Dev and Sec and Ops – Oh My!

Pay no attention to the automation within the cloud

Security work is never done. New threats, new attack surfaces and staffing shortages make it difficult for many organizations to keep up with patching, scanning and maintaining cybersecurity defenses.

Consequently, the concept of DevSecOps (Development + Security + Operations) is gaining momentum. The need to “shift-left” is causing organizations to look for ways to automate security functions and upskill their development staff to meet business expectations. The movement toward building security into code at every stage of development is considered an evolution of the DevOps discipline and culture.

The cultural shift to DevSecOps can be difficult. Many companies still view security as a “last mile” problem. They have an established monolithic security gatekeeping function required to evaluate release candidate code. Each software product is independently evaluated, and all issues detected must be formally resolved before final release. This approach can be a source of bottlenecks in the release process. 75% of senior executives and development practitioners believe that manual processes for security and compliance hamper the ability to get new products to market.1 Developers must “hurry up and wait” until the security team’s independent review/fix cycle is complete.

Implementing DevSecOps comes with challenges, both technical and cultural. Establishing guidelines for secure coding, resiliency and privacy by design can cause friction between disciplines that have traditionally been motivated by different goals and responsibilities. The expense associated with building effective automation platforms is not a one-and-done exercise – it requires committing to a strategy, budget and staffing to realize benefit over time.2

Successful DevSecOps cultures commit to developing custom continuous integration and delivery (CI/CD) platforms that automatically identify and remediate security vulnerabilities. The development team takes full ownership of testing and resolving issues as code progresses.3

Companies that focus primarily on manual remediation techniques can develop “alert fatigue” and let 96% of automatically detected issues go unresolved. However, by using “remediation as code” techniques, 80% of the issues detected are resolved before having to adopt more manual remediation approaches.4

Additional incentives for creating a strong DevSecOps discipline and automated remediation are to free up cybersecurity resources to create and monitor cyber-defense systems that are independent of the development process. These areas include:5

  • Patching software to mitigate known vulnerabilities
  • Implementing multi-factor authentication for remotely accessed networks
  • Establishing and enforcing user privilege guidelines, especially for administrator and privileged accounts

User privilege and access is also a major area of concern for cloud management. An analysis of hundreds of cloud deployments revealed the following basic mistakes:6

  • 93% misconfigured cloud storage service
  • 41% hardcoded keys with high privileges
  • 89% overly permissive identity and access management policies
  • 100% misconfigured routing rules
  • 72% hardcoded private keys
  • 91% open security group

These misconfigurations are often the root of data breaches. Bad actors detect hardcoded keys or find ways to leverage permissive user settings and exfiltrate sensitive data. Clouds also tend to “drift” over time, as 90% of users make changes to the environment at runtime that affect permissions and resource utilization.6
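To make the “automated detection” idea above concrete, here is an added example (not code from the original post or any vendor) of the kind of small policy-as-code checks a CI stage can run on every commit: flagging hardcoded cloud keys in source, IAM policy statements that allow wildcard actions on wildcard resources, and security group rules open to the whole internet. The source snippet, IAM policy and security group are constructed sample inputs; the security group is a simplified dictionary shape assumed for illustration, not a cloud provider’s API format, and the access key value is the placeholder AWS publishes in its own documentation.

```python
"""Minimal policy-as-code checks of the kind a DevSecOps pipeline runs on every
commit: hardcoded cloud keys in source, overly permissive IAM policies, and
security groups open to the world. Added example; all sample inputs are
constructed for illustration."""
import json
import re

# AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Generic "secret = '...'" style assignments with a long literal value.
GENERIC_SECRET_RE = re.compile(
    r"(?i)(secret|password|api[_-]?key|private[_-]?key)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)


def find_hardcoded_keys(source: str) -> list[dict]:
    """Return one finding per line that appears to embed a credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append({"line": lineno, "rule": "aws-access-key-id"})
        elif GENERIC_SECRET_RE.search(line):
            findings.append({"line": lineno, "rule": "generic-secret-literal"})
    return findings


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy: dict) -> list[int]:
    """Indices of Allow statements granting wildcard actions on wildcard resources."""
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action and wild_resource:
            flagged.append(idx)
    return flagged


WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def open_ingress_rules(security_group: dict) -> list[dict]:
    """Ingress rules (simplified assumed shape) that accept traffic from any address."""
    return [
        rule for rule in security_group.get("ingress", [])
        if rule.get("cidr") in WORLD_CIDRS
    ]


# --- constructed sample inputs ---------------------------------------------
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # placeholder value from AWS documentation
db_password = "correct-horse-battery-staple"
region = "us-east-1"
"""

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}""")

SAMPLE_SECURITY_GROUP = {
    "name": "web-sg",
    "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 22, "cidr": "0.0.0.0/0"},
        {"port": 5432, "cidr": "10.0.0.0/8"},
    ],
}


def run_checks() -> dict:
    """Aggregate the three checks the way a CI gate would, returning all findings."""
    return {
        "hardcoded_keys": find_hardcoded_keys(SAMPLE_SOURCE),
        "permissive_statements": overly_permissive_statements(SAMPLE_POLICY),
        "open_ingress": open_ingress_rules(SAMPLE_SECURITY_GROUP),
    }


if __name__ == "__main__":
    results = run_checks()
    print(json.dumps(results, indent=2))
    # Fail the pipeline stage if anything was flagged, so the fix happens before merge.
    raise SystemExit(1 if any(results.values()) else 0)
```

On the sample inputs the gate flags the access key on line 2 and the password literal on line 3, the second IAM statement (Allow `*` on `*`; the Deny statement is skipped), and the two rules open on ports 443 and 22. Port 443 open to the world may well be intended for a public web tier, which is why a real pipeline pairs checks like these with an explicit allow-list of reviewed exceptions rather than blanket failure.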

Creating a strong DevSecOps culture supported by automated detection and remediation policies has the potential to eliminate common errors, such as hardcoded keys left in place during coding, and build more effective cyber-defense strategies. By shifting left and addressing security continuously across the development cycle, your company’s intellectual property and operations will be less vulnerable to cybercrime.