SonarSource added over 5,000 customers in the last 12 months, reaching the 15,000 commercial customers milestone in record time.
DEVOPSdigest posed the following question to the development community: How should DevOps and development adapt to the new normal? In response, DevOps industry experts offered their best recommendations for how development teams can adapt to this new remote work environment. Part 5, the final installment in the series, covers security.
For a long-term, remote work environment to be safe and successful, security tools and processes need to be fully integrated throughout every stage of the development cycle. It's time to build a DevSecOps culture. To do this, form a team that seamlessly embeds security within engineering. You'll need security team members to have expertise up and down the stack — think networking, application access, compliance and architecture. Have security take part in standups and help with scrum planning and execution. Set up real time communications channels, like a Slack channel and email alias — destinations where developers can get input from security as they code. The result? Developers know they can solicit feedback from security at any point in the development lifecycle. And that creates a full-on, immediate feedback loop, which makes it rare that security concerns bubble up in the late stages of the development cycle.
BALANCE SPEED WITH SECURITY
While deployments are faster with individual contributors working remotely, DevOps leaders need to make sure that they balance the speed with security in order to successfully transition and adapt to remote work.
Co-Founder and President, Arkenea
The COVID-19 pandemic has changed working conditions in a profound way. Budget cuts and new workflows owing to a remote structure are causing new strains on DevOps teams. In the face of these challenges, the use of automated technologies and approaches across the entire development cycle must become a priority for improving operational efficiency. The functionality these tools provide by boosting productivity without increasing costs or slowing development cycles has become essential, especially as the pandemic accelerates the rate of patches and new releases as organizations attempt to adapt to this new normal. As organizations adjust existing DevOps methodologies in the context of the pandemic with the goal of increasing release frequency, automated security technologies within the continuous integration, delivery, and deployment (CI/CD) toolchain will be key to maintaining agility.
Global Director Application Security Strategy, Checkmarx
The pandemic and resultant work from home of IT and development teams has increased the vulnerability of software. Strong security measures are needed to be in place before every deployment. Automated security checks for checking vulnerabilities in your architecture are a must when teams are working remotely. Automated infrastructure checks need to be implemented to minimize the chances of vulnerabilities through human error.
Co-Founder and President, Arkenea
APPLICATION SECURITY AUTOMATION AND ORCHESTRATION
The new normal of a highly remote workforce is increasing the requirements for DevOps teams to deliver software capabilities — fast. As DevOps takes off, the spotlight is shining on the need for strong security around those applications. And while developers are now being measured on both the quality and security of their code, they lack the tools and skills needed to meet security expectations. What developers need is an application security automation and orchestration platform that unifies DevOps and security teams by making it easy to integrate security into development without changing the way developers work. By doing so, these teams are able to join forces to ensure the software they deliver is of the highest quality — and the most secure possible.
With a remote workforce, you dramatically increase the attack surface of your network. Every private laptop and VPN used by workers at home represents an additional endpoint that can be exploited by hackers. For remote DevSecOps teams working with Kubernetes, it's important that role-based access control (RBAC) policies are tightened so that workers only have access to containers when absolutely necessary, limiting the ability for attackers on compromised endpoints to propagate attacks laterally between pods and containers, or to escalate privileges and access sensitive data. If attackers do gain entry, Kubernetes audit logs can reveal evidence of anomalous behavior. Reviewing the audit logs can also bring to light evidence of misconfigured RBAC and other vulnerabilities in security policies. With machine learning, you can automate audit log monitoring to flag possible threats before the damage is done.
DevSecOps teams should focus on building out their PAM solutions to avoid credentials being stolen as users VPN in from remote locations, which may not have secure MiFi or WiFi.
Founder and CEO, IT Central Station
Since the shift to remote work, DevOps has completely taken over. Agility is now king. Organizations are using containers, microservices and serverless compute such as lambda that are blending the lines between development, operations and security. As companies look to adopt best practices for DevOps in the "new normal" we are facing, incorporating modern methods of privileged access management (PAM) to protect organizations from cyberattacks becomes key to ensuring the software development pipeline remains intact.
With development, operations and security teams spread out because of the pandemic, organizations need a centralized PAM solution architected in the cloud, for the cloud, to address threats such as credential-based attacks and phishing. PAM solutions that support more modern application-to-application password management (AAPM) approaches can help DevOps teams secure both human and non-human identities even in the remote work environment. Methods such as secure shell (SSH) keys, ephemeral tokens and delegated machine credentials can seamlessly incorporate PAM into the DevOps pipeline. Ensuring secure access that improves an organization's security posture and agility can keep development, operations and security teams on the same wavelength without compromising speed or security.
Cybersecurity Evangelist, Centrify
LOCAL SECURITY APPROVALS
The reality of remote work for software engineering makes the importance of local security approvals even more imperative. To ensure software can be delivered safely at speed, engineering teams should be accountable for the security of changes in the systems they develop and maintain with assistance by a security team that functions as a collaborative advisor. When venturing into unknown situations, like a rapid shift to remote-only work, it can be tempting to implement heavier approval processes — but this ultimately erodes stability by hindering the ability to continuously improve systems.
VP of Product Management & Product Strategy, Capsule8
AUDITING AND COMPLIANCE
The shift to a remote workforce has meant — and will continue to mean — that enterprises are exposing critical container-based applications to the public internet. Increasingly distributed work therefore also increases exposure to both external and insider attacks and data breach threats, if DevOps and DevSecOps teams cannot put countermeasures in place. Run-time auditing and compliance checks through CIS benchmarks, secrets auditing, and custom container audits are basic security requirements that are all the more important for distributed workforces. These strategies will help secure communications and extend the safeguards that protect enterprise networks in distributed work-from-home environments.
VP Product, NeuVector
Given that developers often work with the code that is their employer's core intellectual property — the company's "crown jewels" — their endpoints present a security risk under any circumstances, let alone the expanded attack surface exposed by the shift to more remote and distributed work in response to COVID-19. For companies relying on legacy remote access solutions like VPN, VDI or DaaS, this usually means putting restrictions on endpoints — denying worker access to certain websites; prohibiting third-party applications and/or peripherals; banning the use of personal laptops for company business; denying admin-level permissions on corporate devices, even if each of these restrictions inhibits worker productivity. The answer is to leave those legacy solutions behind and deploy isolated workspaces — OS-based isolation to strongly protect corporate assets, both on corporate-owned devices and on non-corporate devices, allowing developers to work freely without compromising security. An isolated workspace approach puts an end to the outdated notion that developers' freedom of access and corporate security need to be competing priorities.