The Necessary Evolution of SecOps to DevSecOps
By 2021, cybercrime will cost about 6 trillion dollars a year. With an ever-increasing number of ways to connect to your network, IT security teams must be able to secure their systems and mitigate this risk. Household names like Marriott and Equifax were breached just this past year, and these breaches are costing untold sums.
Clearly, manual intervention isn’t the answer. Increasingly, we need to prioritize security concerns at earlier stages of the software development lifecycle.
How Did We Get Here?
In the past, it was relatively easy to secure a network by establishing boundaries and ensuring it was locked down tight. Fast forward to today and that once fully protected network now expands beyond the firewall. You have public clouds, private clouds, hybrid clouds and community clouds, and each has a multitude of devices that connect to endpoints distributed in every corner of the world. Your network is now exposed to far more risk, which forces you to mitigate each potential vulnerability to keep it secure. Today’s new perimeter needs to be buttoned up, with Operations and Security collaborating to create a secure network.
To meet these new security challenges, companies have been combining the goals of Security and Operations teams to form a new approach called SecOps.
SecOps promotes increased collaboration between Security and Operations to integrate the technology and processes that keep all systems and data secure. Combining Security and Operations makes sense because of the wider footprints cast by companies today.
Given your company’s ability to scale to infinite endpoints and resources, you can’t look at security as just something to get done, or an afterthought after projects are launched. If it is, getting hacked and paying $600k like Riviera Beach, Fla. becomes more likely.
SecOps seeks to strengthen security from the start of the software life cycle rather than taking the legacy approach of a separate security phase with its own split-off responsibilities. It is intended to be implemented as a company-wide management methodology, applied collaboratively across the entire product life cycle.
Like its counterpart DevOps, SecOps seeks to automate manual tasks, but here the focus is only on security-related tasks: monitoring for cyber threats and speeding up incident response to improve the security posture of the entire organization.
DevOps is a set of practices that enable companies to deliver value faster to their customers with more reliability and consistent standards than in the past. Instead of Operations having to manually build infrastructure, they work with developers to automate the process via code. With manual setups, days or sometimes weeks could go by before code can be tested and deployed. With DevOps, the goal is to automate this process and build systems that are abstractions of the underlying complexity.
Due to increasing threats in 2020, companies are investing more to improve security. Part of that increase is learning how to leverage the practices and tools that DevSecOps offers.
DevSecOps allows teams to quickly identify potential security issues during the development process rather than after the product is released. These earlier insights enable companies to patch vulnerabilities prior to releasing software to the public.
In many organizations, we find developers checking in code daily and automating tests to make sure it works as intended. The problem is that no one is looking at security. With DevSecOps, you now have an avenue to automate security checks. Developers check in code, and the smoke and integration tests pass. Next, a slew of additional security tests are run; if they pass, the code can be deployed to production, and if they fail, the code is sent back to the developer to fix. In this scenario, there is less risk of software being deployed with security flaws.
Implementing DevSecOps reduces costs by finding security vulnerabilities early in the development cycle. It ensures there is an automated way of reviewing your code and empowers developers to use secure design patterns and principles at the earliest point in the process. This is very important. You are teaching your developers to write great code and consider security, which in turn reduces costs and increases value. Additionally, you are regularly tearing down infrastructure and rebuilding it in an automated fashion. For example, you start by checking in code to build your product. Security tests are run and everything passes, so you deploy, and then you uncover a security flaw. You quickly check in code that patches the flaw, run all tests and redeploy. Because you are leveraging DevSecOps, you can redeploy with significantly less manual intervention.
Implementing any change can take time. Your first steps are to break down silos between the Operations, Security and Development teams. Once these teams are aligned, you can institute even more change by combining Operations and Security. Initially, this can be manual until you have established a clear roadmap.
Once complete, you bring Development into the fold and begin to work through the process of producing infrastructure as code that includes security. Over time, you should be able to easily build and tear down your entire product in code. This will allow you to react to and mitigate any risk. It won’t matter where the risk lies, because you can quickly add a test case plus a fix to your code and run the tests. If they pass, you redeploy your code and lock down that risk immediately. As more security issues arise, simply rinse and repeat.
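The gated pipeline described earlier (smoke and integration tests, then automated security checks, then deploy or return to the developer) and the add-a-test-then-fix-and-redeploy loop above, as an added illustration that is not part of the original article. It models the pipeline in plain Python; the secret pattern, the advisory set and the check-ins are constructed, and the library names and versions are hypothetical.

```python
import re

# Constructed advisory list standing in for a real vulnerability feed (hypothetical values).
KNOWN_VULNERABLE = {("examplelib", "1.3.0")}

# Catches obvious hard-coded credentials in source; a real scanner carries many more rules.
SECRET_PATTERN = re.compile(r"(?i)(api[_-]?key|secret|password)\s*=\s*['\"][^'\"]{8,}['\"]")

def smoke_test(change):
    return change["builds"]

def integration_test(change):
    return change["integration_ok"]

def secret_scan(change):
    return SECRET_PATTERN.search(change["source"]) is None

def dependency_check(change):
    return not any((n, v) in KNOWN_VULNERABLE for n, v in change["deps"].items())

# Functional tests run first, then the security gates, in the order the article describes.
STAGES = [("smoke", smoke_test), ("integration", integration_test),
          ("secret-scan", secret_scan), ("dependency-check", dependency_check)]

def run_pipeline(change):
    """Run every stage in order and stop at the first failure.
    Returns ("deploy", None) or ("return-to-developer", failed_stage)."""
    for name, check in STAGES:
        if not check(change):
            return ("return-to-developer", name)
    return ("deploy", None)

# Constructed check-ins: one with a hard-coded key, one that reads it from the environment.
BAD_CHECKIN = {"builds": True, "integration_ok": True,
               "source": 'API_KEY = "sk_live_1234567890abcdef"\nprint("hi")',
               "deps": {"examplelib": "1.4.0", "otherlib": "2.0.1"}}
FIXED_CHECKIN = dict(BAD_CHECKIN, source='API_KEY = os.environ["API_KEY"]\nprint("hi")')

def patch_and_redeploy_cycle():
    """Deploy a clean build, publish a new advisory (the added test case), then patch and redeploy."""
    history = [run_pipeline(FIXED_CHECKIN)]          # clean: deploys
    KNOWN_VULNERABLE.add(("otherlib", "2.0.1"))       # newly discovered flaw becomes a pipeline test
    history.append(run_pipeline(FIXED_CHECKIN))       # same code is now blocked at dependency-check
    patched = dict(FIXED_CHECKIN, deps={"examplelib": "1.4.0", "otherlib": "2.0.2"})
    history.append(run_pipeline(patched))             # fix checked in, tests pass, redeploy
    return history

if __name__ == "__main__":
    print(run_pipeline(BAD_CHECKIN))
    print(patch_and_redeploy_cycle())
```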