Last week I had the pleasure of presenting at the Pittsburgh Cybersecurity day in partnership with ISACA. It was exciting to see more than 250 cybersecurity and application security professionals interested in discussing and learning how security can be enabled in a world rapidly adopting DevOps practices.
So, why is putting the Sec in DevSecOps so important today?
According to Gartner research, 2020 is the inflection point where more than 50% of organizations will adopt DevOps practices. This adoption is expected to continue at a rate of 20% year over year for the next 5 years. This accelerated DevOps adoption is justified as it offers many advantages including:
- Faster release times
- Higher SW quality
- Reduced failure rates
- Cost savings
However, with all these advantages there are also some disadvantages. First among these is the risk of releasing vulnerable applications and the concern of being hacked. To understand this better, let’s look at an example:
– 4-6 months release cycles
– Critical security issues wait a minimum of 4 months for a patch, but this not a concern
– Endless manual PT cyclesThe upside? Security is in sync with development speed
– A new build every 2-3 minutes
– Best PT team in the world can’t handle end to end test in less then a day
– 24 hours / 2 minutes = 720 builds a day, or a merge to master multiple times per day
This results in significant vulnerabilities in production as issues are only remediated months after a release is completed!
Now that we understand the problem, where should we focus?
According to the latest Forrester Wave, >70% of security incidents occur at the web layer. With the accelerated adoption of APIs and the less mature threat models for Web Applications and APIs, these risks are continually increasing.
How do you Add the Sec to DevSecOps?
Now that we understand the importance of adding application security into your DevOps environment (adding Sec to DevSecOps), what do you need to do to achieve this?
There are a number of aspects to consider:
- People: Putting the correct organization in place
- Process: Establishing the right processes
- Technology: Implementing solutions that enable you to achieve this
In order to effectively implement DevSecOps an organization needs to share the responsibility (and joy) of security with the development and QA organizations. Due to the increased velocity of development and the ratio between developers and security professionals in the organization (up to 100:1 in many cases), it is impossible to achieve this goal without sharing the ownership for security. You can read more about this in our recent post about security champions and how to create them.
Once the team is in place you need to make sure you have the correct processes to facilitate effective SecOps. These processes include feedback loops for:
- Defining the correct procedures for ensuring security is timely and effective
- Making sure you have the right coverage
- Identifying vulnerabilities early
- Remediating vulnerabilities when they are identified
- Validating the fixes that were implemented
- Facilitating feedback loops for continuous improvement
To learn more about this, you can follow our blog post about it here: https://brightsec.com/blog/devsecops-tooling-best-practices/
Last but certainly not least, you need to implement the correct technology that will enable the organization to effectively implement DevSecOps. These solutions need to be built from the ground up to enable developers and QA professionals to adopt them and must include these key features:
- Seamless integration into the SDLC
- Making sure scans can complete at the speed of DevOps while effectively identifying vulnerabilities.
- Provide different users with different interfaces that will enable them to adopt solutions as part of their standard workflows and not change their flows.
- Eliminate false positives in an automated manner and don’t delay (and annoy) developers by having them waste hours sifting through false positives.
- Provide clear and effective remediation guidelines.
Solutions like Bright are specifically built to enable organizations to add the Sec into DevSecOps.
When implemented correctly, organizations can achieve amazing results.
To learn more about effectively implementing DevSecOps please reach out to Bright and speak with our experts