Prioritize Security Without Slowing Down
In 2017, cyberattacks caused $5 billion worth of damages. As a result, organizations have invested heavily: Gartner forecasted worldwide enterprise security spending would reach $96.3 billion in 2018. Despite significant investment, resources remain short and attacks still happen. Skills shortages, technical complexity and the need for automation remain major roadblocks.
Meanwhile, business demand for faster deployments has challenged application security. The traditional approach of applying security at the end of the software development life cycle (SDLC) results in large batches of code being reviewed all at once, long after the developer committed it. This approach halts progress at the very end of the process, when changes are costly and time-consuming. Jay Lyman, a principal analyst at 451 Research, concludes, “In many cases, security testing is not being integrated often or early enough in the process for organizations to fully benefit from reduced risk and rework headaches.”
DevSecOps changes that by embedding automated security testing throughout the SDLC, embracing the “everyone is responsible for security” manifesto by integrating it into the developer’s workflow.
A Faster, Safer Security Paradigm
A new paradigm is necessary that can support the fast, iterative value creation processes of DevOps. Security testing must be seamlessly integrated and automated within the DevOps SDLC. Frequent, incremental scans inform developers immediately of the security flaws they introduce.
This is accomplished via automated security checks built into the continuous integration and delivery (CI/CD) pipeline to test committed code. There is a single source of truth, promoting collaboration between developers and security experts. Developers are empowered to identify and remediate issues within their workflow, and security teams have a dashboard for monitoring and remediation.
Gates Are Not The Solution
Traditionally, enterprises have relied upon gates throughout the deployment process to prevent bad code from reaching production. However, code can also become vulnerable after it has been deployed to production, because of newly discovered exploits and unapplied security patches. Traditional pre-production application security scans will miss these vulnerabilities, while a gate that fails on a pre-existing finding can block an unrelated fix and slow the process. Additionally, gates amplify the negative consequences of false positives. According to a Sonatype DevSecOps survey, “The noise of false positives can drown out the benefits of security scanning.” Faced with that noise, developers tend to work around gates or remove them rather than keep them in place.
Instead of gates, reporting is needed that shows what in production is vulnerable and what effect the proposed change has on the production environment. This allows security experts to oversee applications and flag abnormalities. Ideally, security checkpoints should not automatically block (or “gate”) a pipeline or automatically prevent a new version from being released to production.
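As an added example (not code from the original article, and not any particular scanner's output), the following Python script implements the reporting approach described above: it compares the findings from a scan of what is running in production with the findings from a scan of the proposed change, reports what the change introduces, fixes and carries over, and by default only reports rather than blocking. The optional `block_on` policy lets a team opt into blocking on a narrow set of newly introduced severities; findings that are already in production never block, because blocking on them would hold up a change that did not cause them. The rule ids, paths and sample findings are constructed for this example.

```python
"""Added example: report (rather than gate) the security impact of a change.

Compares a scan of the production baseline with a scan of the proposed change
and classifies each finding as introduced, fixed or carried over. The default
policy only reports. Sample findings and rule ids are constructed; they are not
real scanner output.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule_id: str    # scanner rule, e.g. a CWE or a dependency-audit rule (assumed format)
    location: str   # source path or dependency coordinate
    severity: str   # one of the keys in SEVERITY_ORDER


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _sort_key(f: Finding) -> Tuple[int, str, str]:
    return (SEVERITY_ORDER[f.severity], f.rule_id, f.location)


def diff_findings(baseline: Iterable[Finding],
                  candidate: Iterable[Finding]) -> Dict[str, List[Finding]]:
    """Classify findings by comparing the production baseline with the candidate."""
    base, cand = set(baseline), set(candidate)
    return {
        "introduced": sorted(cand - base, key=_sort_key),    # new with this change
        "fixed": sorted(base - cand, key=_sort_key),         # gone after this change
        "carried_over": sorted(base & cand, key=_sort_key),  # already in production
    }


def decide(diff: Dict[str, List[Finding]],
           block_on: frozenset = frozenset()) -> Tuple[str, List[str]]:
    """Return ("report", reasons) or ("block", reasons).

    With the default empty block_on this is report-only. Only *introduced*
    findings are ever eligible to block: carried-over findings are already in
    production, so blocking on them would stop a change that did not cause them.
    """
    reasons = [f"{f.severity}: {f.rule_id} at {f.location}"
               for f in diff["introduced"] if f.severity in block_on]
    return ("block" if reasons else "report", reasons)


def render_report(diff: Dict[str, List[Finding]]) -> str:
    """Plain-text summary suitable for a merge-request comment or a dashboard."""
    lines = ["Security impact of this change versus production:"]
    for label in ("introduced", "fixed", "carried_over"):
        items = diff[label]
        lines.append(f"  {label} ({len(items)})")
        for f in items:
            lines.append(f"    - [{f.severity}] {f.rule_id} {f.location}")
    return "\n".join(lines)


# Constructed sample scans (not real scanner output).
PRODUCTION_BASELINE = [
    Finding("CWE-79", "templates/profile.html:42", "high"),
    Finding("CWE-798", "config/settings.py:17", "medium"),
    Finding("outdated-dependency", "example-lib@1.2.3", "low"),
]
CANDIDATE_SCAN = [
    Finding("CWE-79", "templates/profile.html:42", "high"),      # still present
    Finding("outdated-dependency", "example-lib@1.2.3", "low"),  # still present
    Finding("CWE-89", "app/search.py:88", "critical"),           # new in this change
]


if __name__ == "__main__":
    d = diff_findings(PRODUCTION_BASELINE, CANDIDATE_SCAN)
    print(render_report(d))
    print(decide(d))                           # report-only default
    print(decide(d, frozenset({"critical"})))  # opt-in: block only on new criticals
```

In the sample data the change removes a hard-coded credential finding, leaves two production findings untouched and introduces one SQL injection finding. Report-only mode surfaces all three facts to the dashboard without stopping the pipeline; with `block_on={"critical"}` only the newly introduced critical finding blocks, and the carried-over high-severity finding never does, so a fix unrelated to it can still ship.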
Automation Is Key
Automation is critical to faster security. Tasking computers with tedious, repetitive work results in a faster mean time to resolution and frees skilled professionals for more value-added work.
Although it requires tightly integrated systems, automated monitoring of production environments enables auto-revert and auto-remediate capabilities. With auto-revert, a system can roll back changes that had a negative effect on production faster and more reliably than a human can. With auto-remediate, a system can detect a vulnerability and apply a known fix, such as an outstanding security patch, automatically. With automation in place, security practitioners are left with only the most complex issues to investigate.
Complements to automation include manual penetration testing, training developers in secure coding practices and using a web application firewall to shield known vulnerabilities in applications already in production. On their own, however, these methods are slow, expensive and do not scale well. It is therefore imperative that a mix of automation and these other methods is used.
Most Productive Roles For Security Pros
With automation taking over some of the functions of security professionals, they are free to focus on the tasks that are most valuable to the team. To prioritize security, their time is best spent shifting left: scanning code before it is committed, running bug bounty programs and testing the effectiveness of security controls.
Ensuring all of these tasks are handled, both proactively and reactively, is the most effective way for security teams to mitigate vulnerabilities, as it’s impossible for automated scanners to catch 100% of vulnerabilities.
Bringing Every Asset To the Table
In DevOps, prioritizing security means making it everyone’s responsibility. Developers are responsible for potential faults in their code and for acting on real-time feedback to correct them. Application security engineers are looped in proactively to review security architecture and processes. Security teams stay vigilant as security is shifted left, squashing potential issues before they fester, and handle any reactive measures.
All team members are essential to maintaining the highest standard of security. In this new security paradigm, every bit of code gets tested upon commit, software can remediate itself and security experts can focus on what they do best: identifying threats and reducing risk.
January 8, 2020