DevSecOps: When security keeps pace with the agility business needs
Diwakar Dayal
Cybersecurity Business & Technology Thought Leader | UC Berkeley - Haas School of Business | CISSP
DevOps and security teams have historically worked in silos until the end of the development process, resulting in friction between both teams. This is because security is often an afterthought in a race to roll out products and services to market, leaving too little time to address the vulnerabilities that may arise.
The benefits of DevOps are undeniable - increased speed, rapid experimentation and continuous change are now guiding operating tenets to succeed in this competitive market. Unfortunately, cybersecurity has been largely absent from the DevOps conversation despite the growing risks and high-profile breaches over the past several years. This incongruence between DevOps and cybersecurity teams is a symptom of one of the longest-standing disconnects in IT history: the differing and often clashing cultural roots, vocabularies and processes of developers and cybersecurity professionals.
DevOps teams are used to working in agile, fast development cycles, whereas security professionals are trained to focus on control and stability. To further complicate things, security tends to be brought into the picture at the final stages of the development cycle. To overcome challenges relating to speed, poor visibility and limited resources, security teams must set their differences aside and collaborate with DevOps from the beginning of the development cycle rather than being brought in at the end.
Enter DevSecOps
Traditionally, security teams have a reputation for detecting vulnerabilities at the tail end of the development cycle. This usually tarnishes the credibility of the product or service from a security perspective, and it often halts the speed-to-market strategy and sends hours of coding down the drain.
DevSecOps is the philosophy of integrating security practices within the DevOps process. Security leaders can change the ways of working by shifting left, bringing security processes into the planning stages of app development. Focusing on ongoing problem prevention rather than late problem detection helps both teams work efficiently.
Understanding the role of containers
One way of making the shift to work seamlessly with DevOps teams is to understand the role of containers in application development. Containers transform how software is packaged in order to dramatically accelerate and simplify application development and deployment while lowering operational costs and increasing innovation. On the flipside, containers also create a major Cyber Exposure gap. Containers have short lifespans, making them difficult to detect using traditional scanning approaches. On top of that, they are hard to assess for security issues, and container remediation requires a different approach compared to traditional IT.
One key way for security leaders to work with DevOps is to integrate vulnerability assessment and remediation into what are known as Continuous Integration and Continuous Development (CI/CD) systems. This ensures that all new container images are tested for security issues during the quality assurance (QA) phase of the DevOps lifecycle, alongside other tests such as unit and integration testing. Building security into DevOps is a huge win for cybersecurity effectiveness.
Test and automate wherever possible
Many organizations with strong DevSecOps processes generate dozens if not hundreds of software updates daily. In these environments, relying on manual processes makes it tedious, if not impossible, for security to keep up. Instead, security tests should be triggered automatically with every build change or as new vulnerabilities are discovered. Automation makes up for the shortfall in people by ensuring that high levels of security exist across all areas of DevOps, not only as a seamless part of a developer’s integrated development environment (IDE) but also within the CI/CD toolchain.
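As an added illustration of the two preceding points (container images checked for security issues in the QA stage of the pipeline, and that check running automatically on every build), the following is a small tool-agnostic CI gate. It is example code, not from the original article or any particular scanner; the findings format, the image name, the EXAMPLE-nnn identifiers and the blocking policy are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass
class GateResult:
    image: str
    passed: bool = True
    blocking: list = field(default_factory=list)  # reasons the job must fail
    warnings: list = field(default_factory=list)  # reported, never blocking

def evaluate_image(image, findings, exceptions=None, today=None):
    """Gate one image. Policy (an assumption for this example, not a standard):
    CRITICAL always blocks; HIGH blocks only when a fixed version exists, so the
    developer can act now; a finding id in `exceptions` is waived until its
    ISO-8601 expiry date passes; everything else is reported as a warning."""
    today = today or date.today().isoformat()
    exceptions = exceptions or {}
    result = GateResult(image=image)
    for f in findings:
        sev = f["severity"].upper()
        label = f"{f['id']} ({sev}) in {f['package']}"
        expiry = exceptions.get(f["id"])
        if expiry is not None and expiry >= today:  # ISO dates compare as strings
            result.warnings.append(f"{label}: waived until {expiry}")
        elif sev == "CRITICAL" or (sev == "HIGH" and f.get("fixed_in")):
            fix = f"upgrade to {f['fixed_in']}" if f.get("fixed_in") else "no fix published, mitigate or rebase the base image"
            result.blocking.append(f"{label}: {fix}")
        elif SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK["HIGH"]:
            result.warnings.append(f"{label}: no fix available yet, track it")
        else:
            result.warnings.append(label)
    result.passed = not result.blocking
    return result

# Constructed sample scanner output for one freshly built image (not real data).
SAMPLE_FINDINGS = [
    {"id": "EXAMPLE-001", "severity": "CRITICAL", "package": "libssl", "fixed_in": "1.2.4"},
    {"id": "EXAMPLE-002", "severity": "HIGH", "package": "libxml2", "fixed_in": None},
    {"id": "EXAMPLE-003", "severity": "HIGH", "package": "curl", "fixed_in": "8.1.0"},
    {"id": "EXAMPLE-004", "severity": "MEDIUM", "package": "zlib", "fixed_in": "1.3.0"},
]

if __name__ == "__main__":
    verdict = evaluate_image("registry.example/app:build-123", SAMPLE_FINDINGS)
    for kind, lines in (("BLOCK", verdict.blocking), ("WARN ", verdict.warnings)):
        for line in lines:
            print(kind, line)
    raise SystemExit(0 if verdict.passed else 1)  # non-zero exit fails the CI job
```

Run it as the last step of the image build job so a blocking finding fails the pipeline before the image is promoted; the exceptions map is where a time-boxed risk acceptance lives, and it expires on its own instead of silently becoming permanent.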
Proactive prevention trumps last minute detection
When security is embedded from the inside out, it’s harder for nefarious actors to break in. Proactively addressing and remediating vulnerabilities early in the development cycle therefore saves time and money compared to remediating in production. It typically costs 2-3x more to remediate security defects after release than during pre-release QA testing. The old adage is certainly true in security: an ounce of prevention is worth a pound of cure. Collaboration between DevOps and security teams allows organizations to achieve agility without jeopardising security, stability and governance. This way, everyone becomes part of security.
You can read the full article, originally published here - https://cio.economictimes.indiatimes.com/news/corporate-news/devsecops-aligning-conflicting-priorities-to-combine-forces/71964516