DevOps Meets Security: How DevSecOps Paves the Way to Consistent Policies
In this article
It is vital to build security into the DevOps code development process. While appreciation of security will grow as more people understand the challenges of developing public cloud architecture—and the risks associated with having basic, inconsistent application services across multicloud environments—the appreciation cannot come fast enough.
How can we expedite the process of getting more people involved and onboard quickly?
In many software development organizations, security is not a software development design consideration or requirement; it's an afterthought. Even if organizations want to include security into their design or requirements, they may not have experts who know how to build security into their software development lifecycle (SDLC) and CI/CD process.
The reality is, applications are being deployed faster and with more frequency, in response to demands from the business. There is an urgency to deploy applications, but there should also be an urgency to build with the necessary security.
Think about how business and development teams have gone from multi-tier architectures to leveraging an API-first strategy—to segmentation and microservices. Are you really surprised to see such an increase in breach reports, malicious bot activity and application attacks? At WWT, we hear many of the same application services and security challenges over and over:
- Lack of consistent security policies.
- Little to no visibility into application health and security risk.
- Lack of automation and patching and integration with SAST/DAST scans.
- Microservices riddled with vulnerabilities.
We continue to have conversations around these challenges because applications are the new edge. Business-critical applications and the data they collect, or access, are typically an organization's most valuable assets, yet security budgets are commonly focused on security products that offer little to no protection against application or credential attacks.
Something seems out of balance.
An F5 Labs study, spanning 12 years, showed 86 percent of breaches started with an attack that targeted the application itself or a user with credentials for the app. Organizations need to make application security and credential protection a top priority.
Fortunately, modernized processes can help reduce risk, maintain compliance and stop web attacks while delivering applications faster.
Let's think about the balance between faster code deployments and security again. Why is it so hard to determine a proper balance? Is it a limitation in technology, or is it people?
Many organizations pride themselves on their culture. For example, at WWT our culture is really the glue that holds everything together and defines who we are as an organization. With that said, culture is also one of the hardest things to change. Unfortunately, there comes a time when business changes so much that the people must change with it. They must adapt and align to a new way of doing things. Moving from paper to machine, machine to mobile, mobile to AI – it's an evolution that we've all been through. In fact, for many, it was needed in order to stay relevant and survive. More than ever, you have to break the silos with effective communication and actually collaborate, becoming one team on the same mission in order to be successful with digital transformation.
DevOps is an example where a change in culture has proven success; however, the DevOps practice is missing one very important component. Security. Without consistent application services and security being built into deployments, we have created a digital Wild, Wild West. By simply adding security to the DevOps practice, you'll have thorough governance across the organization. With security being top-of-mind for many executives and board members, DevSecOps makes sense in the mesh of a more connected world and should be adopted at a rapid pace.
According to Devsecops.org, "The purpose and intent of DevSecOps is to build on the mindset that 'everyone is responsible for security' with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required."
Many organizations are rapidly deploying applications. But they consider security an afterthought, especially when deploying in the cloud.
What enables a good multicloud service anyways?
- Automation and Orchestration
Working in concert, these attributes allow for repeatable tasks and integration with toolsets that can orchestrate processes, making apps more portable, predictable and agile. We have to be mindful of integrating and securing the CI/CD pipeline and the importance of securing workloads.
But wait, what about security? Having secure applications services built in to these tasks makes a GREAT multicloud service. As I mentioned before, security is a top concern for business leaders. It should be consistent across all applications and environments, regardless of where they live.
Wouldn't you agree?
ROLEPLAY: You're a CISO responsible for ensuring compliance with this policy: Identify, detect and mitigate threats to all corporate applications while following our cloud-first strategy and using native tools wherever possible.
Without consistency in application services it's difficult to comply with this policy due to a lack of consistent tools, limitations, manual policies, and functional differences between on-premise tools and cloud-native tools. A lack of centralized access controls and web application firewall policies results in reduced visibility, increased operational costs, security and auditing concerns.
With DevSecOps, modern standardized processes can help you reduce risk, maintain consistency and compliance, and stop web attacks while delivering applications faster.
Having a consistent application services policy provides a higher level of security and minimizes operational cost, while making applications more portable, predictable and agile. Allowing customers to move the app when and where they'd like, without decreasing the security posture, keep the data, connection and codebase for all applications top-of-mind.
Would you move an application to the cloud if you knew it increased risk and reduced visibility?
As I mentioned above, we need more people to understand the challenges of developing public cloud architecture and the risks associated with basic, inconsistent application services across multicloud environments.
Below are some of the challenges in developing public cloud architecture and the risks associated with basic inconsistent application services across multicloud environments:
- Basic security with no SAST/DAST vulnerability patching automation.
- Siloed services with non-portable investments and vendor lock-in.
- Inconsistent policies across environments create security vulnerabilities.
- Increased operation costs.
- Disparate interfaces and toolsets.
- No central point of control.
- Inconsistent features and terminology.
It's more efficient to have advanced application services that offer feature parity across all environments, including on-premise applications. This makes applications more secure and highly portable without cloud lock-in. Additionally, these advanced services can actually reduce your overall cloud spend by mitigating automated bot traffic and filtering out malicious request. Why wouldn't you want to provide the same level of security that is provided in on-premise data centers today, with consistent policies across all environments?
Stay tuned for a follow-up blog where I'll continue to discuss the benefits of applications services in multicloud environments. Focusing on the risk of BOTS and how to mitigate them and actually decrease your public cloud spend.
In the meantime, think about what you would do differently, or how you can help align your organization to DevSecOps and keep security top-of-mind. Check out a recent blog by my colleague – Building Automation into Your Organization.