The threat of breaches is top-of-mind for many DevOps teams, and while security continues to shift left it appears to be a driving force for many decision-makers when it comes to choosing a DevOps platform or other technologies.
These were among the results of a GitLabs survey that also found getting security right is the number one challenge for DevOps teams.
Getting it Right
Among the top reasons respondents said they chose DevOps were better code quality, developer productivity and operational efficiency—cited by 37% of survey takers, followed very closely by better security/more secure applications.
The survey also revealed that 53% of developers said they are fully responsible for security in their organizations, a 14% jump from 2021.
Michelle McLean, vice president at Salt Security, said it is risky for organizations to depend on development teams alone for security.
“Security and developer teams need to collaborate and work together–at every point in the application life cycle–not just development,” she explained.
For example, security teams must bring runtime insights back to development so they can be applied for education and training.
“It’s fundamentally important to choose a DevOps platform that either has security capabilities built-in or that can easily integrate with security platforms to facilitate collaboration by security and DevOps teams,” she said. “Otherwise, organizations run the risk of pushing out unsecured software or introducing other risks into the software supply chain.”
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, added that an obsolete mantra in the cloud-native community held that security wasn’t a high priority as proper DevOps workflows meant that incremental changes were small and easily deployed.
He said the Log4j and Log4Shell experiences called that philosophy into question with a recognition that security issues can, and do, occur out-of-band from a release or feature and that continuous monitoring for external threats is part of a properly functioning security process.
“By implementing monitoring for new threats, regardless of source or nature, the ability for cloud-native development to quickly issue tested patches becomes itself a security feature,” he explained.
Understanding the Pipeline
McLean pointed out that while there is a growing understanding of security in the pipeline with DevSecOps, it’s not enough.
“This is particularly true, for example, in the case of APIs. Because APIs aren’t just straight code, you must see them being exercised to spot logic flaws,” she said. “You need the ability to monitor them in runtime in order to spot anomalies and find areas where APIs might be exposing critical data. Although developers write APIs, their testing often falls short for security.”
To accurately see what’s going on with APIs, developers need to exercise the API–even in pre-production.
McLean said this is an area where security and development collaboration and integration is essential–APIs underpin a significant portion of the modern economy and the disconnect between security and development teams can have a direct economic impact.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, added there has always been a delay between the release of new platforms and the awareness that security capabilities for those platforms need to be implemented.
“With cloud-native and serverless technologies, that delay is as short as I remember in my career,” he said. “I greatly prefer the world where everyone at least understands the need for security instead of having to spend time getting buy-in that it matters in the first place.”
He said if you can manage and implement security in a seamless and efficient way early in the development process, it is far easier and cheaper to address issues than addressing them after code has already shipped—and that’s without adding in breach or liability costs.
“You can either fix it in dev or in prod, but you’re going to have to fix it sooner or later,” he said.
McLean noted many organizations are still maturing in their DevOps practices, not to mention their DevSecOps initiatives.
From her perspective, educating developers as to what is expected of them from a security perspective before a line of code is written is key.
“To help increase compliance, we’ve begun to see organizations taking steps to introduce security tooling into their pipeline process and add testing into the build process,” she said.
Then they’ll add a step that triggers an alert for non-compliant builds but won’t prevent the build. Then they’ll add a step that mandates sign-off by the developer that they’ve seen the security alert for a non-compliant build but still won’t interrupt the build.
“In rare organizations with highly mature DevSecOps processes, they’ll fail the build for non-compliance,” she added.
McLean said organizations need to understand what’s realistic given their maturity and risk tolerance and implement controls that match.
They also need to reevaluate those controls to look for opportunities to increase adherence to security policies and other compliance regulations.
Overall, continuing to educate through compliance automation in the software development life cycle (in development, testing and deployment phases) further helps reinforce best practices while ensuring issues are uncovered before they become a risk or technical debt.
Mackey said because DevOps platforms touch the software powering your business, when choosing any DevOps platform, the security of the platform itself and the competencies it enables should always be must-haves.
“In effect, any decision about new software should be based on how it improves the current security capabilities of the business,” he said.