From DevOps to DevSecOps: Tips for building the right cybersecurity tools and mindset into DevOps

Scott Ely
Published in ArrowheadLabs
5 min read, Jan 6, 2020
Photo by Matt Moor, licensed under CC BY-SA 2.0

In a previous article, my colleague J.R. Jesson addressed key areas where DevOps implementations might get stuck. In our experience working with IT organizations within Fortune 500 companies, cybersecurity has become a mandatory function. However, reminiscent of the friction between development and operations that started the DevOps movement almost a decade ago, cybersecurity, as a shared service, is the next critical functional interaction to get right as organizations operate under increasing customer and business demands, with shortened business cycles.

As DevOps practices like Continuous Integration (CI) and Continuous Deployment (CD) gain more traction in organizations, cybersecurity needs to evolve so that every type of delivery or technical change has security built into solutions from the start. Often, “security” becomes a bottleneck as a side effect of “securing” or “hardening” components post-development. On the other side of the functional divide, delivery organizations typically lack security awareness. Some in this group might believe that the cybersecurity organization will impede or block deployment if there are security related issues discovered in the later stages of delivery.

Cybersecurity adversaries have created entire business ecosystems that persistently scan and attack any vulnerable asset automatically for an immediate return on investment. Compromised data is then cleansed and combined to make it as useful and valuable as possible. The old saying, “We have to be right 100% of the time, and hackers only need to be right once,” is very real.

In this new persistent threat landscape, adversaries have automated virtually every aspect of the unified kill chain to exploit and collect your assets. A kill chain is a visual representation (shown in the next figure) of the steps an adversary takes to model an intrusion against a network. From a defensive perspective, we can also automate security at each step by deploying countermeasures and controls by default during deployment. Defensive automation increases the cost and time it takes adversaries to be successful, which consequently reduces the loss magnitude of customer or corporate data. Automating security by default enables teams to focus on developing innovative solutions to customer problems while knowing that when they deploy to production, all hardware and applications have been securely provisioned and configured for them using actual organizational threat intelligence.

Pols, Paul. “The Unified Kill Chain.” 2017 PDF File

Given this new reality, we’re convinced that DevOps must become DevSecOps, incorporating a predictive and proactive cybersecurity mindset. This implies that security is automatically configured through the DevOps pipeline with built-in tools for detecting potential vulnerabilities, and including technical components that automate an attack response.

For most organizations, the average time from detection to remediation is over six months. Without automation, those organizations have already lost valuable data and lost the time and expense required to investigate, remediate and recover compromised assets — a process that can be extraordinarily expensive and time-intensive.

To better illustrate this point, I’ve included an attack diagram by Trey Blalock of Verification Labs that shows the flow of an attack through a sample organization’s implemented security controls.

Obviously, each organization has different security controls and tools, but this illustrates the importance of rethinking where we weigh our priorities and projects toward preventative security, thus reducing our reliance on slow and manual processes and tools for incident response.

The left side of the diagram is entirely the realm of DevSecOps and in control of the technical teams to implement. This clearly shows that a majority of the cybersecurity budget should be invested here for improved, automated security while reducing the resources required to combat attacks.

Blalock, Trey. “Attack Flow.” 2018

So, what can we do?

Shifting to proactive security requires an organization’s culture to become more collaborative across the business through the practice of DevSecOps. We must fundamentally change how we design and deliver security by building it into the release process.

The right answer is to embed security, as a shared service, into the teams that are building the product and implement “by default” security capabilities through a single continuous delivery pipeline. Since all development teams use these tools to push features into production, the organization’s current security posture and inventory are always understood and available in real-time.

An initial capability may be creating a tool to automate a manual and time-intensive task, but from there we can build those tools into a DevOps pipeline. This ensures the adoption of the latest security controls and best practices as a function of deployment.

Functionally speaking, cybersecurity capabilities typically fall into three categories.

  1. Security by default: when you deploy to production, secure configurations for both application and hardware are automatically set. Security tooling is built directly into the pipeline and deployed with the release.
  2. Automated defense and response: production environment assets can detect anomalies and take automatic action before alerting the Security Operations Center (SOC). These automated protections may include blocking an IP, making a forensic snapshot before an asset rebuilds itself, or even isolating itself from the internal network when a transfer limit is exceeded.
  3. Self-service: most organizations have services they provide to internal customers. We should always seek to build cybersecurity-focused self-service tools to improve customer satisfaction and reduce time to delivery. If we design self-service correctly with accessible APIs, automation naturally evolves over time.
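As an added illustration of the second category (automated defense and response), not code from the article or from Arrowhead Labs, the following Python sketch turns a constructed egress log into an ordered response plan for any asset that exceeds a transfer limit: snapshot first so evidence survives, then block and isolate, then rebuild, and only then alert the SOC. The log format, asset names, IP addresses and the 500 MiB limit are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample egress log, one record per line: "<asset> <dest_ip> <bytes_out>"
SAMPLE_LOG = """\
web-01 203.0.113.10 52428800
web-01 203.0.113.10 734003200
db-02 198.51.100.7 1048576
web-03 203.0.113.55 10485760
"""

TRANSFER_LIMIT_BYTES = 500 * 1024 * 1024  # assumed per-asset egress limit


@dataclass
class ResponsePlan:
    asset: str
    actions: list = field(default_factory=list)  # ordered automated steps
    alert_soc: bool = False                     # SOC is told after actions run


def parse_egress(log_text):
    """Aggregate the sample log into {asset: {dest_ip: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        asset, dest, nbytes = line.split()
        totals[asset][dest] += int(nbytes)
    return totals


def plan_responses(totals, limit=TRANSFER_LIMIT_BYTES):
    """Return one ResponsePlan per asset whose total egress exceeds the limit.
    Order matters: preserve evidence, then contain, then rebuild, then alert."""
    plans = []
    for asset, by_dest in totals.items():
        if sum(by_dest.values()) <= limit:
            continue
        plan = ResponsePlan(asset)
        plan.actions.append(f"forensic_snapshot:{asset}")
        for dest in by_dest:  # block every destination the asset was sending to
            plan.actions.append(f"block_ip:{dest}")
        plan.actions.append(f"isolate_from_internal_network:{asset}")
        plan.actions.append(f"rebuild:{asset}")
        plan.alert_soc = True
        plans.append(plan)
    return plans


if __name__ == "__main__":
    for p in plan_responses(parse_egress(SAMPLE_LOG)):
        print(p.asset, p.actions, "alert SOC:", p.alert_soc)
```

The action strings stand in for calls to whatever firewall, snapshot and orchestration APIs an organization actually runs in its pipeline.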

In practice, once you make the mental shift left and begin to automate through your DevOps pipeline, teams will come up with new ways to improve the time to deliver value. This is not complicated, but overcoming the potential gravity of the status quo is sometimes the most challenging aspect of teams trying to innovate. With good leadership and a clear commitment to the DevSecOps principles, organizations can be successful in reducing cyber risk, while increasing their agility and ability to meet customer demands.


If you would like a simple plan for your organization, Arrowhead Labs has an extraordinary breadth of experience from Engineering to Cybersecurity and Product Development. Our teams can engage from assessment to coaching to provide you with clarity around your strengths and organizational issues and provide a prioritized plan for transforming. Ultimately, we save clients money, but more importantly, reduce the time it takes to realize a brave new world of on-demand capabilities. Leverage Arrowhead to be your competitive differentiator.
