Securing DevOps – GRC Perspective
DevOps is a set of practices that combines software development (Dev) and IT operations (Ops) to increase an organisation's ability to deliver applications and services at high velocity. Traditionally, these processes are integrated only at the end of the development lifecycle, which tends to create inefficiencies. The DevOps, or continuous integration and delivery (CI/CD), approach provides significant business benefits: business agility through quicker software delivery, increased collaboration, and higher quality.
Figure 1 – DevOps Process
With this paradigm shift in the software delivery methodology, how does security fit into this new approach? Is it possible to completely integrate security into the CI/CD approach without causing any delays that would be detrimental to its key benefit – quicker software delivery?
Let us highlight how DevSecOps (Security-integrated DevOps) can be implemented and delivered without impacting the agility of the overall approach.
The InfoSec Angle
At the core of a DevOps implementation there is heavy reliance on automation for running tests, checks, deployments etc., to build a seamless CI/CD pipeline requiring minimal manual intervention. Integrating security into each of these areas requires similar automation, without impacting the flow or the timelines. At the same time, there should be no compromise on the security posture due to these additional requirements. For some, this can sound like a complicated task that they would prefer to avoid. However, careful consideration towards automating most of the traditional security efforts, without impacting the core goals of DevOps, will act as an enabler towards enhanced security. From an executive perspective, there are two initiatives that allow security to be adapted across DevOps and make a significant impact: one addresses culture, the other addresses processes and technologies.
The change in mindset around the concept that security is everyone's responsibility needs to be established and implemented. To do that, it goes without saying that security should be involved from the early stages of software design, and that it continuously feeds back into the development process as the software evolves.
Figure 2 – Security involved from early stages of software design
Top Six Cultural Changes Required for Successful DevSecOps Process:
- Do not involve security only in the final stages of software development to point out weaknesses. Instead, include the Security and IT Operations functions from the initial stages of software development to build secure and stable software.
- Encourage a collaborative culture where all the functions (Development, Testing, Operations and Security) are involved in security decision making. Ensure that there are frequent touchpoints between the different functions to have effective collaboration.
- Security should not hold veto power to sign off on all security-related decisions; instead, sign-off should be a collaborative process. This encourages the shift in mindset that everyone is responsible for security.
- Communicate that security is a core enabler, and build in the value it provides to every product/service. Keep this messaging transparent, open and continuous to instil it deep into the culture and for everyone to start realising its value.
- Provide additional training to developers to design code according to security best practices. This would help remove most security weaknesses during the development stages.
- Empower the developers with additional security responsibilities by building security champions within each team. Extend this concept to other functions like testing and operations. Embed security team members into these teams to provide adequate support. Do not expect the security champions to become security experts, but to possess enough knowledge to guide the team towards the secure approach and to escalate issues to the security team members as required.
Processes and Technologies
Key areas like application security, infrastructure security, the CI/CD pipeline and security monitoring need to be realigned according to the core requirements of the DevOps process. Establishing appropriate processes and introducing the relevant technologies is critical to accomplishing security goals without compromising the speedy delivery of software promised by this approach.
Top Six Process and Technology Adaptations for Successful DevSecOps Process:
- Establish a framework, tools and technologies to govern security within the DevOps process.
- Automate the core security efforts and ensure that they provide continuous security testing throughout the software delivery cycle.
- Embed all required compliance requirements, security policies, processes and controls into the CI/CD cycles.
- Ensure that there are minimal false alarms, so that security checks do not disrupt the timely delivery of software.
- Introduce technology into the environment to provide continuous visibility. This will be used for effective security monitoring and incident management.
- Incorporate security architecture design review, application security testing (SAST, DAST and manual testing) and penetration testing within the DevOps process.
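The adaptations above (automated, continuous security testing embedded in the CI/CD cycle, controls expressed as policy, and keeping false alarms from blocking delivery) come together at a single point in a pipeline: the gate that turns scanner output into a pass/fail decision. The following is an added example written for this article, not code from the original or from any particular tool. It assumes a constructed scanner output format (one JSON finding per line with rule, severity, file, line and fingerprint fields) and a constructed, triaged baseline of accepted findings with expiry dates, so that reviewed false positives stop disrupting builds while accepted risk is revisited rather than forgotten.

```python
"""
Added example (not part of the original article): a minimal CI security gate.

Assumptions, all constructed for illustration:
- The scanner emits one JSON object per line with the fields
  rule, severity, file, line, fingerprint.
- A baseline maps a finding's fingerprint to an accepted-until date and a
  reason; entries are reviewed by security, and expired entries block again.
- Policy: any finding at or above the configured severity that is not
  covered by an unexpired baseline entry fails the build.
"""
import json
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample scanner output (JSON lines); not real tool output.
SAMPLE_SCAN = """\
{"rule": "hardcoded-secret", "severity": "CRITICAL", "file": "app/config.py", "line": 12, "fingerprint": "f1"}
{"rule": "sql-injection", "severity": "HIGH", "file": "app/db.py", "line": 44, "fingerprint": "f2"}
{"rule": "weak-hash", "severity": "MEDIUM", "file": "app/legacy.py", "line": 7, "fingerprint": "f3"}
{"rule": "debug-enabled", "severity": "LOW", "file": "app/settings.py", "line": 3, "fingerprint": "f4"}
"""

# Constructed baseline: fingerprint -> accepted-until date and review reason.
# "f2" is an accepted false positive; "f1" is an exception that has expired.
SAMPLE_BASELINE = {
    "f2": {"accepted_until": "2099-01-01",
           "reason": "query is parameterised; reviewed as false positive (ticket id placeholder)"},
    "f1": {"accepted_until": "2000-01-01",
           "reason": "temporary exception, expired"},
}


def parse_findings(text):
    """Parse JSON-lines scanner output into a list of finding dicts."""
    findings = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        rec["severity"] = str(rec.get("severity", "")).upper()
        findings.append(rec)
    return findings


def is_suppressed(finding, baseline, today):
    """True if the finding has an unexpired, reviewed baseline entry."""
    entry = baseline.get(finding.get("fingerprint"))
    if entry is None:
        return False
    return date.fromisoformat(entry["accepted_until"]) >= today


def evaluate_gate(scan_text, baseline, fail_on="HIGH", today=None):
    """Apply the policy and return the gate decision plus the triaged findings.

    today: ISO date string ("YYYY-MM-DD") used to check baseline expiry;
    defaults to the current date.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking, suppressed, informational = [], [], []
    for finding in parse_findings(scan_text):
        rank = SEVERITY_RANK.get(finding["severity"], 0)
        if rank < threshold:
            informational.append(finding)      # reported, never blocks
        elif is_suppressed(finding, baseline, today_d):
            suppressed.append(finding)         # reviewed exception, still visible
        else:
            blocking.append(finding)           # fails the build
    return {
        "passed": not blocking,
        "blocking": blocking,
        "suppressed": suppressed,
        "informational": informational,
    }


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_SCAN, SAMPLE_BASELINE, today="2024-01-01")
    for f in result["blocking"]:
        print(f"BLOCK {f['severity']:8} {f['rule']} at {f['file']}:{f['line']}")
    for f in result["suppressed"]:
        print(f"SUPPRESSED {f['rule']} ({SAMPLE_BASELINE[f['fingerprint']]['reason']})")
    raise SystemExit(0 if result["passed"] else 1)
```

Run as a pipeline step, the non-zero exit code is what stops the delivery; the suppressed findings are still printed so that accepted risk remains visible to the security monitoring the article calls for, and the expiry date forces the exception to be re-reviewed rather than silently carried forever.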
According to Verified Market Research, the global DevSecOps market was valued at USD 2.18 Billion in 2019 and is projected to reach USD 17.16 Billion by 2027, growing at a CAGR of 30.76% from 2020 to 2027. This clearly indicates the overwhelming reception and push from the industry regarding the adoption of the DevSecOps process. Though this provides several benefits to organisations, it should not come at the cost of reduced security.
Trust, But Verify
Despite any actions taken to enhance the processes and the overall security focus, the end result should always be independently tested. Teams tend to "mark their own work", given all the effort put into delivering whatever they have been tasked with. It is of high importance to account for the time needed to verify the end solution as a whole.
Organisations can reach out to cyber risk management consultants to review, discuss, optimise and further enhance their DevOps approach/lifecycle.