Rajiv Kapoor, Senior Product Marketing Manager, NGINX at F5, explains how security can be better integrated into DevOps.
Development teams are increasingly using advanced technologies like cloud computing and microservices, in conjunction with DevOps principles, to innovate faster and remain competitive.
But such progress sometimes comes at a cost. The fast pace of DevOps has left security teams scrambling to keep pace and still install appropriate guardrails. Traditional security practices used to occur in the final stages before release. This no longer works as well with the rapid release cycles of agile software development.
Meanwhile, the speed of development is fast outpacing the rate at which security teams can check configurations and scan for vulnerabilities, especially as developers now outnumber security professionals 500 to 1.
Additionally, modern application environments represent a nearly infinite attack surface.
The pressure to keep up securely has led to a gradual reframing of DevOps as DevSecOps, where security is “shifted left” and introduced earlier in the software development lifecycle.
Unfortunately, while most businesses understand the intent of DevSecOps, they are still unsure how to go about doing it. In fact, just 14% fully integrate security throughout the software development lifecycle.
Recent research also shows that, while 65% of security teams report shifting left, less than one fifth are doing the scans necessary to verify this. The same report suggests that most security teams don’t have the processes to monitor and protect cutting-edge application technologies, such as microservices, APIs, and cloud-native/serverless.
Lack of visibility leaves security organizations running blind when problems surface in production. The later in the development cycle vulnerabilities are discovered, the more costly it is to fix them. A study by IBM System Science Institute suggests that fixing a defect found during implementation can cost six times as much as one identified during the early design phases. What’s more, a defect uncovered in production can cost 100 times as much.
Even more disturbing, nearly half of enterprises admit to deploying vulnerable applications to meet tight deadlines.
It’s clear that compliance and security oversight are often overlooked, and even deliberately avoided, in favour of faster and more frequent deployments.
The great DevOps-SecOps divide
One of the most significant issues lies with ingrained perceptions. In the past, teams worked independently, with rigidly scheduled handoffs between distinct phases. Security operations (SecOps) teams often introduced security functions only during the final stages of the development and release process, which resulted in delays.
Successfully putting the “Sec” into DevSecOps hinges on changing older cultural biases, reinforcing the need to embrace security, and empowering teams with the right tooling and automation to make smarter decisions without slowing down the entire organization. In essence, DevOps and security teams are all aiming for the same goal – a high quality, timely product. The difference lies in how each is accustomed to measuring and defining what that means.
The truth is that development won’t be slowing down any time soon. 38% of developers now release monthly or faster, and 54% of containers live for five minutes or less. Continuing to view security as a separate entity bolted onto the code, instead of a key feature that must be embedded end to end, slows processes down and reduces efficiency.
Bridging the gap to deliver speed and security
The core questions for app security are: What makes it easier for DevOps teams and application security teams to collaborate? And what does built-in security really look like?
For organizations that want to improve their DevOps security, here are some key points to focus on:
• Automate security as much as possible. Invest in security solutions that can be embedded directly into the CI/CD pipeline using automation. This makes it easier to secure apps without having to sacrifice development speed for the sake of security. Adopting technologies like static code analysis, dynamic analysis, and pen testing reduces risks and alerts developers to potential problems. There will never be enough security professionals to handle all security issues on their own, so use automation whenever possible.
• Build security as a guardrail, not a gate. Provide appropriate guidance and tooling, so that security becomes a guardrail rather than a gate. For example, ensuring that DevOps teams have access to templated policies enables them to align their applications with security requirements from the outset, without adding unnecessary time to development. Applications and security policies can also be tested as part of the CI/CD pipeline, so they are checked like any other functional specification. In short, it’s important to provide developers with everything they need to create and test applications with the appropriate security controls applied, or they won’t do it. Empowering development with a better understanding of security and self-service compliance reduces vulnerabilities and risk to the organization. Developers always want to drive faster, so make it possible for them to speed safely.
• Abstract security to enable more proactive responsibility. The average developer cannot be expected to have the level of expertise necessary to stay current with all the latest security trends—they have enough trouble keeping their programming skills up to date. Reduce complexity and make it easier to gain developer buy-in by selecting solutions that provide simplified, easy-to-understand insights within the CI/CD feedback loop.
• Make security adaptable, scalable, and reliable. Secure applications with solutions that offer consistent, centralized, and self-service security for any environment. For example, AI-driven security policy engines are one way to enable the adaptability necessary to support rapid change in applications resulting from CI/CD methodologies. Being able to adapt security policies in response to the latest attacks and identify dependencies makes it easier to assess risk and take action faster.
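The “templated policy, tested in the pipeline” idea from the second point above can be made concrete with a small policy-as-code check. The following is an added example written for this page, not code from the article or from NGINX/F5: a constructed baseline policy (minimum TLS version, no privileged containers, pinned image tags, required ownership labels) is evaluated against a constructed service manifest, and each finding carries a severity so the pipeline can distinguish a blocking guardrail from an advisory warning. The manifest format, policy keys, and registry names are all assumptions for illustration.

```python
"""Policy-as-code guardrail for a CI/CD pipeline step (added example).

A security team publishes a templated policy; developers run this check
against their service manifest in the pipeline, the same way they run
unit tests. "block" findings fail the step, "warn" findings only report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str       # stable rule id developers can search for in guidance
    severity: str   # "block" fails the pipeline step, "warn" only reports
    message: str


# Constructed example of a templated policy; keys are assumptions for this example.
BASELINE_POLICY = {
    "min_tls_version": "1.2",
    "forbid_privileged": True,
    "forbid_unpinned_images": True,
    "required_labels": ["owner", "data-classification"],
}


def _version_tuple(version: str) -> tuple:
    """Turn "1.2" into (1, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_manifest(manifest: dict, policy: dict = BASELINE_POLICY) -> list:
    """Evaluate one service manifest against the policy; return all findings."""
    findings = []

    # TLS floor: a missing or too-low minimum version is a blocking finding.
    tls_min = manifest.get("tls", {}).get("min_version")
    if tls_min is None or _version_tuple(tls_min) < _version_tuple(policy["min_tls_version"]):
        findings.append(Finding(
            "tls-min-version", "block",
            f"TLS minimum version {tls_min!r} is below required {policy['min_tls_version']}",
        ))

    for container in manifest.get("containers", []):
        name = container.get("name", "<unnamed>")
        # Privileged containers defeat least privilege; block them outright.
        if policy["forbid_privileged"] and container.get("privileged", False):
            findings.append(Finding(
                "no-privileged", "block", f"container {name} runs privileged"))
        # An unpinned or :latest image makes builds non-reproducible; warn only.
        image = container.get("image", "")
        if policy["forbid_unpinned_images"] and (":" not in image or image.endswith(":latest")):
            findings.append(Finding(
                "pinned-image", "warn", f"container {name} image {image!r} is not pinned to a version"))

    # Ownership labels drive routing of alerts; missing ones are advisory.
    labels = manifest.get("labels", {})
    missing = [label for label in policy["required_labels"] if label not in labels]
    if missing:
        findings.append(Finding(
            "required-labels", "warn", f"missing required labels: {', '.join(missing)}"))

    return findings


def pipeline_verdict(findings: list) -> str:
    """Guardrail semantics: only "block" findings fail the step."""
    return "fail" if any(f.severity == "block" for f in findings) else "pass"


# Constructed sample manifests (not from any real deployment).
NONCOMPLIANT_MANIFEST = {
    "name": "checkout-api",
    "labels": {"owner": "payments-team"},
    "tls": {"min_version": "1.0"},
    "containers": [
        {"name": "api", "image": "registry.example.internal/checkout:latest", "privileged": True},
        {"name": "sidecar", "image": "registry.example.internal/proxy:2.4.1"},
    ],
}

COMPLIANT_MANIFEST = {
    "name": "checkout-api",
    "labels": {"owner": "payments-team", "data-classification": "confidential"},
    "tls": {"min_version": "1.3"},
    "containers": [
        {"name": "api", "image": "registry.example.internal/checkout:4.2.0"},
    ],
}


if __name__ == "__main__":
    for manifest in (NONCOMPLIANT_MANIFEST, COMPLIANT_MANIFEST):
        results = check_manifest(manifest)
        print(f"{manifest['name']}: {pipeline_verdict(results)}")
        for finding in results:
            print(f"  [{finding.severity}] {finding.rule}: {finding.message}")
```

Running the block prints a verdict per manifest followed by its findings. Because every rule has a stable id and a severity, the same output can feed a pipeline status check, a pull-request comment, or a dashboard, which is what lets the check act as a guardrail developers can self-serve rather than a gate operated by the security team.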
The dawn of frictionless and adaptable security
Gone are the days when security could simply be bolted onto a process. Today, integrated security must become a normal part of any DevOps implementation. Making security frictionless and adaptable enables development teams to power ahead without fear. Modern application security can be a robust support system that empowers organizations to reach their business goals and guides them to even greater heights.