DevOps helped revolutionize the software development world. It was a new Big Bang, bringing together Agile methodologies with new process efficiencies, modern technology and powerful cultural change to entirely up-end an industry.
But as we all know about technology, it only gets more advanced. DevOps might itself have been a revolution, but now that revolution needs its own revolution. Indeed, for your organization to remain ahead in the modern era, and stay protected from the rising threat of cyber attackers, it must evolve from DevOps to DevSecOps – and here’s why.
Read more: “Is German cyber security ready for 2021?“
DevOps: What our world looks like right now
DevOps gave us new tools to join the Dev and Ops teams together in a continuous feedback and improvement loop. Combined with advances in technology (like the cloud), suddenly app teams on both sides of the coin were able to drastically increase both their speed and quality – iteratively improving with every journey through the loop.
It worked. Until it didn’t.
Well, to say it doesn’t work is an overreach – but modern DevOps lacks a critical component, and that’s security. This is where DevSecOps comes in, where we integrate cyber security experts into that same infinite loop so that they can share their knowledge at each stage of the development cycle (no more waiting for a security gate at the end of the Dev process).
We’ll talk more about how to integrate security into DevOps further down this article, but for now let’s focus on why the lack of integrated security is such a problem.
The problem with a world without integrated security
The SolarWinds hack is a perfect example of why deficiencies in cyber security can lead to a huge problem for software teams.
In the attack, Russia-backed hackers were able to subvert SolarWinds’ Orion build environment and insert malicious code that went undetected for months. Sunspot, as it was known, silently watched the build server for commands and, eventually, replaced some of Orion’s source code with malware, dubbed Sunburst. By the end of 2020 when this was all discovered, the hackers had been planning, testing and implementing their attack for over a year.
Over 18,000 infected customers and a digital supply chain in panic later, we’re still seeing the damage of this attack unfold. And, unfortunately, it was able to occur due to a lack of certain security practices in place at the SolarWinds end. This included the team using insecure ftp protocols for file transfers, accidentally leaking a critical server password (which itself was weak in the first place), and using out-of-date computers and operating systems.
But SolarWinds didn’t have no security in place – so why weren’t the Russians detected?
Namely, the hackers entered the Orion platform before it was even a platform; infiltrating the build environment made conventional security measures useless.
For example, updating software to the latest version couldn’t help because the bug was in the new patch.
Then, only installing signed versions of the software couldn’t help because the software was signed.
Finally, reviewing the source code itself couldn’t have helped either, or wasn’t a sure thing, because the changes were designed to look like the expected code. To the human eye, all appeared normal. Plus, the attackers were in the build environment – they could have inserted Sunburst without it ever being visible.
Bringing this back to DevOps
State-backed cyber terror attacks are on the rise. Microsoft found in its Digital Defence Report that they are well-funded, well-trained, and willing to play the long game in order to avoid detection.
That’s not to mention the fact that each year, we see more and more malware variants out in the wild (the German federal government noted that it had observed 117.4 million new strains in 2020, compared to 114 million the year prior).
Security cannot be an afterthought, and it can’t be second to other development problems. As SolarWinds teaches us, the ramifications are brutal for companies that aren’t able to harden their systems to defend against modern attackers.
The solution? Integrating real-world security expertise into the DevOps loop.
Integrating Sec into DevOps
Most Dev teams have the expertise they need to produce high-quality apps that meet company and regulatory requirements, but security is its own, separate discipline. It requires careful study, years of experience, and full-time dedication just to keep up – let alone stay ahead.
If you don’t know what to look for, how can you look for it?
Across most organizations, security – where it exists at all – is often a siloed team that acts as a gate at the end of development. They’re a go/no go step and if the app fails, it’s back to square one, costing time and money to fix. This, as you’re no doubt aware, is highly inefficient.
Dev teams need a revolution. Bring security expertise into the pipeline right from the design phase. Give the Sec teams a voice at each stage of development, invite them to standups and important meetings. Instead of fixing big errors too late, you’ll be fixing little errors as you go.
But won’t that push our budget and timelines?
Integrating security from the early phases will increase the time and effort required to get an app to the Ops team. But, when you compare it to the comparative cost of not having it, the extra effort can pay for itself.
Putting this in numbers: If a bug is caught at the coding phase of development, it will cost five times as much to fix than were it caught earlier. Move to component testing and that increases to 10 times, then 30 times if you get all the way to post-release. That’s a 3,000% cost increase that could have been avoided.
If the Dev team isn’t able to identify where security issues could arise with their new app, the Ops team can’t monitor for those vulnerabilities.
It’s a fact of the job that security issues can’t always be eliminated in the development phase, so Ops needs all the tools it can get to continuously monitor and respond quickly. To look again at SolarWinds, hackers were in the system since 2019!
This goes for configuration, too
The Dev team has to be able to make it clear to Ops what services on their side should be disabled when they’re not needed anymore (i.e. open ports).
Then, when Ops has everything it needs to monitor and detect rapidly, it supercharges that continuous feedback loop. Say Ops detects an issue with the app a week after release – this obviously isn’t good enough. So, that feedback is passed back to the Sec team who works with Dev to put an improvement into the works. Next time, that time to detection is cut in half, then half again, and again, getting closer and closer to real time detection. This is an infinite DevSecOps journey.
5 key steps you can take right now to implement DevSecOps
- Threat modelling: Start asking “What could go wrong?” at each phase of development, using the existing data flow to identify vulnerabilities and mitigate them along the way.
- Know your risks: OWASP collects data annually to produce a top 10 list of security vulnerabilities to be aware of. You can find those here.
- Join the open source community: Going open source might feel like a strange step, but taking advantage of the growing online community sharing knowledge and resources could save money. There will be more eyes on your code, which means more people able to check it for potential errors (and more people to feed knowledge back into the DevSecOps loop).
- Adopt secure SDLC: It’s time to adopt secure SDLC best practices. That means secure code repositories, pair coding, static code analysis, software component analysis, and learning SAST, DAST and IAST.
- Identify skills gaps: It’s OK if your Dev or Ops teams have skills gaps when it comes to security. As we said, this is a discipline all on its own. While you may need new security expertise to join your business to help you get to where you need to be, identifying the current gaps in your teams can help you plan out what training they need to turn everyone into security champions.
It will take a push, but you don’t have to do it all at once
Integrating Sec into DevOps will require a significant amount of change – a whole new operational mindset. It won’t happen overnight.
Integrate little by little, increasing awareness in both teams. Agree on the approach and training required. What new expertise do you require? Who do you need to hire? How long will that take? Piece by piece, you’ll get there.
Getting security in the door – fast
Getting there over time is important, but the enemy is at the gates already. That’s why it might pay for you to investigate what third-party experts are out there already for you to up your defences while you train your people.
At dig8ital, we have security experts on standby ready tailor a unique security solution to your organization’s needs. We’re experienced getting Sec into the DevOps pipeline and managing the inevitable change resistance that can follow – which is totally normal. We’ll work hard to integrate this new component into your existing pipeline without threatening the people who are already there.
But we won’t ask you to waste your time if we’re not right for you. Contact us today for a free maturity consultation and let’s see how we can work together.