DevSecOps Deep Dive Part One
In this deeper-dive series, we will more closely examine the practicalities and challenges of each of Gartner’s suggested steps for DevSecOps adoption.
We recently examined DevSecOps in broad overview as it applies to the current app-security landscape. Part One looks at restructuring the design and development process to integrate security.
Why Sec needs to be added to DevOps
While DevOps emphasizes integration and co-operation between formerly divided departments, it must still recognize the distinction between development and operations. In DevOps, development has a deeper meaning than just crafting, coding and building the intended product; it begins with the basic conception of the product and designing the infrastructure of its production. Ilia Kolochenko, CEO of High-Tech Bridge, explains why this necessarily connects to security:
“Application security starts with secure and clear design of the application and related components. Before starting development, you need to plan how to handle security, reliability, compliance requirements (if any) and data encryption. Otherwise, any substantial corrections at later stages can easily get extremely expensive.”
Without the inclusion of Security in the development phase, security automatically becomes an afterthought added at or after the operations phase. This is rarely cost-efficient or cost-effective. Indeed, data protection legislation, such as GDPR, is increasingly requiring that new products are ‘secure by design’.
What is required to integrate security into development?
Gartner’s first recommendation to achieve the strongest organizational security is to re-work the software development life-cycle (the SDLC), beginning with how applications are architected and developed. The vital facets of the “DevSec” part of DevSecOps are as follows:
With any cloud-based product or service, scalability is an important feature. As the number of users grows or contracts, demands on the backend change correspondingly. With more users, more servers are needed, so infrastructure needs to be architected into the SDLC to add servers without disrupting the app’s operational state or compromising security. This also applies to where and how data is stored; Infrastructure as a Service (IaaS) can be leveraged to better adapt to the security needs of any stored data.
Microservices are gaining more and more attention; a microservice model compartmentalizes each facet of the product rather than having a single, all-encompassing release schedule. This is a boon for scalability, but also for security; it decreases the amount of damage an attacker can do, while making it easier for Security to respond quickly and fix the vulnerability. A microservice-based model with strong security protocols should be seriously considered for DevSecOps.
48% of enterprises will have implemented microservices or containers by the end of 2018
Containers provide a similar function to microservices. According to 451 Research in 2017, 45% of enterprises already have, or intend to implement, one or the other over the next 12 months.
Security by Design
The security team should be brought in and allowed to contribute to the design, intended function and desired mode of operation of the product. This is not just to incorporate security features from the ground up; it will also give Security more intimate knowledge of the application’s fundamental structure. Anything that reduces guesswork and eliminates obstacles to quick-turnaround security patching benefits both application security and the integral functionality of the app.
A DevOps workflow will already have the framework for continuous functionality testing in place. DevSecOps needs to incorporate security into the continuous testing; the principle of ‘fail fast’ will allow the development team to implement adaptive, incremental updates. Security issues should be tested for with equal priority to the core functionality of the product, and indeed treated as a necessary feature. Automation should be put in place whenever possible.
The challenges presented by the need for DevSecOps
A thorough and detailed inventory needs to be kept of all applications and components. This applies not only to the product, but to the development pipeline as well. In the current landscape, end products and production environments are assembled more than they are developed, with 96% of applications found to use open source components in 2017.
96% of applications use third-party, open-source components.
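The inventory and fail-fast testing described above can be combined into one automated pipeline step. The following is an added illustration, not High-Tech Bridge or Gartner code; the package names, versions and advisory ids are constructed, and a real pipeline would read the manifest from the repository and the advisories from a vulnerability feed.

```python
import re

# Constructed sample inputs: pinned dependency manifest and advisory feed.
# Advisory tuples are (advisory id, package, first fixed version).
MANIFEST = """\
examplelib-web==2.3.1
examplelib-xml==1.0.4   # parser
examplelib-auth==4.10.0
build-helper==0.9.2
"""
ADVISORIES = [
    ("EXAMPLE-ADV-0001", "examplelib-xml", "1.0.5"),
    ("EXAMPLE-ADV-0002", "examplelib-auth", "4.9.0"),
    ("EXAMPLE-ADV-0003", "not-installed", "9.9.9"),
]
PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")

def parse_version(text):
    """Turn '4.10.0' into (4, 10, 0) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))

def build_inventory(manifest):
    """Return {package: version}; reject unpinned lines so nothing is untracked."""
    inventory = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = PIN.match(line)
        if line and match is None:
            raise ValueError(f"unpinned or malformed entry: {raw!r}")
        if match:
            inventory[match.group(1).lower()] = match.group(2)
    return inventory

def audit(inventory, advisories):
    """List (advisory id, package, installed, fixed) for versions below the fix."""
    findings = []
    for adv_id, package, fixed in advisories:
        installed = inventory.get(package)
        if installed and parse_version(installed) < parse_version(fixed):
            findings.append((adv_id, package, installed, fixed))
    return findings

def gate(manifest, advisories):
    # Status for the pipeline step: 0 passes, 1 fails the build.
    return 1 if audit(build_inventory(manifest), advisories) else 0

if __name__ == "__main__":
    for finding in audit(build_inventory(MANIFEST), ADVISORIES):
        print("VULNERABLE %s: %s %s < %s" % finding)
    print("gate status:", gate(MANIFEST, ADVISORIES))  # pass to sys.exit() in CI
```

Rejecting unpinned entries keeps the inventory exact, and comparing versions numerically avoids flagging 4.10.0 as older than 4.9.0.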
Cyber-attacks have traditionally targeted the product or runtime; they have been more of a direct issue for Operations than they have for Development. With DevSecOps spreading the responsibility for security more evenly and holistically through the SDLC, we can expect attackers to start targeting Development more often. Organizations will need to pay as much attention to internal security as external; this includes all components used, the services and code used for automation in the development pipeline and the organization’s programmable infrastructure. A breach in the development cycle will become as significant as – and lead to – a breach in the overall product.
A ground-up restructuring of this nature is no simple task, and may be especially off-putting to organizations which have been slow to respond to DevOps in general. However, DevSecOps’ long-term benefits cannot be ignored, and the challenges presented are well worth meeting.
Why must security be integrated into Development?
In the long run, these challenges will lead to better overall organizational security. With continuous security testing during the development cycle, zero-day exploits will become less frequent. Even when they do happen, the scalable, microservice-based infrastructure will minimize any damage from them. The security team will be able to respond to issues that do occur quickly and effectively, with infrastructure in place to roll out targeted security fixes without disrupting the user experience.
According to the 2018 DORA State of DevOps report, the highest-performing DevOps teams are able to respond to emerging issues within hours, while a further 48% can deploy a fix in under a week. By implication, if DevSecOps can respond to security threats with similar speed, there is a much greater likelihood that the team can remain ahead of adversaries during development, while producing a product that is secure by design.
55% of DevOps adopters can deploy fixes for issues in under 7 days.
Compliance is a prominent benefit of DevSecOps. The GDPR (Article 25) demands data protection by design, and penalties are often decided by the factor of “could more have been done?” to prevent breaches and protect data. Security by design is innate to the DevSecOps workflow, and being able to show that damage minimization, fast security response and secure data storage are all integral to the SDLC will be heavily favored by regulators.
Six of the current OWASP top ten application security threats are either explicitly based in Development or can be mitigated by stronger security earlier in the development cycle. Using components with known vulnerabilities (A9), security misconfiguration (A6), insecure deserialization (A8), broken access control (A5) and XML external entities (A4) can all be prevented by incorporating security into development. A10, insufficient logging and monitoring, is naturally solved by properly implemented DevSecOps.
Gartner predicts that DevSecOps will be integrated into 80% of rapid development teams by 2021. It’s important to lay the framework for DevSecOps adoption as soon as possible in order to remain competitive with the industry.
However, business leaders are still dragging their feet. A 2018 survey by Threat Stack reported that 52% of companies admit to cutting back on security measures to meet a business deadline or objective. “Since the directive for speed starts at the very top,” says the report, “it's hard to ignore; even if it means that security becomes roadkill in the process.”
Immuniweb in DevSecOps
We’ve seen that even in the earliest phases of development, application discovery and continuous, automated testing are key features of a strong DevSecOps implementation. High-Tech Bridge’s Immuniweb platform offers intelligent discovery, continuous application testing and more, all easily integrated into any workflow, letting Development and Security work together with all the information they need.