Playing Offense in the Name of Application Security
August 11, 2020

Christian van den Branden
ZeroNorth

Digital transformation isn't just changing how businesses compete in the marketplace. It is changing how companies operate, especially with regards to security. Traditional models are being pushed aside to make way for more expansive thinking — and that includes a cultural shift within the classic DevOps model.

As one of the core enablers of digital transformation, DevOps integrates digital technology into all aspects of business process, culture and customer experience. It is a philosophical approach to software delivery that empowers collaborative development, team autonomy while speeding time to market. DevOps encourages innovation, promotes a competitive edge and reduces cost without sacrificing velocity or quality. It is a set of practices that can help you optimize an organization's method for developing software through each step of its lifecycle. This sounds great, but it is not always easy to achieve.

Making the Right Moves

To ensure that security is successfully integrated into the DevOps model — and risk is properly addressed — you will need to do more than just embrace the concept of DevOps. You will need to assume an offensive position. And no, this isn't just another sports analogy. Thinking proactively is key to empowering business teams and improving application development. Because when you assume an offensive stance in software development and vulnerability management, you immediately gain more control over the triad of security, risk and compliance.

The time is now to play offense in security. Part of this challenge is uncovering what this really means and how it can be achieved. Effective management of security, risk and compliance in DevOps, as well as the various teams involved, cannot come at the expense of control, consistency and accountability. While these are not the first words that spring to mind when considering DevOps models, they offer some important guidelines on how to approach security with a clear, offensive strategy.

Control

As DevOps continues to evolve as an alternative to traditional waterfall and a natural extension of agile development, there is a risk that security be left behind. To give yourself more control over security and risk management, it is important to make a proactive shift into DevSecOps. This security-enhanced mindset supports the notion of integrated security from the start, a continuous cycle much like an infinity loop, with each phase flowing into the next. Without a closed-loop process, risk managers have no way to validate remediation. Proactively incorporating security earlier in the process creates shorter feedback loops and eases complexity, enabling engineers to find and fix issues more readily.

But we all know, building perfectly secure applications isn't possible. That is why leaders must balance the need for speed and security by embracing the iterative nature of Agile, where progress can be made incrementally over time. Although this may not feel like control, this type of collaborative workflow preserves the teamwork, agility and speed of DevOps while allowing security to integrate at multiple points in the software development lifecycle (SDLC). And the earlier security is introduced into the SDLC, with scanning tools in place at every phase, the more control you have over your application security and vulnerability management program. Without an offensive plan, security will only get harder.

To achieve this without hampering the velocity of teams, it important for your toolchain to give you the ability to centrally define and manage security policies, but enable teams to apply them programmatically within their pipeline.

Consistency

Developers often rely on basic security tools to build applications, but there are no consistent DevOps processes for security testing, and point security tools often fall short of expectations. This means applications may well be deployed into production with critical vulnerabilities — at which point, they are much harder to find and even more expensive to fix. To achieve consistent testing, there is a need to incorporate multiple application security tools and orchestrate their execution within the development process. This will help companies build and deliver applications that are more secure from the outset and support them in effectively meeting business, customer and governance demands.

Consistency in DevOps is also about driving quality standards. To push out top-notch software, as quickly and affordably as possible, you need comprehensive, continuous and accurate visibility into where risk lies — and how it might impact the business. This comes from testing, early and often. Automating your testing to run continuously in deployment, instead of performing manual operations, allows teams to utilize static and dynamic analysis (SAST and DAST), as well as software composition analysis (SCA) for control over open source components, to gain better visibility. Orchestrating these testing processes within a continuous integration and delivery (CI/CD) pipeline is the way to consistently enforce an application security program without impacting the autonomy or velocity of the teams.

Accountability

DevOps isn't all about playing nicely with others. It demands real accountability, especially when things go wrong. Who is ultimately responsible for security in such a model? And how does this accountability question affect the delivery of reliable software? In keeping with the DevOps mentality, both delivery teams and security practitioners play a role in keeping software secure. But when everyone is accountable, sometimes no one is accountable — especially as the size of a company grows.

Without the right tools and processes in place to support the DevOps journey, chaos ensues. This is where proactive, offensive action comes in. Teams cannot gain the visibility they need without the proper tooling and an efficient process in place to know who is responsible for addressing security issues. This is why organizations must begin to focus on adopting tools that optimize visibility into their applications. As more businesses transition into a DevOps mindset, the need for well-defined roles and processes will become increasingly valuable.

This level of accountability happens in the build functions themselves. By creating a loop of constant feedback, where software can be built, analyzed and tested by cross-functional teams — and with automation speeding up the entire delivery process — people can begin to rely on systems for better security. This level of tight integration among development, operations and product security is key to reaching your business goals because it ensures the delivery of a secure product. But many organizations say breaking down walls and building bridges of shared accountability in DevOps is a struggle, both to understand and to implement. The key is to operationalize this within the toolchain itself, leverage ChatOps for alerting, and use reporting capabilities for inspection and review.

Takeaway

All organizations are under pressure to deliver value faster. DevOps is transformational and allows organizations to achieve this goal. In the same vein as quality, application security is not optional. Compromising on security exposes a company to risk, of intellectual property, customer data and/or brand integrity.

The key to ensuring application security happens, without scaling back the velocity of the organization, is to be proactive and offensive. To do so, you will want to apply the mindset of DevOps to your application security program. By investing in the proper tooling, you gain the ability to centrally define security policies but enable teams across the organization to apply them programmatically through automation and orchestration, right within their delivery pipelines.

Using ChatOps for alerting and reporting capabilities to assess the overall risk posture allows organizations to meet their security requirements without impacting the velocity of their teams. It allows them to accelerate software delivery by speeding up the discovery and remediation of security vulnerabilities while offering customer value — quickly and securely.

Christian van den Branden is SVP Engineering at ZeroNorth
Share this

Industry News

September 24, 2020

NetApp announced the availability of Elastigroup for Microsoft Azure Spot Virtual Machines (VMs).

September 24, 2020

CloudBees announced a robust new set of DevSecOps capabilities for CloudBees CI and CloudBees CD. The new capabilities enable customers to perform early and frequent security checks and ensure that security is an integral part of the whole software delivery pipeline workflow, without sacrificing speed or increasing risk.

September 24, 2020

Pulumi announced the release of a Pulumi-native provider for Microsoft Azure that provides 100% coverage of Azure Resource Manager (ARM), the deployment and management service for Azure that enables users to create, update and delete resources in their Azure accounts.

September 23, 2020

Puppet announced new Windows services, integrations and enhancements aimed at making it easier to automate and manage infrastructure using tools Windows admins rely on. The latest updates include services around Group Policy Migration and Chocolatey, as well as enhancements to the Puppet VS Code Extension, and a new Puppet PowerShell DSC Builder module.

September 23, 2020

Red Hat announced the release of Red Hat OpenShift Container Storage 4.5, delivering Kubernetes-based data services for modern, cloud-native applications across the open hybrid cloud.

September 23, 2020

Copado, a native DevOps platform for Salesforce, has acquired ClickDeploy.

September 22, 2020

CloudBees announced general availability of the first two modules of its Software Delivery Management solution.

September 22, 2020

Applause announced the availability of its Bring Your Own Testers (BYOT) feature that enables clients to manage their internal teams – employees, friends, family members and existing customers – and invite them to test cycles in the Applause Platform alongside Applause’s vetted and expert community of testers.

September 22, 2020

Kasten announced the integration of the K10 data management platform with VMware vSphere and Tanzu Kubernetes Grid Service.

September 21, 2020

PagerDuty entered into a definitive agreement to acquire Rundeck, a provider of DevOps automation for enterprise.

September 21, 2020

Grafana Labs announced the release of Grafana Metrics Enterprise, a modern Prometheus-as-a-Service solution designed for the scale, architecture, and security needs of enterprises as they expand their observability initiatives.

September 21, 2020

Portshift's Cloud Workload Protection platform is now available through the Red Hat Marketplace.

September 17, 2020

env0, a developer of Infrastructure-as-Code (IaC) management software, announced the availability of its new open source solution for Terraform users, Terratag.

September 17, 2020

Push Technology announced a partnership with Innova Solutions, an ACS Solutions company, specializing in global information technology services.

September 17, 2020

Alcide achieved the AWS Outposts Ready designation, part of the Amazon Web Services (AWS) Service Ready Program.