DevSecOps Trends,Problems And Solutions – 2019

DevSecOps solves problems around velocity, risk, security consciousness, and software quality.

Author : Tom Smith – Devops Zone

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, “What problems are solved by DevSecOps – where is the greatest value realized?” Here’s what they told us:

Velocity

• Product and company velocity of delivering features to customers. How fast customers are gaining value from new features or client requests. We’re confident to say we are continuously shoring up our defenses. If everything had to be manually vetted, you could not keep up. Confidence in delivering secure, high-quality software.
• With proper attention paid to security, product development and distribution would be much safer and faster.
• Protecting data and applications without affecting business operations. DevOps provides a quicker time to value for customers and does that continuously throughout the product life with the end user. DevOps may ultimately evolve into such an efficient process that it provides real-time deliverables. In that environment, speed is essential. Protecting without impacting is what DevSecOps should strive to become.
• 1) DevSecOps solves for both DevOps and Security/Compliance at the same time. It enables businesses to rapidly bring new applications to market but in a safe and compliant manner, ensuring business requirements are met or exceeded along the way. At the same time, implementing DevSecOps also requires the service organization to mitigate, avoid, transfer and accept any residual risk necessary to operate and reach customers. The greatest benefit to a service organization of DevSecOps is continuously learning from customer feedback though lightning fast application deployments – without having to compromise on security or compliance. 2) In the same way that DevOps helped reduce the psychological distance between the development and operations teams, DevSecOps brings security into the fold and become part of the ongoing engineering process. This has security benefits, of course, but it’s a rising tide that lifts all boats – a secure system will be more reliable and resilient, with a better ability to detect unexpected activities of all kinds.
• DevOps started because of the desire for speed. We’re seeing quicker releases. When I look at the overall market it’s probably the reduction of risk by designing with security baked in from the beginning.
• It comes back to the different kinds of risk that exist. In financial services, there are regulations and fines tied to regulation. How damaging can a breach be to the brand? The cost of implementing good security controls doesn’t have to be extreme. Companies can adjust the amount of work, effort, and cost to the risk they have. If databases have security built in it reduces risk.
• The greatest value of DevSecOps lies not with automation and efficiency, but rather, in the ability to help the business manage cybersecurity risk. This means all DevSecOps activities should focus on managing risk and improving cyber resiliency for the organization.

Security Conscientious

• Security becomes a top motivation. By default, DevOps provides uptime, feature velocity, and scale. If DevOps is working, security is built-in.
• Embracing DevSecOps maintains innovation velocity that translates to the achievement of business goals without skimping on security. More professional DevOps take security seriously being mindful about how things work and how things work securely.
• We have all heard about large organizations being sued and hurting their brand image due to security vulnerabilities in their software and applications, and the applications causing compromise of customer information. DevSecOps ensures that security is a norm and not an afterthought, ensuring developers always develop with the security of applications in mind.
• Culture developed around it. Everyone is responsible for security. Automation of tools to keep up with speed and agility is great. Make sure you’re building security into every phase. Data breaches could be the result of a design flaw, not just bugs. If security is implemented in design the breach may not have secured.
• DevOps in the early days is about moving fast and agility. But then realize you can’t improve speed without improving security. No number of features or availability will stop security incidents. Helping clients ensure security in the fast-moving environment.
• The goals of development teams — speed, flexibility, innovation — can seem at odds with what security teams need to do, and traditional models of security are often perceived as blockers for development. A DevSecOps culture that unites both groups around a shared objective and pushes security “to the left” weaves security steps into developer workflows and results in faster, more secure releases without stifling developer innovation. Whatever the mission of the development organization, a DevSecOps culture supports and enables it, positioning security as a partner for successful software delivery.

Better Software

• Developers become security conscious themselves through interactions and planning exercises you get a better design, to begin with. It’s part of the engineering and builds culture. Things being built are less likely to be compromised even if the security team has never seen. It delivers long-term value. The better software that’s easy to operate.
• 1) Multi-faceted: produce a better product. When you shift the testing requirements left, the support burdened is reduced. The business derives direct tangible value. 2) CX is simply better. Amazon pushes code thousands of time a day with no uptime to deliver a consistently great CX.
• By securing the container environment from the beginning of development and on into production, enterprises can avoid vulnerabilities that arise when security is “bolted on” late in the process – as is still too often the case. Doing so delivers value across the application lifecycle. For instance, integrating security with software development lifecycle tools at the start of the development phase allows for registry image scanning, digital signing, and code analysis to ensure the integrity of code, avoiding costly issues down the road. In the test phase, DevSecOps techniques for reducing the attack surface such as eliminating software vulnerabilities and hardening configurations of services and workloads help prepare a “known good state” ahead of production. At the same time, with more and more enterprises using containers in live production environments, the role of DevSecOps in protecting these most vulnerable environments from attacks is arguably where it offers its greatest value.
• By leaving security testing to the end of the development cycle, it becomes harder to test all of the software components both individually and as an integrated application, and consequently more likely that vulnerabilities remain undiscovered prior to release. Further, when a security issue is discovered late in the development phase, it can be challenging to find the root cause of the issue because so many layers and components are involved. It is also likely that the vulnerable component is shared by additional applications or services that use the same component, meaning that the vulnerability may have spread. By introducing threat modeling early in the cycle, and by mandating security requirements as part of the completion criteria of a user story, it is more likely that vulnerabilities will be detected earlier, making them easier to fix, and reducing the chance of the vulnerability escaping into production and exposing the organization and its clients to risk.

Other

• Codes are defect-free.
• 1) Not going to uncover any big “Ahas” at the end that prevents shipping. 2) Intelligence and knowledge gained by the team. By incorporating security throughout the process, everyone on the team becomes a security expert. You incorporate the security team in a much deeper way than you ever have before. 3) As companies migrate from water/scrum/fall style with a lot of waste where developers are sitting on their hands and gain efficiency where they’re working on the next version and iteration taking the knowledge and practices and incorporating it.
• The greatest value in DevSecOps is in expanding DevOps wins beyond initial pockets of success in small teams within a larger organization. Often, a team within a larger organization is doing really well with a DevOps initiative, and then that initiative stalls. The stall often occurs when engaging other parts of IT that are closer to the business, for example, security, ITSM, and auditing. These teams often have rigid processes that are not conducive to enabling velocity in technology delivery. If you can bring those teams into the fold by addressing their core concerns, you have found the value and you can spread DevOps throughout your organization.
• 1) Security staff becomes more proactive than reactive. 2) Automation frees security staff to focus on higher level issues.
• Your ability to maintain the faith of your customers and ensure they will not be negatively impacted.
• Today, infrastructure is coded, networks are software-defined, and development processes are more agile than ever, making traditional approaches to securing your code and infrastructure inefficient. This new paradigm shift presents an opportunity, as these same new approaches can be leveraged to design security controls into products as they are being built, rather than after the fact. It enables DevSecOps teams to identify and fix problems early on in the delivery process before they manifest and become more expensive and time consuming to fix down the line. This ability to leverage new DevOps approaches to efficiently implement security controls within the framework of standard DevOps workflows is the greatest value of DevSecOps.
• Most organizations are struggling to balance agility and security as they’re facing constant threats from both competition and cyber attacks. Tilt too much towards agility and the business may be opening themselves and their clients to greater risk. Tilt too much towards security can slow down innovation and create opportunities for competitors. Adopting DevSecOps practices, enables organizations to combine the best of agile and security practices. Successful DevSecOps implementations not only accelerate bringing secure applications to market but significantly reduce the time to respond to every increasing threat.
• For DevOps to succeed it must deliver business value at incredible speed; DevSecOps is the only way for DevOps to succeed without sacrificing security.
• Too often, security is being left behind in the name of continuous development and deployment. It’s a huge problem that leaves organizations susceptible to increasingly sophisticated attackers and a big reason why we continue to see serious breaches that compromise sensitive information. By essentially making security an afterthought, organizations are leaving the proverbial door open for attackers, and it’s become a systemic problem. But the culture of DevSecOps is starting to turn the tide and helping organizations proactively address security vulnerabilities before they become a problem.

Here’s who provided their insights:

• Anne Baker, V.P. of Product Management and Marketing, Adaptiva
• Steven Aiello, Solutions Principal, AHEAD
• Gadi Naor, Co-founder and CTO, Alcide
• Mike Stahnke, VP of Platform, CircleCI
• Brian Nash, Director of Product Marketing, and Brian Dawson, DevOps Evangelist, CloudBees
• Michael Rose, Vice President of Engineering, Cybera
• Doug Dooley, COO, Data Theorem
• OJ Ngo, CTO and Co-Founder, DH2i
• Kris Lahiri, Co-founder, Egnyte
• Brian Platz, Co-founder and Co-chairman, Fluree
• Javed Shah, Director of Product Management for Cloud and DevOps, ForgeRock
• Malcolm Isaacs, Senior Solutions Manager, Application Delivery Management, Micro Focus
• Gary Duan, CTO,NeuVector
• Yogesh Badwe, Director of Information Security, Okta
• Franklin Mosley, Senior Application Security Engineer/Evangelist, PagerDuty
• David Strauss, CTO and Co-founder, Pantheon
• Jeff Keyes, Director of Product Marketing, Plutora
• Vishnu Nallani, VP & Head of Innovation, Qentelli
• Sheng Liang, Co-founder and CEO, and Shannon Williams, Co-founder and VP Sales & Marketing, Rancher Labs
• Gene Yoo, CEO, Resecurity
• Altaz Valani, Research Director, SecurityCompass
• Jim Hansen, V.P. Products, SolarWinds
• Colby Dyess, Director of Cloud Marketing, Tufin
• Tim Hinrichs, CTO and co-founder, Styra
• Joseph Feiman, CSO, WhiteHat Security
• Andrei Bezdedeanu, VP of Engineering, ZeroNorth
• Tim Reilly, COO and CFO, Zettaset

Brought to you by HunterTech A DevSecOps company based out Bangalore.

Source: Dzone