Accelerating Vulnerability Management through SecDevOps

Vulnerabilities are all around us. This has always been the case, but since the novel coronavirus (COVID-19) led to massive global changes, small vulnerabilities have led to major disruptions in businesses of all sizes — a problem that won’t disappear anytime soon: new post-COVID forecasts predict that cybercrime costs will hit $6 trillion annually by 2021. Furthermore, as the world continues to shift to remote work to ensure software development continues to prevent further business disruption, there has been a direct increase in the average cost of a data breach by $137,000. And this is not a problem felt by the few, but rather by the many as 80% of businesses expect to be breached.

These figures demonstrate that cybersecurity is not a nice to have, but a must have from the start of the development process rather than as an after-thought. And with the new norm of remote work due to COVID-19 — which will persist even as we emerge out of our pandemic routines — Development and Security teams have begun to work on asynchronous schedules causing the existing pain of already manual security processes to be exacerbated. SecDevOps must be implemented to ensure that application security and development teams can operate at their full potential no matter what the workforce structure.

What is SecDevOps Going to Do for Me?

The goal of SecDevOps is to have both developers and operations working toward creating software that is more secure as part of their daily routine. By integrating security into each phase of the development lifecycle, teams are able to prevent and manage vulnerabilities proactively instead of once code is in production — which is always too late. When organizations move beyond DevOps to SecDevOps (Secure DevOps), it aligns everybody to understand that security is not optional, but a requirement, giving them the information they need to know to be able to execute it effectively and efficiently. SecDevOps allows the organization to sustainably scale Application Security and decrease business risk — not just by reducing the attack surface and opportunities for bad actors to cause a breach, but across all operations by reducing project delivery risk and improving time-to-market.

SecDevOps allows the organization to sustainably scale Application Security and decrease business risk — not just by reducing the attack surface and opportunities for bad actors to cause a breach, but across all operations by reducing project delivery risk and improving time-to-market.

You Can’t Have Vulnerability Management without SecDevOps

In a SecDevOps system whether teams are co-located, distributed or fully remote, deploying and enforcing security policies is never an issue. Integration of the security processes into the SDLC ensures that development understands the correct policies for their projects and features from the start, and automation not only ensures the right controls are enforced, but also prioritizes vulnerability remediation based on the severity and criticality for each project — not just as another item in a list to be fixed.

Without SecDevOps, vulnerability management systems lack the context to effectively manage security debt based on the needs of that application, and ultimately can’t provide build governance when the security standards aren’t met — remaining reliant on the manual checks by Security that can’t keep up with today’s pipeline velocity, ultimately just pushing the problem elsewhere.

To reduce costly late-cycle security escalations and improve the outcome of each development cycle, SecDevOps functions to prioritize the following high-level key points:

• All for one, and one for all. If Sec, Dev and Ops are the 3 Musketeers, SecDevOps is d’Artagnan identifies application security issues and brings them together to solve them issues (or a more modern interpretation — if Sec, Dev, and Ops are Charlie’s Angels, SecDevOps is Charlie. You can decide which Angel is which).
• Application security policies must be well defined across the entire company. Well defined does not mean “a lot.” Rather, it means having clarity on when it should be applied, and how it aligns with a project’s strategic concerns. This allows all parties to understand what needs to be done for each project at each stage to deliver a quality product, on-time.
• Automation is key to scaling SecDevOps. “People. Process. Tools.” Is not a new mantra in software, while initial steps can be taken through simple processes, ultimately, to keep pace with today’s pipeline velocity, SecDevOps processes must be automated end-to-end in the SDLC. Without automation and orchestration, SecDevOps will become another bottleneck as it scales across the enterprise — no matter the size of the company.

Without SecDevOps, vulnerability management systems lack the context to effectively manage security debt…remaining reliant on the manual checks by Security that can’t keep up with today’s pipeline velocity,

Mature your AppSec Program with SecDevOps

While SecDevOps is easy and practical to deploy, it is not a set it and forget it system — you must take the feedback to continually improve your application security and software development processes. A well deployed SecDevOps program will ensure you have closed loop feedback not only to monitor real-time policy compliance, prevent bottlenecks, and provide predictive analytics to plan for vulnerability remediation efforts.

While vulnerability management processes tend to be seen in DevOps cultures as something that will slow down development progress, in reality that is the furthest reality from the truth. Even the simplest implementation of SecDevOps will quickly show companies that they don’t have to boil the ocean to deliver more secure code by integrating application security policies into their existing workflows to get control of vulnerabilities as part of their technical debt and even prevent them from ever being created.

Originally published at https://wabbisoft.com on September 10, 2020.