The methods we use to develop software have gone through radical transformations over the last five years. ‘Slow and steady’ has evolved into quick and agile methodologies like DevOps.
Based on breaking down the silos between Developers and Operations, DevOps embraces the idea of a shared culture of trust, collaboration and automation. By creating cross-functional teams, organizations have reported numerous benefits, not least a major increase in communication and mutual reliance between teams that share responsibility for on-time deployments and uptime.
And it’s taking over the world.
A recent CA study found that 88% of the 1,500 organizations surveyed had either adopted or were planning to adopt a DevOps approach in the next five years. The DevOps revolution is already underway.
But…DevOps methodologies are missing a vital component in many organizations. The explosion of cloud and SaaS platforms has presented unprecedented challenges for security. In that same CA study, for example, the largest concern about adopting DevOps, cited by 28% of respondents, was security and compliance.
But don’t panic just yet. If Developers and IT pros can come together for the greater good, security can also be a part of that union. DevOps actually presents a fantastic opportunity for security to be integrated more easily, and automatically, throughout the Software Development Lifecycle (SDLC).
Security and DevOps: Lean In
If your organization is considering or has adopted DevOps, it’s time to fully embrace DevOps and Security, practicing it in the way that works best for your organization: DevOpsSec, SecDevOps, or DevSecOps.
We had the chance to speak with Shannon Lietz, a co-founder of the DevSecOps.org site and Senior Manager of Cloud Security Engineering at Intuit. She’s been a DevSecOps proponent “without the label for well over 15 years,” she told us, and does her part to make security better “by helping non-security professionals make informed risk decisions.”
Shannon said that the idea that any security team has the information necessary to do all the decision-making is “mythical and far-fetched at best.” “DevSecOps,” Shannon said, “brings the best of all possible mindsets, frameworks and processes together to create a cooperative environment with the common goal of defeating attackers.”
The most important thing is that if your organization has embraced or is planning to adopt DevOps, it’s up to you to make sure security is well integrated throughout it. With such a huge percentage of organizations adopting DevOps, traditional security processes that gate releases manually will not keep up.
Read more about Achieving Security in DevOps in our AppSec How-To
The biggest barrier to adoption will most likely be getting started. Given the historical divides between developers, QA and security in the vast majority of organizations, you will most likely face resistance from the start.
At the rate of DevOps adoption (and success), you’re going to have to put those battles to rest. If you want security to succeed as well, it’s imperative that you lower the attack surface at every possible point and make doing so as simple as possible for non-security people.
Begin – if you haven’t already – by opening up channels of communication with leaders on every team, from development to QA to IT to the board. Listen to their pain points, both in general and with your existing security controls, and then begin planning which areas need your most immediate attention. Learn which automation tools are already in use and research what similar companies are doing in the face of the DevOps revolution.
Development, Operations and Security are all intertwined and critical to smooth business operations. By opening up with other departments and identifying the “security champions,” the people that are most invested and interested in security, you’re setting the stage for the sort of cooperation that’s essential to integrating security within DevOps.
Traditional security tools and processes that aren’t built to be simple or to scale well will have an impossible time in a DevOps ecosystem. ‘Bad guys’ have been using automation for years already to hunt for weak passwords, exploit SQL injection flaws and cause mass havoc with DDoS attacks hitting 30 million packets per second.
“The only realistic way of maintaining security in an environment that grows so rapidly and changes so quickly is to make it automation first,” Jason Chan, Netflix’s Director of Engineering recently told the Wall Street Journal.
Bringing together security and DevOps means that security testing should be automated and integrated throughout the Software Development Lifecycle (SDLC), just as functional testing already is for QA before production.
The automation available through well-configured static source code analysis (SCA, more commonly called SAST) tools is well suited to the fast-paced world of DevOps. In CI/CD environments there is very little room for manual testing, which can take weeks to return results; by then the code has moved on and the findings have little chance of being fixed.
With your SCA tool integrated into your build automation, code can be scanned automatically after every commit, with full scans run when the pipeline is quiet, for example overnight. And when you’ve integrated your static analysis tool to present its findings in the build and issue tracking systems already in place, developers can fix flagged code immediately, while it is still fresh.
For smooth remediation, it’s also a good idea to adopt a tool offering remediation guidance, which Shannon pinpointed as a way to “see an immediate reduction in the number of security related defects.”
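As an added illustration of the integration described above (not CxSAST or any other product, and not code from the original post), the script below shows the shape of a per-commit static analysis gate: it scans only the files a commit touched, emits each finding as `file:line:` with a remediation hint so the build system can annotate it, and fails the build when a finding reaches a configured severity. The rules, severities and remediation text are constructed for this example; a real SAST engine uses data-flow analysis rather than regular expressions.

```python
"""Minimal static-analysis gate for a CI step (illustrative, not a product).

Shows the integration pattern: scan changed files after a commit, report
findings with file, line and a fix hint, and exit non-zero above a threshold.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed rule set: (id, pattern, severity, remediation hint).
# A real SAST tool tracks data flow; simple patterns are enough to show the flow.
RULES = [
    ("hardcoded-aws-key", r"AKIA[0-9A-Z]{16}", "high",
     "Move the credential to a secrets manager and rotate it."),
    ("python-eval", r"\beval\(", "high",
     "Replace eval() with ast.literal_eval() or an explicit parser."),
    ("weak-hash-md5", r"hashlib\.md5\(", "medium",
     "Use hashlib.sha256(), or a dedicated KDF for passwords."),
    ("shell-true", r"subprocess\.\w+\([^)]*shell=True", "medium",
     "Pass an argument list and drop shell=True."),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    severity: str
    fix: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Apply every rule to every line of one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, severity, fix in RULES:
            if re.search(pattern, line):
                findings.append(Finding(rule, path, lineno, severity, fix))
    return findings


def scan_files(paths) -> list[Finding]:
    """Incremental scan: only the given (changed) Python files are read."""
    findings = []
    for p in map(Path, paths):
        if p.suffix == ".py" and p.is_file():
            findings.extend(scan_text(str(p), p.read_text(errors="replace")))
    return findings


def changed_files(base_ref: str = "HEAD~1") -> list[str]:
    """Files touched since base_ref, so the per-commit scan stays fast."""
    out = subprocess.run(["git", "diff", "--name-only", base_ref, "HEAD"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


def gate(findings, fail_on: str = "high") -> int:
    """Exit code for the CI step: 1 if any finding is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    return 1 if any(SEVERITY_RANK[f.severity] >= threshold for f in findings) else 0


def format_finding(f: Finding) -> str:
    # The file:line: prefix is what most build systems turn into annotations.
    return f"{f.path}:{f.line}: [{f.severity}] {f.rule}: {f.fix}"


if __name__ == "__main__":
    # Usage: python sast_gate.py [files...]; with no arguments, scan the last commit.
    targets = sys.argv[1:] or changed_files()
    found = scan_files(targets)
    for f in found:
        print(format_finding(f))
    sys.exit(gate(found))
```

Run it as a step after the unit tests with `fail_on="high"` for the per-commit gate and, separately, run the full tree overnight with the threshold lowered to "medium" and the output fed to the tracker; the per-commit gate stays fast because it reads only the changed files.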
Treating security as code fits in perfectly with the DevOps approach. It echoes the idea of “infrastructure as code,” a major component of DevOps, which “focuses on customer demand, iteration, speed and scale,” Shannon said.
For security to integrate into DevOps, security needs to be coded into the existing tools and processes. Those legacy procedures that have been stuck in Word docs for ten-plus years? In the “Security as Code” ideology, those documents need to be turned into a set of scripts, Shannon suggested. It’s time to make security built to scale and designed to be predictable.
Coding security into the SDLC allows the security team to better arm the developers and operations teams, supporting their decision-making and allowing those teams to continue their builds without checking off arbitrary boxes or waiting days to receive scan results.
Even better, developers are also given a chance to contribute code back to the security team, “so that security rules and logic can be integrated in a full stack that represents a go-to market product,” Shannon said.
With your security policies coded into templates and configuration scripts, you’re ensuring that the same controls are checked the same way before each deployment. And by automating your program wherever possible, you’re taking the burden off all the teams involved in building and deploying.
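As an added example of the “Security as Code” idea above (this is illustrative code, not from Checkmarx, DevSecOps.org or the original post), the script below takes four rules of the kind that usually live in a policy document and turns them into checks that run over a deployment plan before it is applied. The resource format, the policy identifiers P1 to P4 and the sample plan are all constructed for this example; in practice the input would be a rendered template or the output of a plan step.

```python
"""Policy-as-code check run against a deployment plan (illustrative).

Written policy, one line each, as it might have sat in a Word document:
  P1  No security group may expose SSH (22) or RDP (3389) to the whole internet.
  P2  Every storage bucket must have encryption at rest enabled.
  P3  No storage bucket may be publicly readable.
  P4  Every resource must carry an "owner" tag so findings can be routed.
"""
import ipaddress
import json
import sys

ADMIN_PORTS = {22, 3389}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any prefix that covers the whole address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(res):
    """P1: an admin port reachable from an unrestricted prefix is a violation."""
    for rule in res.get("ingress", []):
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        if ports & ADMIN_PORTS and any(is_world_open(c) for c in rule["cidrs"]):
            yield "P1", f"{res['name']}: admin port open to {rule['cidrs']}"


def check_bucket(res):
    """P2 and P3: encryption must be on and the ACL must not be public."""
    if not res.get("encrypted", False):
        yield "P2", f"{res['name']}: encryption at rest disabled"
    if res.get("acl") == "public-read":
        yield "P3", f"{res['name']}: bucket is publicly readable"


def check_tags(res):
    """P4 applies to every resource type."""
    if "owner" not in res.get("tags", {}):
        yield "P4", f"{res['name']}: missing owner tag"


# Constructed resource types; map each to its type-specific checks.
CHECKS = {"security_group": [check_security_group], "bucket": [check_bucket]}


def evaluate(resources):
    """Return (policy_id, message) for every violation in plan order."""
    violations = []
    for res in resources:
        for check in CHECKS.get(res["type"], []) + [check_tags]:
            violations.extend(check(res))
    return violations


def exit_code(violations) -> int:
    """Non-zero blocks the deployment step; the messages tell the team why."""
    return 1 if violations else 0


# Constructed sample plan: two security groups and two buckets.
SAMPLE_PLAN = [
    {"type": "security_group", "name": "web", "tags": {"owner": "team-web"},
     "ingress": [{"from_port": 80, "to_port": 80, "cidrs": ["0.0.0.0/0"]},
                 {"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"type": "security_group", "name": "bastion", "tags": {},
     "ingress": [{"from_port": 22, "to_port": 22,
                  "cidrs": ["10.0.0.0/8", "0.0.0.0/0"]}]},
    {"type": "bucket", "name": "logs", "encrypted": True, "acl": "private",
     "tags": {"owner": "team-sre"}},
    {"type": "bucket", "name": "assets", "encrypted": False, "acl": "public-read",
     "tags": {"owner": "team-web"}},
]

if __name__ == "__main__":
    # Usage: python policy_check.py plan.json  (or no argument to use the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = evaluate(plan)
    for policy_id, message in found:
        print(f"{policy_id} {message}")
    sys.exit(exit_code(found))
```

Each policy line maps to one small function with the policy identifier in its output, so an auditor can trace a finding back to the written standard, and developers can propose a change to the check in the same pull request as the infrastructure change it affects, which is the contribution path Shannon describes.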
Watch our webinar 10 Steps to Agile Development without Compromising Security to see how LivePerson uses APIs and automated source code analysis to enforce security protocols.
Save the human element for where it is best served: Building bridges between the Operations, Developers and Security teams.
Success in securing DevOps requires leveraging the skill sets and knowledge of each of the teams. It’s the only way security responsibilities can be distributed to the most logical team for the job.
“The best organizations tend to establish a Red team with a hunting approach and drop security gates/approvals in order to set the stage that security is everyone’s responsibility,” Shannon told us. Security teams should engage in stand up meetings, and invite developers to OWASP meetings and in-house security discussions.
Another way organizations have done this is embedding security staff within the devs and ops teams. However you go about it, the idea is to create a lasting partnership. Instead of being gatekeepers, learn to be mentors, facilitating a deeper sense of responsibility.
By breaking down those walls, the scope of security can be better distributed throughout the teams. In turn, it allows for a more shared, vested interest in improving security through each part of the SDLC.
The kind of collaboration necessitated by DevOps requires each team to have an in-depth understanding of what the other teams are doing. You have to get each team to understand that with all the benefits of DevOps ecosystems comes a new array of threats and security risks. And you yourselves must understand why DevOps is doing what it’s doing, so that together you can decide how best to secure the business.
Once the silos between Developers, Operations and Security have been shattered and good relationships have been established, you’re already starting to dissolve whatever tensions there were before. That opens the way to a culture of tolerance and understanding, along with the opportunity for heightened security awareness.
“Security awareness is critical in the evolution of DevOps adoption of the DevSecOps approach,” Shannon said. But without making it engaging, you’re already losing. “Make [learning security] fast and fun and DevOps will show up,” she added. Ideas include gamification and giving “grades.” Internal Capture the Flag (CTF) competitions and bug bounties have succeeded in many organizations. Alongside making security awareness fun, find ways to teach developers the fundamental principles of secure coding.
Using FUD (Fear, Uncertainty and Doubt) as a tactic to get Ops and Devs involved with security will not go over well. What is required of security teams, Shannon told us, is to evolve into scientists and engineers. This includes arming each team with security insights using security science, which the DevSecOps site describes as “the use of data analysis and scientific rigor to provide insights to help steer security decisions to a logical fruition.”
In short, it’s about figuring out what’s working and what’s not working and helping teams make better decisions when it comes to security. Enabling your team to learn from your mistakes and improve in the future allows the whole organization to maintain accuracy while working faster – and more importantly, working smarter.
DevOps is all about speed and scale, and when security doesn’t fit into that mold, it’s going to be tossed aside, no questions asked. Traditional security hasn’t been working for a while – it’s time to embrace new methods and try new tactics.
Embracing the DevOps revolution means not only finding ways to bake security in where it can’t be ignored, but also proving security’s value throughout the organization. Because at the end of the day, everybody’s goal is the success of the organization, it’s just been difficult, in the past, to see the full picture. With DevOps, transparency is key, and security must get on board with that.
Like in most areas of security, we’re all on a maturity curve. Everyone is at a different place and going at a different pace. The important thing is that we’re all leaning in and learning to embrace whatever transitions we’re moving towards.