Security Experts:

Embracing the Cultural Shift that Comes with Secure DevOps

Previously, I’ve written about bridging the cybersecurity knowledge gap in the boardroom. There’s another area where we need to bridge a cybersecurity gap and that’s in the software development lifecycle.

As organizations strive to innovate quickly and be more agile, development teams are driven to deliver code faster and with more stability. Enter DevOps, which Gartner characterizes as the rapid and agile iteration from development into operations, with continuous monitoring and analytics at the core. DevOps has quickly taken hold and, according to the RightScale 2017 State of the Cloud Report, overall adoption has reached 78 percent and 84 percent among enterprises.  

DevOpsUnlike traditional development processes where code is developed and turned over to another team for testing, often going through multiple iterations before being approved for configuration and deployment, DevOps uses automation and encourages collaboration to streamline an often long, cumbersome process. In so doing, it introduces a cultural shift where operations, development, and IT teams all have a seat at the table throughout the development cycle. But what about security? 

In a DevOps model, developers use automation to test, configure, and deploy their own code quickly. Organizations are beginning to layer in security automation to add controls that help address legal and regulatory compliance requirements and manage risk. While this is a great start, we need to do more than “check the security box” with a few bolted-on tools. Security also needs a seat at the table to integrate ongoing compliance and risk mitigation given the increasingly complex and dynamic threat landscape. This introduces another dimension to the cultural shift required for DevOps success. To help ease this shift, here are five things you should think about as you incorporate security into your DevOps program. 

1. Get security involved early in the development lifecycle. Threat modeling should start at the initial stages, when requirement gathering and design begins. With early visibility, you can avoid systemic issues and take a more proactive approach to safeguard valuable data and systems to address compliance requirements. Wait too long to consider security and you’ll incur costs and waste precious time retooling to retrofit controls and responding to events. 

2. Incorporate security often in the development process. This is where automation comes in, allowing you to bake security into DevOps. Furthermore, when security professionals are part of the team, they can provide expertise on when and how to best apply automation in a way that is seamless throughout the cycle – sometimes with out-of-the-box solutions and other times with surgically crafted security tools. 

3. Consider where you can defer risk. In the same RightScale report, 80% of respondents were found to be cloud users, with 89% using public clouds. Whether you’re deploying on Amazon Web Services (AWS) or on virtual machines in a public cloud, by thinking through your threat model you can determine when it is appropriate to defer risk to other entities (transferring some security assurance responsibility to them) and when to absorb it yourself. To do this effectively, you’ll need a comprehensive third-party risk management program which includes a solid understanding of your cloud provider’s shared responsibility model.

4. Map responsibility to the role. To date, most DevOps programs put the onus on developers to address security; their roles have been expanded to include the responsibility of using automated security controls to inject security into the development process. Giving security a seat at the table doesn’t replace these efforts, but complements them. For example, experts in application security understand coding and how an application is built, allowing them to construct threat models and determine how code could be broken. Infrastructure security professionals excel in the areas of vulnerability scanning, network penetration testing, configuration review, and the use of segmentation to strengthen defenses. Incident response experts can help identify ways to efficiently and effectively mitigate risk when a breach does happen. Successful DevOps programs make everyone responsible for security and compliance with clear roles mapped to expertise and workflow. Moreover, leveraging pre-existing expertise increases business efficiency.

5. Know when to rely on automation and when to involve a human. While automation has done a lot to add security to the DevOps process, there can be a misconception that automation alone will suffice. But consider the case of continuous vulnerability scanning. Developers should rely on an automated tool for this control. However, when a vulnerability is discovered you still need an expert to analyze scan data and make decisions. Or consider a “by design” vulnerability. In this scenario the code is tested, deemed secure, and deployed, but because it is difficult to detect design vulnerabilities through code testing, the vulnerability enters the production environment. By reviewing the business logic and thinking like an attacker, a security professional can identify security issues – such as the ability to abuse a file upload function, or look up users’ information that could help to create a logical password to bypass authentication – and recommend fixes. 

With the rapid and widespread adoption of DevOps, it’s clear that the discipline has done a lot to help organizations meet their goals for innovation and agility. But as regulatory requirements and cyber risk continue to mount, security must be included within the software development lifecycle to ensure ongoing success. By understanding and easing the cultural shift this entails, you can save time and money and sleep better at night with security occupying a seat at the DevOps table.

view counter
Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.