Security and Compliance in DevSecOps - Why DevSecOps matters
In the space of time it takes you to read this blog post and finish your morning coffee, a company at the vanguard of DevSecOps, such as Etsy, Amazon or Netflix, will have completed yet another deployment – one of potentially thousands per day[1]. Deployment frequency has accelerated to a pace that would have been unthinkable just six years ago, often at the cost of robust security assurance of the code under development. So the natural question is: how can companies effectively scale their security processes to keep pace with the velocity of development we see today? My experience has been that a focus on automation alone is insufficient; instead, it takes a blend of automation, cultural change and integration of security processes throughout the development lifecycle to achieve effective layered security in such agile environments.
In my view, effective strategies for marrying security and DevOps are not yet being implemented broadly enough. A combination of budget constraints, a lack of awareness of security and governance best practices, and reactive approaches to security are to blame. Technology and business leaders need to carefully assess what changes are necessary to effectively secure their software development lifecycles.
Effective DevSecOps demands that security practices be “shifted to the left” of the product development lifecycle and integrated into each stage of development, so that security issues are identified and addressed earlier and more cost-effectively than is possible with a traditional, more reactive security approach. This proactive testing paradigm engages security at the outset of the development process, empowers developers with effective tools to identify and remediate security findings, and ensures that only commits that have passed security checks are ultimately pushed to the code repository.
Beyond these changes, the most effective DevSecOps organizations capture continuous feedback from production security tools (e.g. IDS/IPS and RASP) to keep the rulesets and policies of their application security testing tools up to date and relevant to the latest threats. In addition, leading organizations use interactive developer tools that aid identification of issues by providing tailored training, helping developers spot commonly missed classes of vulnerability. Finally, organizations that excel at DevSecOps relate security issues to their business context, which showcases security as an enabler rather than an inhibitor of business expansion.
Another key aspect of DevSecOps is infrastructure. Increasingly, legacy, appliance-focused solutions are being supplanted by software-defined networking, hybrid cloud environments (a mix of on-premises, private cloud and third-party public cloud services, with orchestration between all platforms) and network micro-segmentation (fine-grained security policies assigned to data center applications, down to the workload level). This shift in the prevailing engineering paradigm demands a zero-trust posture: no connection is trusted merely because it originates inside the network perimeter, and every connection attempt, internal or external, must be verified before access is granted. In addition, asset discovery, identity and access management, and monitoring of perimeter assets become even more important with these changes.
The purpose of this post was to share emerging best practices in the DevSecOps domain and security strategies for increasingly rapid deployment cycles. In the next few blog posts, I will dig deeper into best practices for continuous integration and continuous delivery pipelines.
I’ll be publishing on DevSecOps weekly, so please follow my page if this post keeps your interest. Also, don’t hesitate to reach out if you’d like to engage with me directly for a dialogue around DevSecOps pain points and strategies (vendor pitches will not be entertained).
About Swapnil Deshmukh
Swapnil has more than a decade of experience in enterprise cybersecurity, including technical leadership positions in Fortune 500 financial services firms. He is a subject matter expert in the application, cloud and emerging technologies security domains. Swapnil is a co-author of the Hacking Exposed Series, a best practice security handbook, and a frequent contributor at security conferences, roundtables and publications. Swapnil earned his master’s from George Mason University and graduated from the University of Mumbai, with degrees in telecommunications and computer/network engineering, respectively.