Creating secure software and systems has never been more challenging. An explosion in the number of devices that hook into company data, coupled with increased mobility and a shift to cloud services and storage, has dramatically increased the potential attack surface of most organizations. More than 9 billion data records have been lost or stolen since 2013, according to the Breach Level Index.
The rapid pace of change means that security guidelines and government regulations often become outdated before they’ve been widely implemented. Cybersecurity is a race and the attackers have a head start. We need to adopt a new approach, which factors in what we’ve learned from the rise of DevOps – chiefly that breaking down barriers, boosting collaboration, and increasing automation works.
Tearing down walls between development and operations has eliminated a lot of wasted effort, enabled a closer alignment of goals, and increased the quality of final products. Automation has reduced error rates, while simultaneously increasing the speed of delivery. Tacking security on at the end of development is clearly not working, so why don’t we break down that wall as well? The natural, holistic approach is to pursue DevSecOps.
Integrating security into DevOps
There are many challenges to overcome when you fold security into your DevOps setup, but with the right approach it’s eminently achievable. We need to start with a mindset change and reorganize the way we manage people, processes and things. Cultivating security awareness in every task that’s undertaken requires commitment. A small cross-functional team that includes security should be empowered to do everything they need to do to realize DevSecOps.
The right technology tools can provide an automated framework that’s reliable, consistent and fast. Automation doesn’t just reduce the risk of human error, it also enables faster and more frequent releases, and it creates a clear audit trail for maximum transparency. Many attempts to improve security fail because they’re restrictive. Automated security management offers a new route.
Building a secure foundation
Automated security testing enables you to check for known issues and mitigate before release. Consider that known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all such incidents, according to BMC research. Time and time again we hear about a failure to patch a known vulnerability as the root cause of a big breach. Equifax had nine working weeks to patch the flaw that caused its massive data breach, according to The Register.
Running automated security tasks right from the inception of any new software development can eradicate this kind of risk entirely. Cybercriminals target the low-hanging fruit, so proper patching and eliminating known vulnerabilities makes your organization less of a target, particularly if your competitors have failed to take the same action. Starting with a secure foundation allows you to build something solid and it’s far cheaper and quicker to deal with issues early than to retrofit a fix.
Boosting security through automation
Attitudes won’t change overnight, but eliminating siloes to make DevOps possible has allowed many organizations to reap the rewards of closer collaboration. There are knock-on benefits, particularly from automation, because it frees up your expertise to innovate. The HP LaserJet Firmware team, for example, was able to increase new feature development by 700% after adopting a continuous improvement initiative and investing in automation.
As the DevOps movement evolves and matures, the benefits of true organizational alignment are becoming better understood. Early collaboration and a culture of awareness allows for greater integration, and automation is a by-product of those values. Every aspect of your company should be pulling in the same direction to create maximum value, and that must include security.
Last year Gartner suggested that security was an afterthought for 90% of companies using DevOps, but predicted that more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages by 2019.
Early adoption of the right security tools and an effort to make security a core part of your company values will pay dividends for your reputation and customer satisfaction in the New Year.
About the Author
Dr. Ravi Rajamiyer is Vice President of Engineering for Cavirin Systems, a provider of continuous security assessment and remediation for hybrid clouds, containers and data centers. Ravi previously held product development and R&D responsibilities at Yahoo and VMWare. He holds a MS from Indian Institute of Technology (IIT) Bombay, and a PhD from Washington University, St. Louis. Contact him at ravi@cavirin.com.