Turn DevOps into DevSecOps without sacrificing automation
As DevOps matured within organizations, the process became efficient and fast, but security ended up falling by the wayside. In this article, Gary Stevens explains why security is infiltrating DevOps and how the growth of DevSecOps creates a noticeable drop in the rate of data and security breaches.
As cybersecurity permeates the global conversation and hackers evolve at frightening rates, the desire to prevent data breaches is at an all-time high. Evidence of this mindset is seen in the statistic that 24% of IT teams are transitioning their DevOps to incorporate a cultural security shift.
This process of automation and change has been dubbed DevSecOps and is the next step in DevOps culture. Expect it to be one of the biggest trends of 2019.
Reasons security is infiltrating DevOps
Security as a top priority
In the digital era, security jumps to the forefront of company concerns. From viruses like WannaCry impacting 100,000 groups in 150 countries to the average user receiving 16 malicious emails per month, the need for a shift to security-consciousness as a core practice in organizations seems obvious.
No industry understands this better than cryptocurrency. Bithumb lost $32 million of its customers’ currency to a hack. Roughly $1.1 billion worth of cryptocurrency was stolen in the first half of 2018 alone.
We’ve seen companies forced to shut down by cybersecurity attacks. In 2014, Code Spaces suffered a massive DDoS attack and was held to ransom by an anonymous attacker, forcing the company to shut down.
And if an outside threat doesn’t take your company down, insider threats might. On average, 2,500 internal security breaches occur in US businesses every day. IT experts consider these to be a preventable issue.
The General Data Protection Regulation (GDPR) officially went live on May 25th, 2018, and with it came widespread changes to Europe’s (and the world’s) consumer data landscape. The two main goals of GDPR are to protect EU citizens’ data privacy and to reshape the way organizations approach data privacy and security.
With the new regulation came the chance to be fined at astronomic levels. Google found out when it was dinged with a $57 million penalty in early 2019, and Facebook is currently being investigated for GDPR violations.
Growing regulations force companies to integrate security processes throughout their entire company culture, leaving DevOps nowhere to go except for DevSecOps.
DevOps is more effective
An EMA report found the main benefits of DevSecOps were better ROI than existing security protocols and improved efficiency across security and IT processes. Another benefit was the ability to use existing cloud services to a higher degree. Cloud storage is more secure than alternatives.
DevSecOps is more of a culture shift than a set list of tasks to be performed. The object is to improve the overall quality of security and productivity rather than using “bolt-on” security methods.
In 2018, Logz.io performed a survey asking IT organizations about their DevSecOps integrations. Around 76% admitted that they were not practicing DevSecOps or were still in the process of implementing it. The biggest obstacle to moving towards DevSecOps is knowledge.
From the study, 71% of respondents said they didn’t feel they had proper knowledge of DevSecOps practices. This number is expected to shrink as security automation improves and the practice becomes widespread enough to provide readily available knowledge bases.
The 2018 DevSecOps Community Report glaringly revealed how human our developers are. Errors and bugs are still as common as ever. The report showed that 48% of developers don’t actually have time to work on security and most don’t want to work on security.
CTOs and managers should allocate time during design and the early stages of development to work on the cultural shift to a security mindset. Attention to what can be automated will help the problem as well. By automating recurring tasks, it is possible to create a repeatable process flow and leave trails that allow easy auditing.
Luckily, as security concerns continue to grow and as security becomes more integrated into the DevOps process, more tools are created to automate security tasks.
Tools to automate
Automation doesn’t have to be sacrificed for security. If you want a deep dive into the tools available to DevSecOps check out Christian Schneider’s session at DevOpsCon. Here are some of the best-rated tools currently available to incorporate security into your development process:
- Continuum Security: Consists of two modules and helps manage and test the security of products.
- ThreatModeler: Has a set of dashboards that allows everyone to touch application security.
- Checkmarx: Offers solutions for developers and DevOps engineers that incorporate security code analysis and testing into the development process.
- IMMUNIO: Deploys an agent inside a company’s software and attempts to find possible exploitations.
- Aqua Security: A security platform that specializes in containerized applications and their infrastructures.
- Gauntlt: Allows companies to write tests that can be used in the deploy and testing processes.
- CA Veracode: Designed to cover most needs of security officers and application developers.
Other easy steps
Luckily, there are multiple quick and relatively easy steps to integrate security into your processes. Team members should already be using malware recognition software, and the days until everyone who goes online uses a VPN are dwindling. Already more than one-quarter of internet users worldwide deploy its protective data encryption features. With 91% of cyber attacks starting with a simple email, educating non-technical (and technical) team members on the dangers of phishing and other types of social engineering is a must.
Simulating an attack before it happens can fit nicely into a DevOps process. This is the practice of exposing your weaknesses before real hackers do and revealing which areas of security need to be improved. An example of a penetration test comes from Nick Ismail. In this test, 14 of 6,000 employees were sent a link to a fake website under the guise that it was the company’s. Out of the 14 employees, 8 clicked on the link and entered their information. Fail!
As DevOps matured within organizations, the process became efficient and fast, but security ended up falling by the wayside. Now that data breaches with serious consequences have forced security into the spotlight and a sort of panicked, focused evolution, the trick is to incorporate it into DevOps in a way that still allows agile development. The end result, of course, is that the growth of DevSecOps creates a noticeable drop in the rate of data and security breaches.