The twin trends of digital transformation projects and a growing reliance on cloud services are constantly pushing enterprises to develop, deploy and upgrade applications much faster... the better to keep up with competition and stay ahead of nimble upstarts looking for market share.
The clash between the two (faster application development while keeping code secure) is a tension that’s not easily solved. Over the last several years, the notion of DevSecOps, where security is baked into the software development lifecycle, has started to evolve into one methodology for helping IT and security teams overcome these conflicting priorities.
There is still, however, a significant way to go before the “security” in DevSecOps becomes an integrated part of the digital transformation and application development process.
An October 2019 report developed by 451 Research and sponsored by Synopsys found that “at most organizations, there are more application developers than there are information security professionals.” At the same time, 451 researchers stated that only 9 percent of security budgets are dedicated to application security... at a time when Verizon’s 2019 Data Breach Investigations Report found that over 60 percent of hacking attempts analyzed in the study targeted web applications.
The DevSecOps Cultural Shift
One reason that the security part of DevSecOps remains so difficult is the cultural shift that comes with it. After all, developers want to use DevOps to create new apps faster, deploy them and update as needed. Security teams are still seen as the “Department of No,” slowing down innovation over concerns that attackers are looking for weak points in code in order to penetrate the corporate network.
Absorbing these cultural changes is important; one way is for security teams to make a business case (both to the board and developer teams) to show why good cybersecurity hygiene is integral to the software development lifecycle, suggested Michelle McLean, vice president of product marketing at security firm StackRox.
“It's important to understand that developing DevSecOps means integrating security into DevOps practices, not the other way around. Integrating security into DevOps creates massive impact on the developer culture and what developers see as important,” McLean told Dice.
“To make this initiative successful, security must make the business case clear, so DevOps can more fully appreciate why security is critical to the mission of a company,” McLean added. “Security teams must take the initiative to learn and fit into DevOps culture, which, from a practical standpoint, means going into a situation where a fix is needed with a clear definition of what the problem is. However, rather than dictating a solution, security needs to have several options for addressing it and getting input, advice, and guidance from DevOps to jointly create the resolution.”
If it’s up to security teams to offer practical suggestions to the developers to ensure that good DevSecOps practices are being followed, there are three trends that will play an important role over the next 12 months.
Trend 1: Better Tooling
When it comes to DevSecOps, McLean notes, better use of tooling can help inform the entire app development process. Instead of only focusing on runtime detection, organizations need tooling, structure, and best practices that enable security to be incorporated across the application life-cycle, from build to deploy to run.
“In DevSecOps, it's just as important—arguably more important—to identify security gaps at build and deploy, such as [with] container and Kubernetes vulnerabilities and misconfigurations, as during runtime,” McLean said.
“It’s one thing to tell DevOps teams they have full stack responsibility and must incorporate security early in their build cycles. It's another to help them with the tooling to automatically pinpoint risky builds and risky deployments, leverage the context of Kubernetes to inform that risk prioritization, and integrate that feedback directly in continuous integration and continuous deployment (CI/CD) systems.”
Trend 2: Automation
When it comes to creating a better DevSecOps culture, security teams need to be able to deliver real fixes, since operations teams don’t have the bandwidth to chase every single vulnerability in the code, suggested Thomas Hatch, the CTO and co-founder of security firm SaltStack.
Instead, look to automation to help close the gap. This can help the dev teams ensure that security is considered right away.
“We are finally seeing a trend where developers are ensuring that deployed code and environments are secure on Day 0, rather than being dictated solely by the opportunity to deploy new apps,” Hatch said.
Trend 3: Expanded Attack Surface
While CI/CD is evolving to meet the need for more and more cloud-native software development, including container orchestration, many of the default settings in applications require additional hardening to ensure security, said Jack Mannino, the CEO of nVisium, a company that helps integrate security into the development process.
One reason why more people are paying attention to security issues such as server-side request forgeries, where an attacker tricks a server into accessing data it shouldn’t, is that the attack surface has increased. Developers need to rethink the relationships between different components and how they “talk” to one another.
It’s one reason why businesses should not only incorporate DevSecOps into their planning, but also test applications from many different perspectives for flaws.
“It is important that we perform security testing, during development and in production, from different angles to ensure we’re exercising as many code paths as possible,” Mannino said.