site scripting: An infected site or webpage automatically downloads code that infects the system. This can lead to cyber crooks installing various types of malware on systems.
- Data leakage and theft: Subpar coding can result in data leakage or theft. This can occur as a result of poor or missing encryption techniques, or configuring applications and servers improperly. The result can be lost, destroyed, or manipulated data.
- Access controls and credentials: Anything less than strong authentication introduces risk to the enterprise. An organization must focus on limiting privileges to those who require access and ensuring that systems use strong passwords. There’s also a need for multi-factor authentication and, in some cases, biometric authentication.
- Open-source components: Development teams, particularly those working in DevOps environments, increasingly rely on open-source components and libraries to streamline and speed projects. But without safeguards, teams might introduce vulnerabilities unknowingly. The recent Equifax breach reportedly hinged on open-source code that hadn’t been updated.
A more secure approach
As the stakes grow and the risks increase, more and more organizations are adopting a security-centric approach to DevOps. As they look to speed internal processes but maintain a high level of protection, they’re turning to an approach called DevSecOps. Gartner analyst Neil MacDonald coined the term in 2012. DevSecOps aims to balance speed and flexibility of service delivery with a more secure approach that breaks down silos and promotes a framework that revolves around code consistency and security.
The approach focuses on several key areas, including: assessing security controls for the cloud and on-premises systems; understanding data types and sensitivity; analyzing existing controls; identifying gaps; and, finally, introducing controls that don’t get in the way of automated processes and fast delivery.
Industry security organization SANS Institute, in A DevSecOps Playbook, recommends shifting organizational thinking. “If security teams are going to be a core component of DevSecOps, they must impress upon development and operations that they can bring a series of tests and quality conditions to bear on production code pushes without slowing the process,” the report noted. “If security parameters and metrics are incorporated into development and test qualifications, then the chance for security to be involved in the processes for DevOps is much higher.”
Ultimately, according to the report, an organization must establish key parameters and critical qualifiers that have to be met before any code can be pushed forward or put into operation. To understand what code is secure and what code isn’t secure, it’s critical to use the right tools. The SANS Institute recommends security teams and developers use both static and dynamic scanning methods to detect and fix code flaws before they wind up in live applications. When application scanning tools are used in an automated way, it’s possible to spot issues in real time and fix them before breaches take place.
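As an added example that is not from the article or the SANS playbook, the following Python script turns the “critical qualifiers” idea into an automated pipeline gate: it consumes scanner findings and an open-source dependency inventory (both constructed here, in an assumed shape rather than any real tool’s report format) and refuses the push when any qualifier fails, including the “known vulnerability with a known fix” case the article singles out.

```python
"""Added example, not from the article or the SANS playbook: a pipeline gate
that turns agreed "critical qualifiers" into code (report shapes are assumed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Qualifiers agreed before any push; these thresholds are assumptions.
MAX_FINDINGS = {"high": 0, "medium": 3}
FORBIDDEN_RULES = {"hardcoded-credential", "sql-injection"}

@dataclass(frozen=True)
class Finding:            # one static/dynamic scanner result
    rule: str
    severity: str
    location: str

@dataclass(frozen=True)
class Component:          # one open-source dependency from an inventory
    name: str
    version: str
    fixed_version: Optional[str]   # None when no known vulnerability or patch

def evaluate_gate(findings: List[Finding],
                  components: List[Component]) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Every failed qualifier is listed so the
    developer sees the full remediation list, not just the first failure."""
    reasons = []
    by_sev = {}
    for f in findings:
        by_sev[f.severity] = by_sev.get(f.severity, 0) + 1
        if f.rule in FORBIDDEN_RULES:
            reasons.append(f"forbidden rule {f.rule} at {f.location}")
    for sev, limit in MAX_FINDINGS.items():
        if by_sev.get(sev, 0) > limit:
            reasons.append(f"{by_sev[sev]} {sev} findings exceed limit {limit}")
    # Known vulnerability with a known fix: the class of issue the article
    # says accounts for most successful attacks, so it is an automatic stop.
    for c in components:
        if c.fixed_version is not None:
            reasons.append(f"{c.name} {c.version}: fix {c.fixed_version} available")
    return (not reasons, reasons)

# Constructed sample input standing in for SAST/DAST and dependency reports.
SAMPLE_FINDINGS = [Finding("sql-injection", "high", "app/db.py:42"),
                   Finding("unused-import", "low", "app/util.py:3")]
SAMPLE_COMPONENTS = [Component("example-lib", "1.4.0", "1.4.1"),  # constructed
                     Component("other-lib", "2.0.0", None)]

if __name__ == "__main__":
    ok, why = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_COMPONENTS)
    raise SystemExit(0 if ok else "FAIL:\n  " + "\n  ".join(why))
```

Run as the last step of a CI job: a non-zero exit blocks the merge, and the printed reasons give the developer the remediation list the article says should accompany a failed check.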
Locking down code
An effective DevSecOps framework also involves revamping processes and workflows. This may require code reviews, peer code reviews, whitelisting, and remediation guidance. There’s a need for security champions who can promote security and deliver help when and where it’s required. Finally, organizations must adopt a strong training framework that includes classroom learning, online learning, lunch-and-learn sessions, so-called “capture-the-flag” contests, bug bounty games, and other creative ways to shore up knowledge and adopt a more security-centric approach to DevOps.
Clearly, DevOps is here to stay. It’s helping organizations of all shapes and sizes take performance to a new level. At its best, it can unleash enormous progress and innovation. However, executive leadership must make certain that security is baked into the initiative from the code up, and developers and other key players fully understand their roles and responsibilities. Concluded Howard: “DevOps is the glue between all the systems. Security is at the center of an effective strategy.”