Scaling Software Security: The advantages of DevSecOps and mastering the keys to success.

Last month, I spent an entire day immersed in the talks of some fantastic speakers at DevSecOps (part of CISO Melbourne brought together by the awesome Michelle Ribeiro and the team at Corinium).

As a speaker on the end-of-day wrap-up panel with Carl Michael and Andrew Horton, my focus was to absorb the day and share the key insights.

I really appreciated this opportunity to fully commit myself to a day of gaining some new insights from the world of DevSecOps and wanted to share these with my LinkedIn community, in case any of this is helpful to you.

This article will cover observations from the day on:

  • The challenges with securing software
  • What DevSecOps is and the advantages of it
  • Some keys to success with implementing DevSecOps
  • Tips and useful resources I picked up before, during & after the event.

To learn more about the excellent speakers I listened to on the day, here is the agenda

The Challenges

In many of the talks during the day, we heard about the challenges faced when it comes to securing software. These challenges broadly fell into 4 categories.

  1. We are not securing software holistically.

As well as scanning code, we need to take steps to secure the entire software development lifecycle, including the pipeline (we had a reminder of the SolarWinds attack and the impact of pipeline poisoning).

However, not all organisations are doing this well. Backing up this point, research has found that 88% of organisations acknowledged more could be done to secure their modern applications across the entire software lifecycle.

2. The challenge with scaling software security

Consider this: according to GitHub estimates, there is currently 1 cybersecurity professional for every 500 developers.

Research cited in a recent ZDNet article found that 81% of organisations said insufficient software security skills and resources were proving a challenge for their organisation.

3. Code and attack surfaces keep expanding (and vulnerabilities along with this)

The amount of software code continues to expand. The State of the Developer Nation Report states that there are 24.3 million software developers around the world, which is 20% more than in 2020. The report predicts that by 2030, there will be 45 million active software developers. It is estimated that software engineers may produce about 93 billion lines of code a year.

We also know that our attack surface has increased with the move to cloud and the ongoing expansion of the Internet of Things (IoT), making it hard to keep up and close all the gaps in our software ‘attack surface’.

According to Rezilion, most organisations have 100k software vulnerabilities in their backlog.

4. Security is seen as a blocker

There is still more work to do to build positive relationships between security and development teams, with Dynatrace research finding that 49% of developers see security as a blocker to innovation.

This could be to do with the fact that some organisations are still doing security too late in the software development lifecycle, which ultimately makes security more costly and time-consuming and may also slow down delivery of new features.

So what is DevSecOps?

Many of my security peers would be familiar with the concept of DevSecOps – indeed we heard at the conference that 56% of organisations are using DevOps or DevSecOps practices.

However, for those less familiar here is a quick recap:

DevOps is the practice of close collaboration between development and operations where everyone becomes accountable for outages, even if they don’t manage the infrastructure.

With DevSecOps, everyone becomes accountable for vulnerabilities, even if they didn’t write the software. Just like the business goal of DevOps is fewer outages, the business goal of DevSecOps is no data loss.

The Advantages of DevSecOps

Throughout the day, we heard from experts about the advantages of using DevSecOps as an approach to securing applications. Broadly these advantages fell into 3 buckets:

  1. Reduced cost AND ability to deliver new features faster

  • Less time and effort spent fixing security issues later in the process.
  • Security is embedded everywhere in the process.
  • Vulnerabilities are remediated faster, meaning features can be delivered faster.

2. Shared goals and responsibility

Dev, Security and Operational teams work together towards the same outcome.

3. Security is part of the team

  • Helps to enable non-security members of the team with knowledge of security and to make security part of everyone’s role
  • This in turn helps to scale your software security

The Keys to Success with DevSecOps

1. The Right Culture

The importance of a good culture was a consistent thread throughout all of the talks. As with other elements of security, it makes sense to focus most of our efforts on people, with process and tech/tools playing a supporting role.

Tips for accelerating the journey

  • Ensure you have that top-down support and emphasise the business benefits.
  • Work closely together as a team – we know that working together on projects can foster a sense of partnership and understanding.
  • Empowerment through training and enablement
  • Context is key – ensure you are taking a risk (not issue) based approach when speaking with stakeholders.

2. Ruthless prioritisation and ongoing tuning

  • Undertake threat modelling – this will enable informed decision making about application security risks
  • Eliminate false positives first
  • Patch what matters – research by Rezilion backs this up: only a small percentage (about 15%) of discovered vulnerabilities are actually loaded into memory and therefore exploitable. In other words, only 15% or so of security bugs actually need to be a high priority for patching.
  • Look to automate the boring stuff and avoid burning out teams with too many manual tasks
  • Focus on the value stream, enabling you to measure and manage the business value of your DevSecOps lifecycle (link below to more details on the value stream).

3. Context is key

Context is the circumstances that form the setting for an event, statement, or idea, and in terms of which it can be fully understood (Oxford Dictionary definition).

With an overwhelming amount of data available, it is critical to build context around that data. Some tips from the speakers included:

  • Understanding what matters to the business
  • Ensure that you focus on risks not issues
  • Focus on business-critical applications first

I really like the analogy used in a recent SecurityWeek article: data is the information presented about symptoms when a patient visits the emergency room; context is the patient's past medical history and the medical team taking that into account when prescribing and prioritising treatments.

Taking this analogy and applying it to software security: data is the information presented on software vulnerabilities. Context is the historical attack patterns, the system and network configuration and vulnerabilities of the ecosystem the software is part of, the compensating controls in place, and the current threat intelligence on how and how often that vulnerability is being exploited. With that context, we can really ensure DevSecOps teams know where they should be focusing their efforts when it comes to security.
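To make the "risks not issues" idea from the prioritisation tips and the context section concrete, here is an added example (not code from the article or from any vendor mentioned in it) of a small, context-aware ranking over a constructed list of findings. The field names, the scoring weights (a reachability factor, a business-criticality multiplier, an exploited-in-the-wild bonus and a per-control discount) and the sample findings are all assumptions chosen to illustrate the approach; a real programme would tune them against its own threat model and telemetry.

```python
"""Context-aware vulnerability prioritisation (illustrative example).

Ranks findings by risk rather than raw CVSS score: a critical finding in
code that is never loaded at runtime, on a non-critical application, should
not outrank a medium finding that is reachable, actively exploited and on a
business-critical system. All weights and sample data are constructed
assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Finding:
    id: str
    app: str
    cvss: float                      # base severity from the scanner (0-10)
    loaded_in_memory: bool           # reachable at runtime (the "15%" observation)
    exploited_in_wild: bool          # current threat intelligence
    business_critical: bool          # context from the business, not the scanner
    compensating_controls: List[str] = field(default_factory=list)
    false_positive: bool = False     # confirmed by triage; eliminated first


# Assumed weights: tune these to your own environment.
UNREACHABLE_FACTOR = 0.25   # code not loaded at runtime is far less urgent
CRITICAL_APP_FACTOR = 1.5   # business-critical applications come first
EXPLOITED_BONUS = 3.0       # active exploitation raises urgency regardless of CVSS
CONTROL_DISCOUNT = 1.0      # each compensating control buys some time


def risk_score(f: Finding) -> float:
    """Combine scanner data with context into a single comparable number."""
    if f.false_positive:
        return 0.0
    reach = 1.0 if f.loaded_in_memory else UNREACHABLE_FACTOR
    biz = CRITICAL_APP_FACTOR if f.business_critical else 1.0
    score = f.cvss * reach * biz
    if f.exploited_in_wild:
        score += EXPLOITED_BONUS
    score -= CONTROL_DISCOUNT * len(f.compensating_controls)
    return round(max(score, 0.0), 2)


def prioritise(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Drop false positives, then order the rest from highest to lowest risk."""
    ranked = [(f.id, risk_score(f)) for f in findings if not f.false_positive]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def patch_now(findings: List[Finding], threshold: float = 9.0) -> List[str]:
    """IDs that should go to the front of the patching queue."""
    return [fid for fid, score in prioritise(findings) if score >= threshold]


# Constructed sample findings (not real CVEs or real applications).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "payments-api", 9.8, True, True, True),
    Finding("VULN-B", "internal-wiki", 9.8, False, False, False),
    Finding("VULN-C", "web-portal", 7.5, True, True, False, ["waf"]),
    Finding("VULN-D", "payments-api", 6.5, True, False, True),
    Finding("VULN-E", "web-portal", 9.0, True, False, False, [], True),
]

if __name__ == "__main__":
    for fid, score in prioritise(SAMPLE_FINDINGS):
        print(f"{fid}: {score}")
    print("patch now:", patch_now(SAMPLE_FINDINGS))
```

Note how VULN-B, a CVSS 9.8 that is never loaded at runtime on a non-critical app, falls to the bottom of the list, while VULN-D, a CVSS 6.5 on the business-critical payments service, lands near the top; that gap between scanner severity and actual risk is exactly the context the speakers were asking teams to build.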

Next steps

Lastly, I wanted to leave you with some great tips and suggestions from the excellent speakers on DevSecOps and beyond, for my fellow security leaders:

1. If you are doing DevSecOps or DevOps today, consider benchmarking your maturity to understand where to go next. Snyk offered a good option that was showcased on the day, with tangible, actionable next steps based on your current maturity.

2. Adding security steps to development teams' procedures was a hot tip from one of the presenters, in terms of ensuring a step gets done. In the same vein, a tip I would also add that I've heard since attending DevSecOps is to talk bugs, not vulnerabilities.

3. With 45% of businesses seeing hybrid/multicloud as critical to their business strategy, ensure you review incident response (IR) for your cloud environments; gathering actionable data from the cloud environment (due to the shared responsibility model) can sometimes be a challenge. Breaking down barriers by engaging stakeholders and building collaboration BEFORE an incident helps to ensure a unified incident management process.

4. To the last point above on how context is important to ensure DevSecOps is successful: this is equally applicable in all aspects of cybersecurity. It will help with the ‘why’, which we know is the key step we must start with when asking our business stakeholders to take cybersecurity actions.

Thank you for taking the time to read my article – I’d love to hear your ideas. What are your keys to success when it comes to DevSecOps? Why aren't more organisations adopting DevSecOps?

Links to research referenced in this article:

Other helpful resources I came across in preparing for the conference:

  • Tanya Janca ‘shifting security everywhere’ at OWASP 2023 Global AppSec conference (Dublin Ireland Feb 13-16)

  • Tanya Janca ‘DevSecOps worst practices’ at RSA Conference 2022

Disclaimer: views expressed in this article are my own and do not necessarily represent the views of my current employer.


What a fantastic summary, Louisa Vogelenzang! Thanks for sharing your key takeaways with everyone as your points are incredibly valuable. It was an absolute pleasure to have you on board, thanks for being part of the event and supporting us in getting more diversity and gender balance across our line-up of speakers. Your help is immeasurable! Looking forward to working with you again sometime soon
