It wasn't so long ago that the DevOps and cloud deployment models first appeared. Since then, they have raised many questions and challenges for enterprise DevOps, particularly in security.
One challenge is to bring DevOps and security together, as DevSecOps. DevSecOps seeks to make security part of the software development lifecycle so that it's not just an afterthought, making it a critical component of what the modern information security professional needs to succeed.
At its core, DevOps is the practice of reacting quickly to the business's changing requirements, expectations, and environment. As business expectations change, so must the code that runs and protects the business. Being able to anticipate the business's requirements and proactively patch or upgrade is crucial for running applications across clouds.
So how do you ensure that developers are delivering secure code to production? DevSecOps requires a new security-centered mindset for developers, who then need the means for securing the software in production.
Here are some of the new security practices my team has seen that will help the progression of DevSecOps.
Shifting security responsibility
All developers should understand the importance of security in the code they write. Secure code enhances the value of software, and developers need to understand that poor security practices have harmful consequences. The continuous delivery of secure code involves using security tools, services, and platforms to identify vulnerabilities while still moving the software at the speed of business. The focus shifts security left toward the development phase.
Nonetheless, the development and delivery of secure code must continue throughout the lifecycle of applications. For example, it is critical to have security controls built into the new software for data in transit, device management, user authentication, and access control. And cloud and containers, both of which have become critical elements of the DevOps model, have their security considerations that must be fully understood.
Whenever possible, development teams should work with the release engineering team to establish an automated process for responsible software releases, meaning each release is automatically evaluated for its security posture.
Deployment is best done at scale, using a centralized policy engine managed by the DevOps organization for on-premises and cloud deployments.
You also need to figure out your DevSecOps strategy and how it affects your engineering, operations, and customer security. You need to identify the security risks you are facing and how you can prevent them. It would help if you created a platform-based security strategy to keep up with evolving security trends. Your platform-based security strategy must be agnostic to the application stack you're using and platform-agnostic to the endpoint you are securing.
It would be best if you prevented attackers from leaving the network and continuing their activities elsewhere, often by tracking them through a global threat intelligence network. You need to know about their targets and infrastructure and prevent them from doing it again. If you fail to do so, they may gain a foothold in your infrastructure and scale up their activities as they find them to be an attractive target.
Your infrastructure, application services, and network security need to be cloud-native, DevOps-enabled, and software-defined to improve scalability and flexibility and speed up your DevOps transformation. You need to make these elements part of your security strategy and implementation, and you need to get involved in the DevOps community to collaborate and share knowledge. You must also ensure the maturity of your DevOps and cloud deployment model and share experiences across the entire development, testing, and deployment lifecycle.
You must also communicate DevSecOps, CompSecOps, and CloudSecOps to your development, operations, and security teams to ensure everyone understands the context of your strategy and your existing agile release management practices.
Set your goals
In addition to being aware of all these issues, it is imperative to review all of the security processes that companies are using. This may include reviewing and auditing existing systems or reviewing existing infrastructure and remediating any problems.
Without a goal in mind, you should not expect these changes to happen quickly. Nevertheless, as the DevSecOps movement gains traction, we will see continued progress.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
