Introduction to DevSecOps
Ask any cyber security expert about the current threat landscape and you will find a similar statement in their answers, i.e. the number of threats has increased exponentially. It is expected that by 2021, cybercrime damages will cost $6 trillion. Along similar lines, the Ponemon Institute has found that the average cost of a data breach to companies worldwide is $3.86 million, while for US-based companies this figure stands at $7.91 million. Even worse, it takes a company an average of 196 days to identify a data breach.
The digital medium is now preferred for almost everything. This creates a tension between cybersecurity and the high-speed development process required by today’s extremely competitive marketplace. On one hand, security and privacy are often treated as post-development activities or, even worse, ignored altogether. For example, TalkTalk was fined a total of £400,000 after an attacker stole the personal data of more than 150,000 customers. On the other hand, the software development mechanism of a business must be agile and innovative in order to survive.
Decision-makers need to understand that when an organization suffers a data breach, the losses are not limited to the organization itself. Its own damages include data theft, reputational loss, legal fees, exposure of IPR, confidential data and trade secrets, and regulatory fines, etc. Its customers are harmed as well, as the attackers violate their privacy, carry out targeted phishing attacks and commit identity theft, among many other cyber crimes.
Security and privacy principles are often taken into consideration only after a piece of software or an application has been deployed or is about to be deployed, i.e. at the last stage of the software development life cycle. Traditionally, a specific team, such as an internal security team, was given the responsibility of looking after the software’s security after development or deployment.
DevOps generally ensures rapid development cycles to expedite product delivery. DevSecOps, a relatively new concept, adds the security perspective by making security a shared responsibility of the entire development team. It resolves the tension between security and rapid development by:
- Fixing security flaws upon discovery during the development life cycle
- Reducing costs and manpower required to fix security flaws after development
- Writing code with security in mind throughout the life cycle
Why is DevSecOps relevant?
In the last decade or so, a CISO/CIO having a seat on the Board has influenced the decision-making process for allocating appropriate funds to an organization’s security. However, the lack of talent in the cyber security domain is a well-known industry crisis. As a result, the speed at which business operations should be performed is not achieved.
With the increasing demand for DevOps, public cloud services and agile development processes, traditional security processes have significantly hindered the development life cycle, and hence they are often bypassed altogether. Traditional security processes rest on the assumption that the internal security team can find defects in a system before its release. At times, major security flaws are discovered at that stage, which in turn lengthens the overall development process and negates the concept of DevOps.
Hence, it is safe to state that this viewpoint is inherently problematic because it increases the friction between security objectives and business goals. Moreover, after the development process has been completed, the security team may or may not have all the information they need. With the introduction of DevSecOps, neither the business operators nor the security team has to bear the associated risks alone. They complement each other: the security team assists the business operators with appropriate security tools and technologies, while the business operators familiarize the security team with business goals and objectives.
Benefits of DevSecOps
Just like every other security-related activity, three components play a vital role in DevSecOps: people, process and technology.
Irrespective of technical advancements, humans will continue to be the weakest factor in the cyber security ecosystem. To implement DevSecOps, the human factor is the starting point: the development team should be integrated with the security team, or vice versa, i.e. moving from an exclusive to an inclusive model. Along with implementing the agile development methodology, security experts must be heard and their views incorporated throughout the process.
Within an organization, every team has its own set of processes. For example, the security team will have a clearly defined process for incident response, while the finance team will have a properly defined process for allocating budgets for buying new tools and technologies. Too often, these processes remain in silos and are not interconnected. DevSecOps aims to increase cooperation and achieve the highest possible level of security by aligning the following essential policies:
- Metadata and version control systems (VCS)
- Security tools and access control
- Regulatory compliance
- Incident response and management
- Threat intelligence and vulnerability management
- Bug Bounties
- Using security tools in continuous integration, continuous delivery (CI/CD)
In order to execute these processes and implement DevSecOps, appropriate technologies are required. The following technologies are necessary:
- Automation & Configuration Management
- Secure Coding Practices
- Auditing and scanning at application-level
- Automated vulnerability assessment and penetration testing (VAPT) tools
- Automated scans for compliance
- Host Hardening
- Patching at CI/CD level
We will be exploring these best practices in an upcoming article.
Unlike traditional security activities, DevSecOps integrates automated security activities designed to minimize disruption to operations and keep pace with innovation. The concept of DevSecOps shifts the focus from reactive to proactive. By implementing security measures early and often, the organization’s overall value increases. When DevOps evolves into DevSecOps, everyone benefits.