There is no greater urgency in business today than to move everything to the cloud. The ubiquity of this cloud imperative is fueling an almost frantic pace of application development as no business wants to be left behind. But organizations are discovering that the velocity and speed of their digital transformation may also come with a high price: the vast majority of cloud security failures are the result of misconfiguration errors resulting from mistakes made during the application development process. A process that more and more is being driven by the software development paradigm called DevOps.
DevOps is a philosophy and approach to software development based on bringing together formerly siloed software development and operations organizations into one collaborative team focused on a single goal or solution. The basic idea is to accelerate application development by having everyone work off the same playbook. The challenge is that, as with many new ways of doing things, it’s far easier said than done. In particular, while development engineers tend to disregard risk when building new applications, operations engineers tend to be risk averse. After all, their job is to ensure that their IT systems remain up and running around the clock to support their businesses.
The DevOps approach was never really developed with security as a guiding principle. Speed was, and is, the number one priority. An unfortunate result is the seemingly endless headlines about data breaches, ransomware attacks, identity thieves and stolen personal information. So, what’s to be done? A solution that shows tremendous promise derives from DevOps itself. It’s called DevSecOps.
The DevSecOps Framework
DevSecOps is essentially the DevOps concept on security steroids. It’s based on the idea that security should be woven into every phase of the application development process. In a recent report, the Cloud Safety Alliance (CSA), the cloud computing industry’s preeminent organization dedicated to cloud security (Symantec is an executive member), outlined six areas it considers critical to improving the security of the DevOps application development process.
These six focus areas align with the pillars of a new approach to information security management called reflexive security. Reflexive security emphasizes an organization’s collective responsibility for security. It is a holistic approach that sees every process within the IT environment, including the security of the DevOps process, as related to the overall process itself and the needs of the organization.
Along with collective responsibility, the focus areas of DevSecOps include an emphasis on creating a security-aware culture based on collaboration across the entire enterprise. DevSecOps sees the proliferation of point solutions for security in the DevOps process as a reason for many of the security vulnerabilities that result. It urges organizations to take a holistic view of the software lifecycle and consider platform solutions that make it easier to integrate security solutions. It argues that platform solutions offer the added benefit of enabling organizations to identify inflection points in the application development process where security controls can be inserted and automated. This last point, the recommendation to automate, is perhaps the most significant of all.
Automation the Key to Effective DevSecOps
If there’s a cardinal rule for DevOps, it is “automate everything.” With speed almost always of the essence, the goal is to drive every phase of development by automated processes. The logic is simple: automating processes helps eliminate the current reliance on manual coding, configuration, testing, deployment and patching practices, which are responsible for the vast majority of cloud security failures.
At the very least, implementing automated quality checks at key junctures in the DevOps process will substantially reduce the time and eventual cost of errors discovered using manual processes. It almost goes without saying that automated processes are clearly more efficient from a process management standpoint. As an old software development mantra paraphrased in the CSA report notes quite succinctly: if you’re doing the same thing three times, it’s time to program it.
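One way to put such an automated check at a key juncture into practice, as an added example that is not code from the article or the CSA report: a small policy-as-code gate that scans a resource plan for the kind of cloud misconfigurations the opening paragraph blames for most cloud security failures and returns a non-zero exit code so the CI job fails before deployment. The JSON plan format, resource types and field names (storage_bucket, security_group, public_read, and so on) are assumptions standing in for whatever a real infrastructure-as-code tool emits, and the two sample plans, one with weak settings and one with the settings corrected, are constructed for the example.

```python
"""Automated misconfiguration gate for a CI pipeline.

Added example, not code from the article or the CSA report. It assumes a
small JSON "plan" that lists cloud resources; the resource types and field
names (storage_bucket, security_group, public_read, ...) are hypothetical
and stand in for whatever a real infrastructure-as-code tool emits.
"""
import json
import sys

# Constructed sample plan with deliberately weak settings (hypothetical schema).
WEAK_PLAN = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "customer-exports",
         "public_read": True, "encryption": None},
        {"type": "security_group", "name": "web-sg",
         "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                     {"port": 443, "cidr": "0.0.0.0/0"}]},
        {"type": "database", "name": "orders-db",
         "publicly_accessible": True, "encryption": "aes256"},
    ]
})

# The same resources with the settings corrected (also constructed).
HARDENED_PLAN = json.dumps({
    "resources": [
        {"type": "storage_bucket", "name": "customer-exports",
         "public_read": False, "encryption": "aes256"},
        {"type": "security_group", "name": "web-sg",
         "ingress": [{"port": 22, "cidr": "10.0.0.0/8"},
                     {"port": 443, "cidr": "0.0.0.0/0"}]},
        {"type": "database", "name": "orders-db",
         "publicly_accessible": False, "encryption": "aes256"},
    ]
})

ADMIN_PORTS = {22, 3389}   # SSH and RDP: should never be reachable from 0.0.0.0/0

def check_bucket(res):
    """Flag world-readable or unencrypted storage buckets."""
    findings = []
    if res.get("public_read"):
        findings.append((res["name"], "HIGH", "bucket allows public read"))
    if not res.get("encryption"):
        findings.append((res["name"], "MEDIUM", "no encryption at rest"))
    return findings

def check_security_group(res):
    """Flag administrative ports reachable from any address."""
    findings = []
    for rule in res.get("ingress", []):
        if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in ADMIN_PORTS:
            findings.append((res["name"], "HIGH",
                             f"port {rule['port']} open to the world"))
    return findings

def check_database(res):
    """Flag databases reachable from the internet or stored unencrypted."""
    findings = []
    if res.get("publicly_accessible"):
        findings.append((res["name"], "HIGH", "database is publicly accessible"))
    if not res.get("encryption"):
        findings.append((res["name"], "MEDIUM", "no encryption at rest"))
    return findings

# Each resource type maps to the check that knows how to inspect it.
CHECKS = {
    "storage_bucket": check_bucket,
    "security_group": check_security_group,
    "database": check_database,
}

def scan_plan(plan_json):
    """Run every applicable check; return a list of (resource, severity, message)."""
    plan = json.loads(plan_json)
    findings = []
    for res in plan.get("resources", []):
        check = CHECKS.get(res.get("type"))
        if check is not None:
            findings.extend(check(res))
    return findings

def gate(findings, blocking=frozenset({"HIGH"})):
    """Exit code for the CI job: 1 blocks the deployment, 0 lets it proceed."""
    return 1 if any(sev in blocking for _, sev, _ in findings) else 0

if __name__ == "__main__":
    # Usage: python gate.py plan.json   (falls back to the weak sample plan)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_PLAN
    results = scan_plan(source)
    for name, sev, msg in results:
        print(f"{sev:7} {name}: {msg}")
    sys.exit(gate(results))
```

Wiring this in as a required pipeline step means the same review runs on every change, which is the "three times, program it" rule applied to configuration review. The set of blocking severities is kept separate from the checks themselves so a team can start in report-only mode and tighten the gate once the findings backlog is under control.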
Looked at through the lens of DevOps, processes that can be automated should be, and those that can’t should be eliminated. But there are challenges to this approach. One challenge is determining at what point automating a security process does more harm than good. Linking too many development phases into a single automated process, for example, may result in serious incompatibility issues downstream as an organization’s legacy systems block the new application. This is also why implementing the DevSecOps process emphasizes both planning and collaboration across multiple areas in an organization. Indeed, the CSA notes that DevSecOps initiatives typically require months to several years to implement, depending on their scope and complexity.
But clearly, the results are worth the time, culture change, and commitment. Implementing a modern, automated DevSecOps approach reduces the complexity, time and configuration errors bedeviling the application development process today and the subsequent fallout in data breaches, large-scale hacks of corporate and personal information, and other cloud security errors.
For organizations looking to learn more about integrating automated DevSecOps processes into their digital transformation strategies, CSA members such as Symantec invite you to get in touch. They are there to offer you the expert advice and other technical and resource assistance you may require.